Security Incidents mailing list archives
Re: "Quova.net" (Exodus downstream customer)
From: rune () TRANS4MEDIA COM (Rune Kristian Viken)
Date: Tue, 20 Jun 2000 10:21:04 +0200
CC: abuse () exodus net - as it's obviously where it was sent.
CC: concerns () quova com - as they are the ones being defamed.

On Sat, 17 Jun 2000, measl () mfn org wrote:
What really bugs me is that the web site for the originator clearly implies that this type of illicit probing is what the company "does for a living": "Quova is a stealth-mode, Internet infrastructure company...". This email is being posted to various lists in order to warn them of this "company"'s propensities, and to the fact that their traffic originates with Exodus... Please put a stop to this.
Ahh, how I *love* clueless reports. And how I *love* to get lists I subscribe to trashed with ABUSE-mails. *blarhg*
Jun 15 19:51:19 65500 Deny ICMP:8.0 64.28.74.182 204.238.179.1 in via vx3
OK, let's see.

runevi@obelix:/home/runevi$ host -v 64.28.74.182 | grep PTR
182.74.28.64.IN-ADDR.ARPA 86035 IN PTR dcexbo200.quova.net
runevi@obelix:/home/runevi$ nslookup dcexbo200.quova.net
*** localhost can't find dcexbo200.quova.net: Non-existent host/domain
runevi@obelix:/home/runevi$ traceroute -f 13 64.28.74.182
traceroute to 64.28.74.182 (64.28.74.182), 30 hops max, 38 byte packets
13 dcr03-g1-0.wlhm01.exodus.net (64.14.70.49) 133.751 ms 149.299 ms 136.130 ms
14 64.14.80.130 (64.14.80.130) 136.162 ms 141.632 ms 136.408 ms
15 dcexbo200.quova.net (64.28.74.182) 134.493 ms 140.788 ms 148.129 ms

Okay.. exodus.net is upstream for this reverse-only domain.

runevi@obelix:/home/runevi$ host -l quova.net
quova.net name server ns1.quova.com
quova.net has address 208.37.145.34
ftp.quova.net has address 208.37.145.39
www.quova.net has address 205.177.226.233

Hmm... quova.com host -l shows a bunch more IPs, and so forth.

Well.. it seems the only thing resolving to exodus at all is the reverse-dns-lookup of an IP ... the funny thing is, I cannot see how that can be quova.net's responsibility. Anyone can choose anything as reverse-dns for an IP. I could let one of my IPs reverse to "lets.show.him" if I want - just edit the zonefile.

The point here is - you - measl () mfn org - are NOT showing how the IP you mention is in connection with quova.net. And your quote from their frontpage is - from what I just read at their frontpage - EXTREMELY MISPLACED. Their company is an ISP or something. Not a "probing company" - at least from what I can determine.

--
"Rune Kristian Viken" <rune () trans4media com>
<http://arcade.kvinesdal.com>
System, Network & Security Administrator.
Phone: (+47) 92 85 34 38
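
The PTR-versus-forward-lookup comparison done by hand in the message above can be written as a forward-confirmed reverse DNS check. This is an added example, not part of the original post: the function names, the status strings and the 192.0.2.x entries are assumptions made for illustration, and the sample zone data is constructed from the lookup results quoted in the message so the check runs offline.

```python
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def system_forward(name):
    """A/AAAA lookup through the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def fcrdns(ip, reverse=system_reverse, forward=system_forward):
    """Forward-confirmed reverse DNS check.

    Returns (status, ptr_name). Only "confirmed" ties the IP to the name:
    the PTR record alone is set by whoever controls the address block.
    """
    try:
        name = reverse(ip).rstrip(".").lower()
    except (OSError, LookupError):
        return ("no-ptr", None)
    try:
        addrs = set(forward(name))
    except (OSError, LookupError):
        return ("forward-missing", name)  # name does not resolve at all
    return ("confirmed" if ip in addrs else "mismatch", name)

# Constructed sample data. The first PTR and the quova.net A records mirror
# the lookups quoted in the message; the 192.0.2.x rows are hypothetical.
SAMPLE_PTR = {
    "64.28.74.182": "dcexbo200.quova.net",
    "192.0.2.10": "host.example.net",
    "192.0.2.30": "www.quova.net",  # PTR pointing at someone else's name
}
SAMPLE_A = {
    "quova.net": ["208.37.145.34"],
    "ftp.quova.net": ["208.37.145.39"],
    "www.quova.net": ["205.177.226.233"],
    "host.example.net": ["192.0.2.10"],
}

def sample_reverse(ip):
    return SAMPLE_PTR[ip]  # KeyError stands in for a missing PTR

def sample_forward(name):
    return SAMPLE_A[name]  # KeyError stands in for NXDOMAIN

if __name__ == "__main__":
    for addr in SAMPLE_PTR:
        print(addr, *fcrdns(addr, sample_reverse, sample_forward))
```

Calling fcrdns(ip) with no resolver arguments uses the system resolver instead of the sample data.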