
Reporting Network Abuse and/or Hacked Systems

By Dale Reagan | September 26, 2011

**Who Ya Gonna Call?

Before we can figure out where to send network/system abuse reports, we need to understand who might actually be responsible, or who might accept responsibility, for the resource/network from which the possible abuse originates…

With the slate of high-profile reported system and network ‘hacks’ in 2011, you might think that ISPs (internet service providers) and the systems professionals responsible for networks and servers are not ‘awake’.

This is one of those problems where the answer(s) are most likely at least somewhat complex – if you did a root cause analysis of the major system hacks of 2011, what would the similarities be? Some possible answers:

For small companies or one-man shops:

  • Uncle-Bubs-Shirt-Company only cares about supporting customers via the web – they do not care about how the web site works…
  • Uncle-Slix-Web-Design&Programming only cares about keeping costs down and margins up…
  • Uncle-Devs-Web-Hosting realizes that they are in a commodity business so all possible corners are cut…

So what’s the big deal?

The reality is…

We ALL PAY for hacking via indirect losses and/or increased prices of goods and services… No one wins.

So, how do you report network/system abuse in 2011?

How do you figure out who is responsible for a domain? Server? Network?

There are a number of free tools that you can use to look up domains and IP addresses – a sample starting point is Internic Whois. You may want to review some background on the domain name system (DNS). When you are searching by IP number you need reverse DNS tools. Using such tools is fine – but it does take some time. You may be able to speed up locating a responsible party by using a web site like Abuse.net (the site provides a DNS tool along with links to many resources). Abusix.Org provides a similar set of abuse-related resources. Note that my limited experience indicates that the data from Abusix.org is stale/dated – I would not use the information as a reliable contact source; I would use it as an ‘indicator’.

X-arf – network abuse reporting 2.0

How should network/system abuse be reported (in what format)? Is there an automated solution that will provide some sort of contact information when you are dealing with network/system abuse? X-arf provides a detailed, schema-based email format for reporting such issues. The site includes links to ready-to-use tools. So, what might be a fast/quick way to dig out an abuse-responsible contact?

Sample from Abusix.Org (along with requested text)

We start with an example IP from server logs – either SPAM, web hacking or other unwanted activity is recorded.  First we check the GeoIP information for the suspect IP and we get:

50.97.212.202 | US, TX, Dallas

So, the IP appears to be in the US.  We use the system level tool ‘whois’ and get this:

American Registry for Internet Numbers NET50 (NET-50-0-0-0-0) 50.0.0.0 - 50.255.255.255
SoftLayer Technologies Inc. SOFTLAYER-4-10 (NET-50-97-0-0-1) 50.97.0.0 - 50.97.255.255

The above tells us that this IP space is managed by ARIN and that the top-level responsible company for the IP space is SoftLayer (* this is who you contact if you don’t get a response from the IP user; in this example you could also CC SoftLayer in your communications).

+ host -t any 50.97.212.202.abuse-contacts.abusix.org
50.97.212.202.abuse-contacts.abusix.org has address 127.0.0.1
50.97.212.202.abuse-contacts.abusix.org descriptive text "hostmaster@nic.ad.jp"

*************** Reference_Info ***************
The recipient address of this report was provided
by the Abuse Contact Database of abusix.org. If you
have any question or think the recipient address
might be wrong, contact abusix.org directly via
email (info@abusix.org). Further information about
the Abuse Contact Database can be found here:

http://abusix.org/services/abuse-contact-db

abusix.org is neither responsible nor liable for
the content or accuracy of this message.

Ok, it looks like we have an IP that is network-managed and/or hosted by a US company but appears to be directly connected to an entity in a foreign country – in this case, Japan… At this point you could initiate contact with the email address found using the Abusix.org lookup; since the suspected abuse directly traversed IP space shown as being managed by a US company, I would simply report issues to the US company.

Why does US IP space appear to be in use outside the US?

Some examples follow where GeoIP information is correlated with IP space and Abusix.org information; the table below contains data that is unconfirmed/not verified, so it may not be accurate. What is interesting is what seems to be a connection between US and foreign IP space. The three-lines-per-IP list below shows:

  1. the abuse-email-contact response from Abusix.org
  2. the GeoIP data for the IP in question
  3. the GeoIP data for the abuse-email-contact domain

This process is full of GIGO (garbage-in/garbage-out) potential – there is no guarantee that the information is accurate or current.  If any of the data is accurate then it does point to the potential for using GeoIP data to resolve issues like systems & network abuse; it also highlights the ‘accuracy problem’ of using any type of GeoIP data…  The IP addresses below were found in server log files and flagged with possible non-normal activity.

  1. 108.62.195.121.abuse-contacts.abusix.org descriptive text "abuse@net.edu.cn"
  2. 108.62.195.121 | 108.62.195.121 | US, WA, Seattle
  3. 108.62.195.121 | net.edu.cn | CN, 22, Beijing
  1. 64.233.182.83.abuse-contacts.abusix.org descriptive text "abuse@swip.net"
  2. 64.233.182.83 | 64.233.182.83 | US, CA, Mountain View
  3. 64.233.182.83 | swip.net | SE, N/A, N/A
  1. 206.80.112.124.abuse-contacts.abusix.org descriptive text "wang@mail.hf.ah.cninfo.net"
  2. 206.80.112.124 | 206.80.112.124 | US, ID, Boise
  3. 206.80.112.124 | mail.hf.ah.cninfo.net | No GeoIP info for: ( mail.hf.ah.cninfo.net )
  1. 75.118.157.118.abuse-contacts.abusix.org descriptive text "abuse@dion.ne.jp"
  2. 75.118.157.118 | 75.118.157.118 | US, OH, Strongsville
  3. 75.118.157.118 | dion.ne.jp | No GeoIP info for: ( dion.ne.jp )
  1. 173.192.238.57.abuse-contacts.abusix.org descriptive text "noc@sita.net"
  2. 173.192.238.57 | 173.192.238.57 | US, TX, Dallas
  3. 173.192.238.57 | sita.net | CZ, 52, Praha
  1. 173.192.238.58.abuse-contacts.abusix.org descriptive text "ip-adm@hanaro.com"
  2. 173.192.238.58 | 173.192.238.58 | US, TX, Dallas
  3. 173.192.238.58 | hanaro.com | KR, 11, Seoul
  1. 173.193.219.168.abuse-contacts.abusix.org descriptive text "syoon@samsung.com"
  2. 173.193.219.168 | 173.193.219.168 | US, TX, Dallas
  3. 173.193.219.168 | samsung.com | KR, 11, Seoul
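The Abusix lookup used above, as an added example (not code from the original post): the abuse-contacts.abusix.org zone keys on the IPv4 octets in reverse order, exactly as in-addr.arpa does, so 50.97.212.202 is queried as 202.212.97.50.abuse-contacts.abusix.org. The queries in this post pass the octets in forward order and therefore return the contacts for the mirror-image addresses (202.212.97.50, 121.195.62.108 and so on), which is consistent with the foreign contacts listed above. The `host` output below is a constructed sample and the example.net addresses are placeholders.

```python
import ipaddress
import re
import subprocess

ABUSIX_ZONE = "abuse-contacts.abusix.org"


def abusix_query_name(ip):
    """Build the Abuse Contact DB query name for an IPv4 address.
    Like in-addr.arpa, the zone keys on the octets in REVERSE order:
    asking for 50.97.212.202.<zone> (forward order) describes 202.212.97.50."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input with ValueError
    return ".".join(reversed(str(addr).split("."))) + "." + ABUSIX_ZONE


# `host` prints TXT data as: <name> descriptive text "..."; curly quotes
# are accepted too because pasted output (as in this post) often has them.
TXT_RE = re.compile('descriptive text ["“]([^"”]*)["”]')


def parse_host_txt(host_output):
    """Extract the e-mail addresses from `host -t any|txt <name>` output.
    One TXT record may carry several comma-separated addresses."""
    contacts = []
    for line in host_output.splitlines():
        m = TXT_RE.search(line)
        if not m:
            continue
        for addr in m.group(1).split(","):
            addr = addr.strip()
            if "@" in addr and addr not in contacts:
                contacts.append(addr)
    return contacts


def lookup_abuse_contacts(ip):
    """Live lookup with the system `host` tool (needs DNS); the offline
    sample below does not call this."""
    proc = subprocess.run(["host", "-t", "txt", abusix_query_name(ip)],
                          capture_output=True, text=True, check=False)
    return parse_host_txt(proc.stdout)


# Constructed sample in the format `host -t any` produced in the post.
SAMPLE = (
    '202.212.97.50.abuse-contacts.abusix.org has address 127.0.0.1\n'
    '202.212.97.50.abuse-contacts.abusix.org descriptive text '
    '"abuse@example.net,noc@example.net"\n'
)

if __name__ == "__main__":
    print(abusix_query_name("50.97.212.202"))  # 202.212.97.50.abuse-contacts.abusix.org
    print(parse_host_txt(SAMPLE))              # ['abuse@example.net', 'noc@example.net']
```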

So, how do you get more accurate information?

Using DNS information may provide more accurate results, e.g. the command:

whois 108.62.195.121

returns with:

Ok, we see that:

In this case it appears that Ubiquity should be the first contact point, followed by Nobis – if you contact ARIN they will simply refer you ‘back down’ the tree… So what about the apparent China connection (based on “abuse@net.edu.cn”)? Let’s dig a bit more:

host 108.62.195.121
121.195.62.108.in-addr.arpa domain name pointer 108.62.195.121.rdns.ubiquityservers.com

The ‘host’ command (on Linux) gets us to the responsible party a bit faster (and confirms the summary above). Now we need more detailed contact information – who should we report problems to? Using one of the many on-line ‘whois/dns lookup’ web sites you can locate more detailed information, e.g.:

3. Record # NET-108-62-192-0-1 received from whois.arin.net

NetRange: 108.62.192.0 – 108.62.195.255
CIDR: 108.62.192.0/22
OriginAS: AS15003
NetName: NETBLK-UBIQUITY-SEATTLE-108-62-192-0
NetHandle: NET-108-62-192-0-1
Parent: NET-108-62-0-0-1
NetType: Reallocated
Comment: Addresses in this block are non-portable.
Comment: For security issues, abuse reports, and
Comment: technical issues, please contact the
Comment: Nobis Technology Group NOC at admin@nobistech.net
RegDate: 2011-03-27
Updated: 2011-03-27
Ref: http://whois.arin.net/rest/net/NET-108-62-192-0-1
OrgName: Ubiquity Server Solutions Seattle
OrgId: NTGL-5
Address: 12101 Tukwila International Blvd
Address: Suite 100
City: Tukwila
StateProv: WA
PostalCode: 98168
Country: US
RegDate: 2008-03-05
Updated: 2011-01-10
Comment: +++++++++++++++++++++++++++
Comment: Ubiquity Server Solutions
Comment: http://www.ubiquityservers.com
Comment: Seattle, WA
Comment: +++++++++++++++++++++++++++
Comment:
Comment: For all inquiries relating
Comment: to network abuse, network
Comment: security, DMCA, trademark,
Comment: legal compliance, and law
Comment: enforcement requests, contact
Comment: abuse@nobistech.net via e-mail
Comment: or via postal mail as follows:
Comment:
Comment: Nobis Technology Group
Comment: ATTN IP Network Operations
Comment: 6930 East Chauncey Lane
Comment: Suite 150
Comment: Phoenix, AZ 85054
Ref: http://whois.arin.net/rest/org/NTGL-5
ReferralServer: rwhois://rwhois.nobistech.net:4321
OrgNOCHandle: NOC2466-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-480-212-1710
OrgNOCEmail: admin@nobistech.net
OrgNOCRef: http://whois.arin.net/rest/poc/NOC2466-ARIN

OrgTechHandle: AIA12-ARIN
OrgTechName: ARIN IP Admin
OrgTechPhone: +1-480-212-1710
OrgTechEmail: arin@nobistech.net
OrgTechRef: http://whois.arin.net/rest/poc/AIA12-ARIN

OrgAbuseHandle: ABUSE1601-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-480-212-1710
OrgAbuseEmail: abuse@nobistech.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE1601-ARIN

Another approach – use the listed ‘rwhois’ resource from Nobistech to see if we can get information that is tied to the IP address:

whois -p 4321 -h rwhois.nobistech.net 108.62.195.121
[Querying rwhois.nobistech.net]
[rwhois.nobistech.net]
%rwhois V-1.0,V-1.5:00090h:00 my.ubiquityservers.com (Ubersmith RWhois Server V-2.1.0)
autharea=108.62.192.0/22
xautharea=108.62.192.0/22
network:Class-Name:network
network:Auth-Area:108.62.192.0/22
network:ID:NET-27925.108.62.195.0/24
network:Network-Name:Secondary Assignment – Ticket ID VZJ-362-57710
network:IP-Network:108.62.195.0/24
network:IP-Network-Block:108.62.195.0 – 108.62.195.255
network:Org-Name:Boboc, Alexandru
network:Street-Address:Calea Victoriei 91-93
network:City:Bucharest
network:State:RO
network:Postal-Code:10012
network:Country-Code:RO
network:Tech-Contact:MAINT-27925.108.62.195.0/24
network:Created:20110403003326000
network:Updated:20110403003326000
network:Updated-By:admin@nobistech.net
contact:POC-Name:Nobis Network Administration Team
contact:POC-Email:admin@nobistech.net
contact:POC-Phone:admin@nobistech.net
contact:Tech-Name:Nobis Network Administration Team
contact:Tech-Email:admin@nobistech.net
contact:Tech-Phone:admin@nobistech.net
contact:Abuse-Name:Nobis Network Abuse Team
contact:Abuse-Email:abuse@nobistech.net
contact:Abuse-Phone:abuse@nobistech.net

Finally, we see what appears to be authoritative information indicating that the IP in question (actually, a set of IP addresses) is end-user managed/used in Romania (RO). Since the data indicates that an entire subnet is reserved in this net-block, the responsible party in Romania may be an ISP or some other network-related provider (which could, in turn, be providing Internet access to a Chinese entity, hence the preceding reference to a contact in China).
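As an added example (not code from the post, ARIN or Nobis), the following parses the two record formats shown above: the ARIN ‘Key: Value’ block and the rwhois ‘class:Key:Value’ lines. It follows the ReferralServer field to find the rwhois host and assembles the report-to list most-specific-first, which is the escalation order the post arrives at (the delegated customer block, then the hosting provider, then the upstream). The sample records are constructed from the field names above; the organisation names and addresses are placeholders.

```python
import re
from urllib.parse import urlparse


def parse_arin(text):
    """Parse ARIN-style 'Key: Value' output (last value wins for repeated keys)."""
    return {m.group(1): m.group(2) for m in
            (re.match(r"^([A-Za-z]+):\s*(.*)$", ln) for ln in text.splitlines()) if m}


def parse_rwhois(text):
    """Parse rwhois 'class:Key:Value' lines into {class: {Key: Value}}."""
    rec = {}
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[0] in ("network", "contact"):
            rec.setdefault(parts[0], {})[parts[1]] = parts[2].strip()
    return rec


def referral(arin_rec):
    """(host, port) of the rwhois server an ARIN record delegates to, or None."""
    url = arin_rec.get("ReferralServer")
    if not url:
        return None
    u = urlparse(url)
    return (u.hostname, u.port or 4321)  # 4321 is the rwhois default port


def abuse_chain(arin_text, rwhois_text=None):
    """Most-specific-first list of (org, country, abuse address) to report to."""
    arin = parse_arin(arin_text)
    upstream = arin.get("OrgAbuseEmail", "?")
    chain = []
    if rwhois_text:  # delegated customer block from the referral server, if any
        rw = parse_rwhois(rwhois_text)
        net, con = rw.get("network", {}), rw.get("contact", {})
        chain.append((net.get("Org-Name", "?"), net.get("Country-Code", "?"),
                      con.get("Abuse-Email", upstream)))
    chain.append((arin.get("OrgName", "?"), arin.get("Country", "?"), upstream))
    return chain


# Constructed excerpts modelled on the records above; names/addresses are placeholders.
ARIN_SAMPLE = """NetRange: 108.62.192.0 - 108.62.195.255
OrgName: Example Hosting LLC
Country: US
ReferralServer: rwhois://rwhois.example-hosting.net:4321
OrgAbuseEmail: abuse@example-hosting.net
"""
RWHOIS_SAMPLE = """network:IP-Network:108.62.195.0/24
network:Org-Name:Example Customer SRL
network:Country-Code:RO
contact:Abuse-Email:abuse@example-hosting.net
"""
```

Call `abuse_chain(ARIN_SAMPLE, RWHOIS_SAMPLE)` to get the ordered contact list, and `referral(parse_arin(ARIN_SAMPLE))` for the rwhois host and port to query next.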

Based on the above – some suggestions

As always, your mileage should vary, at least a little bit.  🙂

** I started this post several days BEFORE reading that Ghost Busters will be returning to theaters in the fall of 2011…

Topics: Computer Technology, System and Network Security, Unix-Linux-Os, Web Problem Solving
