Need geek help on tracking domain

02-02-2005, 10:11 PM

We've been getting hit hard in bandwidth by the following people: prazak.kkcable.cz, who resolve to on a ping. I'm seeing this location for the last couple months, and they're transferring more bandwidth by themselves than all the rest of the connections together.

Anyone who can help me figure out if this is legit, and if not, who the hell they are, *please* get with me, ok? I'm getting bandwidth warnings on my host, and this hit is pushing the limits of what I can use for *all* my sites, personal and business. which is Not Good.


02-02-2005, 10:27 PM
I'm on it. I will report back here in just a bit.

02-02-2005, 10:30 PM
Hey Vicky,

I've looked this up for you. This info includes some email info.


This one has an address so you can march up to their house and pound on their door! ;)

http://www.networksolutions.com/en_US/whois/results.jhtml;jsessionid=YYFZPKVMJD3PMCWMEAPSFFA?whoistoken=0&_requestid=158579

02-02-2005, 10:32 PM
prazak.kkcable.cz = [ ]

domain: kkcable.cz
admin-c: KKCABLECZ
nserver: ns1.profihelp.cz ns2.profihelp.cz
role: KK cable v.o.s
address: Masarykova 159
address: Milevsko
address: 399 01
address: The Czech Republic
admin-c: KOSTALMI
tech-c: KOSTALMI
bill-c: KOSTALMI
nic-hdl: KKCABLECZ
e-mail: serviskk@taborak.cz

role: PROFI HELP s.r.o.
address: Palackeho 350
address: Tabor
address: 390 01
address: The Czech Republic
admin-c: KARVAN
tech-c: KARVAN
bill-c: KARVAN
e-mail: info@profihelp.cz

person: Jiří Košťál
address: Sokolovská 1425
address: Milevko
address: 399 01
address: The Czech Republic
phone: 420 368251593
nic-hdl: KOSTALMI
e-mail: kkcable@kkcable.cz

person: Petr Karvan
address: Pod Trznim nam. 829
address: Tabor
address: 390 01
address: The Czech Republic
phone: 420 604101187
nic-hdl: KARVAN
e-mail: karvan@tabor.cz

Though I would caution against emailing any of those addresses. More often than not they are not read or don't even exist. Many times (if this is an illegitimate company) they will collect your address and sell it to spammers.

I am still investigating.

02-02-2005, 10:41 PM
They seem to be associated with sbone.cz

Non-authoritative answer: name = prazak.kkcable.cz.

Authoritative answers can be found from:
14.29.213.in-addr.arpa nameserver = ns2.sbone.cz.
14.29.213.in-addr.arpa nameserver = ns.sbone.cz.
ns.sbone.cz internet address =
ns2.sbone.cz internet address =

sbone.cz seems to be related to (the same as most likely) aliatel.cz which is a hosting company from the looks of it.

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: -
netname: ALIANET
descr: Network of Aliatel
country: CZ
admin-c: PG596-RIPE
tech-c: AHST1-RIPE
changed: petr.gomola@aliatel.cz 20021128
source: RIPE

descr: CZ-ALIATEL-20000623
origin: AS15485
mnt-lower: ALIATEL-MNT
mnt-routes: ALIATEL-MNT
changed: petr.safarik@aliatel.cz 20000714
changed: petr.gomola@aliatel.cz 20010808
source: RIPE

role: Aliatel Hostmasters
address: Aliatel a.s.
address: Sokolovska 86
address: Praha 8 - Karlin
address: 186 00
address: Czech Republic
phone: +420 2 25251111
fax-no: +420 2 25251122
trouble: 24/7 NCC +420 2 25251777
e-mail: hostmaster@sbone.cz
admin-c: PG596-RIPE
tech-c: PG596-RIPE
tech-c: ZN3-RIPE
tech-c: MK241-RIPE
nic-hdl: AHST1-RIPE
changed: Petr.Gomola@aliatel.cz 20040326
source: RIPE

person: Petr Gomola
address: Aliatel a.s.
address: Sokolovska 86
address: Praha 8 - Karlin
address: 186 00
address: Czech Republic
phone: +420 2 25253814
fax-no: +420 2 25252751
e-mail: Petr.Gomola@aliatel.cz
nic-hdl: PG596-RIPE
notify: Petr.Gomola@aliatel.cz
mnt-by: PG-MNT
changed: Petr.Gomola@aliatel.cz 20041101
source: RIPE

Aliatel's upstream seems to be telia.net.

02-02-2005, 10:44 PM
In the interim you can put this in your .htaccess at the site root to slow them down.

order allow,deny
deny from
allow from all

This will deny access to the GotMead web from that IP. While it won't stop them from trying it will reduce the amount of bandwidth they consume to almost nothing.

Have you spoken with your hosting provider? They may have other/better ways to deal with the issue.

02-02-2005, 10:49 PM
Hey Vicky. Just a thought. Do you have access to the webserver logs? Can you tell what they are doing? Are they spidering the site? How many connections/gets in a single visit? How fast are the connections? If you are comfortable with it PM me a section of the logs from when they are active.

02-02-2005, 11:41 PM
Log on the way......

02-03-2005, 12:09 AM
Alright, it's definitely some sort of brute force hack attempt. None of the pages they try to access even exist. I am guessing they are trying to capitalize on some sort of vulnerability but I can't find one for SMF that would match this type of attack.

1246 attempts in three and a half hours is pretty ridiculous!

My suggestion would be to contact your hosting provider and see if there is anything they can do to block them. If not see if they would be willing to help you bring the issue up with the upstream provider for

Personally I would go to telia.net first. My guess is that even though Aliatel seems to be their hosting provider generally, if these guys have gotten away with it for a few months their hosting provider doesn't really care.

For the short term (or if none of the above pan out) I would go with the .htaccess I suggested above.
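An added example, not code from this thread, that answers the questions asked above from the raw webserver log: requests per client, the share of requests for pages that do not exist, request rate and number of distinct paths, plus a flag for clients whose traffic looks like the probing described. The log lines are constructed (common log format) and the threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line of Apache common/combined log format; trailing referer/agent fields are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample: one client probing for pages that do not exist, one normal reader.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2005:20:00:01 -0500] "GET /forum/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [02/Feb/2005:20:00:02 -0500] "GET /forum/cmd.php?x=1 HTTP/1.1" 404 210
203.0.113.7 - - [02/Feb/2005:20:00:03 -0500] "GET /forum/admin.php HTTP/1.1" 404 210
203.0.113.7 - - [02/Feb/2005:20:00:04 -0500] "GET /forum/install.php HTTP/1.1" 404 210
198.51.100.4 - - [02/Feb/2005:20:05:00 -0500] "GET /forum/index.php HTTP/1.1" 200 5120
198.51.100.4 - - [02/Feb/2005:20:05:30 -0500] "GET /forum/index.php?topic=12 HTTP/1.1" 200 8800
"""

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec

def summarize(log_text):
    """Per-client totals: hits, bytes, 404 ratio, distinct paths and hits per minute."""
    raw = defaultdict(lambda: {"hits": 0, "bytes": 0, "404s": 0, "paths": set(), "ts": []})
    for rec in parse(log_text):
        s = raw[rec["ip"]]
        s["hits"] += 1
        s["bytes"] += rec["size"]
        s["paths"].add(rec["path"])
        s["ts"].append(rec["ts"])
        if rec["status"] == "404":
            s["404s"] += 1
    stats = {}
    for ip, s in raw.items():
        span = max((max(s["ts"]) - min(s["ts"])).total_seconds(), 1)  # avoid divide by zero
        stats[ip] = {"hits": s["hits"], "bytes": s["bytes"],
                     "not_found_ratio": s["404s"] / s["hits"],
                     "distinct_paths": len(s["paths"]),
                     "hits_per_min": s["hits"] * 60 / span}
    return stats

def suspicious(stats, min_hits=4, max_404_ratio=0.5):
    """Clients with enough requests whose majority are for pages that do not exist (thresholds assumed)."""
    return sorted(ip for ip, s in stats.items()
                  if s["hits"] >= min_hits and s["not_found_ratio"] > max_404_ratio)
```

Point `summarize` at the contents of the real access log to see whether the heavy client is fetching real pages (a spider) or mostly non-existent ones, and how fast it is doing so.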

02-03-2005, 03:15 AM
I think that Jab's approach makes sense. From a DOS kind of attack standpoint, it doesn't sound like they're trying to datastorm your ports, rather, they seem to be looking for a jump off point so they can hammer the site once they're in.

I'd also copy the log and reverse tracert to telia.net, and if you don't get response you may consider sending one to one of our "International" police agencies. I'll PM you with some thoughts on that.

If they were spidering they should have been done with that a while back, so it looks like they're trying for something more than casual page information. The .htaccess sounds like a great way to slow them down for the short haul and kind of wait and see what they do from there.



02-03-2005, 07:00 PM
Also (not directly related, but another security enhancement)

add index.php to your list of default web pages
(DirectoryIndex parameter somewhere in the httpd.conf config file if you're using Apache),
so that people can't get a directory listing of files.