Security Incidents mailing list archives

Re: Source of attack: Russian nuclear facility?


From: //Stany <stany () NOTBSD ORG>
Date: Tue, 8 Aug 2000 02:28:33 -0400

On Sun, 6 Aug 2000, Bryan Willett wrote:

> I created a php based gaming site: www.merchantempires.net.

> An unknown person with IP addresses used by iate.obninsk.com,
> is currently hacking the site.  He/she is using some method
> to cheat in the game through altering the database.  I haven't
> figured out if it's a simple php bug or other vulnerability.

Hrm.

Ok, according to www.obninsk.com, it's just a local ISP in the city of
Kaluga in Russia.  I am confused as to how you consider this to be a
nuclear facility.  Considering that the page has no English text, this
sounds like a bit of exaggeration.

I tried a few DNS servers, and still can not resolve iate.obninsk.com, so
probably providing an IP and a snippet of the logs will be more effective in
the future.

> As to why someone who works for a nuclear facility would
> spend their time hacking my site, I can't say.  It seems
> a little alarming.

See above, it's just an ISP, and yes, there are many ISPs which hire
immature people for lack of better talent locally available, or because
the people that are hired have good bullshitting or social engineering
skills.

> I ftped over to the origin IP and discovered that there
> is a large warez collection.

Doesn't surprise me at all - Russia is a country where copyrights are not
really enforceable.  Microsoft surely has trouble.  However high speed
access to the internet (yes, a 512K frame relay link is high speed commercial
grade access there, worth thousands of dollars) is a valuable commodity,
and is used to obtain "free software".

> Who do you contact in situations of foreign based intrusion
> such as this?

Usually one tries the usual things:  whois, email to the administrative
contact, if no reaction, traceroute, another whois, e-mail to the
administrative contact of the uplink, if still no reaction, then block at
the router/firewall of your site.

In the case of obninsk.com, here is the whois record:
Registrant:
JSC Elecs, Kaluga (OBNINSK-DOM)
   38, Teatralnaya st.
   Kaluga, 248600
   RU

   Domain Name: OBNINSK.COM

   Administrative Contact, Billing Contact:
      Kartashev, Igor I  (IIK)  ikar () KALUGA ROSMAIL COM
      JSC Elecs
      38, Teatralnaya st.,
      Kaluga
      248600
      RU
      +7 084 253 1116 (FAX) +7 084 224 2016
   Technical Contact, Zone Contact:
      Merdin, Paul A  (PAM27)  mrd () KALUGA ROSMAIL COM
      JSC Elecs, Kaluga
      38, Teatralnaya str.
      Kaluga
      248600
      RU
      +7 084 2 531258 (FAX) +7 084 22 42016

   Record last updated on 27-May-2000.
   Record expires on 07-Jun-2001.
   Record created on 06-Jun-1997.
   Database last updated on 8-Aug-2000 02:11:16 EDT.

   Domain servers in listed order:

   NS.KALUGA.COM                195.90.136.1
   NS.ROSNET.RU                 195.90.128.117
   NS.GLASNET.RU                193.124.5.34
   NS2.ROSNET.RU                195.90.128.137
   IIS.KALUGA.COM               195.90.136.2

So try e-mailing Paul Merdin, but keep in mind that more than likely the
person at the other end doesn't speak good English (if at all), so please
use simple language, and provide plenty of logs, including time stamps,
and information on what time zone you are in, so they can correlate their
logs.   Being polite helps a great deal.

I wish you luck.  Please don't jump to conclusions so fast next time.

P.S.  Yes, I do speak, read and understand Russian, and yes, my X is
configured to grok Russian character encoding, so yes, I am qualified to
tell you that it is NOT a nuclear plant.

Signed:
//Stany
--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR  |
| This message is powered by JOLT!  For all the sugar and twice the caffeine. |
+--------+ My words are my own.  LARTs are provided free of charge. +---------+
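The procedure Stany lays out above (whois, then an e-mail to the listed contact with timestamped logs and a stated time zone, then a block at the firewall) as an added example that is not part of this message or the thread: a Python script that parses combined-format web-server log lines, normalises each timestamp to UTC while keeping the server's own offset so the other side can correlate, picks out the requests from one source address, pulls the contact e-mail addresses out of a whois record, and assembles the report to send. The log lines, the whois excerpt, the site name and every address in it (203.0.113.7 and 198.51.100.23 from the documentation ranges, example.net contacts) are constructed for the example, not taken from the incident.

```python
"""Build an abuse report for an upstream contact from web-server logs.

Added example, not from the original thread.  Assumes Apache/nginx
"combined" log format and a whois record pasted as plain text.
"""
import re
from datetime import datetime, timezone

# Constructed sample: four requests, three from the suspect address,
# logged by a server running at UTC-4 (the offset the log line carries).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2000:22:14:03 -0400] "GET /game/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.23 - - [06/Aug/2000:22:14:10 -0400] "GET /game/index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [06/Aug/2000:22:15:41 -0400] "POST /game/trade.php HTTP/1.0" 200 731 "-" "Mozilla/4.0"
203.0.113.7 - - [06/Aug/2000:22:15:42 -0400] "POST /game/trade.php HTTP/1.0" 200 731 "-" "Mozilla/4.0"
"""

# Constructed whois excerpt in the same layout as the record quoted above,
# with placeholder contacts (example.net).
WHOIS_SAMPLE = """\
   Administrative Contact, Billing Contact:
      Admin Person  (ADM1)  admin-contact@example.net
   Technical Contact, Zone Contact:
      Tech Person  (TECH2)  tech-contact@example.net
"""

ATTACKER_IP = "203.0.113.7"   # constructed placeholder from TEST-NET-3

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_log(text):
    """Yield one dict per parseable line: ip, UTC time, original offset, request, status."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        local = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield {
            "ip": m.group("ip"),
            "utc": local.astimezone(timezone.utc),
            "offset": m.group("ts").split()[-1],   # e.g. "-0400", kept for the reader
            "request": m.group("req"),
            "status": int(m.group("status")),
        }


def select_events(events, source_ip):
    """Keep only the requests that came from the address being reported."""
    return [e for e in events if e["ip"] == source_ip]


def whois_contacts(text):
    """Map each '... Contact:' role line to the e-mail addresses listed under it."""
    contacts, role = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("Contact:"):
            role = stripped.rstrip(":")
            contacts[role] = []
        elif role:
            contacts[role].extend(EMAIL_RE.findall(stripped))
    return contacts


def build_report(events, source_ip, site, contact):
    """Plain-language report: every timestamp in UTC, server offset in brackets."""
    hits = select_events(events, source_ip)
    lines = [
        f"To: {contact}",
        f"Subject: Abuse report: requests from {source_ip} against {site}",
        "",
        "All times below are UTC; the server's own offset is shown in brackets.",
        "",
    ]
    for e in hits:
        lines.append(
            f'{e["utc"].strftime("%Y-%m-%d %H:%M:%S")} UTC [{e["offset"]}] '
            f'{e["ip"]} "{e["request"]}" {e["status"]}'
        )
    lines += ["", f"Total requests from {source_ip}: {len(hits)}"]
    return "\n".join(lines)


if __name__ == "__main__":
    evts = list(parse_log(SAMPLE_LOG))
    tech = whois_contacts(WHOIS_SAMPLE)["Technical Contact, Zone Contact"][0]
    print(build_report(evts, ATTACKER_IP, "www.example.org", tech))
```

The report addresses the technical contact first because that is the role Stany points at; the dictionary keeps the administrative contact too for the second attempt he describes. Converting to UTC while printing the original offset is what lets an operator in another time zone line the entries up against their own logs without guessing.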

