Security Incidents mailing list archives
Re: Source of attack: Russian nuclear facility?
From: //Stany <stany () NOTBSD ORG>
Date: Tue, 8 Aug 2000 02:28:33 -0400
On Sun, 6 Aug 2000, Bryan Willett wrote:
> I created a php based gaming site: www.merchantempires.net. An unknown person with IP addresses used by iate.obninsk.com, is currently hacking the site. He/she is using some method to cheat in the game through altering the database. I haven't figured out if it's a simple php bug or other vulnerability.
Hrm. Ok, according to www.obninsk.com, it's just a local ISP in a city of Kaluga in Russia. I am confused as to how you consider this to be a nuclear facility. Considering that the page has no English text, this sounds like a bit of exaggeration. I tried a few DNS servers, and still can not resolve iate.obninsk.com, so probably providing an IP and snippet of the logs will be more effective in the future.
> As to why someone who works for a nuclear facility would spend their time hacking my site, I can't say. It seems a little alarming.
See above, it's just an ISP, and yes, there are many ISPs which hire immature people for lack of better talent locally available, or because the people that are hired have good bullshitting or social engineering skills.
> I ftped over to the origin IP and discovered that there is a large warez collection.
Doesn't surprise at all - Russia is a country where copyrights are not really enforceable. Microsoft surely has trouble. However high speed access to the internet (yes, 512K frame relay link is high speed commercial grade access there, worth thousands of dollars) is a valuable commodity, and is used to obtain "free software".
> Who do you contact in situations of foreign based intrusion such as this?
Usually one tries the usual things: whois, email to the administrative contact; if no reaction, traceroute, another whois, e-mail to the administrative contact of the uplink; if still no reaction, then block at the router/firewall of your site.

In the case of obninsk.com, here is the whois record:

Registrant:
JSC Elecs, Kaluga (OBNINSK-DOM)
38, Teatralnaya st.
Kaluga, 248600
RU

Domain Name: OBNINSK.COM

Administrative Contact, Billing Contact:
Kartashev, Igor I (IIK) ikar () KALUGA ROSMAIL COM
JSC Elecs
38, Teatralnaya st., Kaluga 248600
RU
+7 084 253 1116 (FAX) +7 084 224 2016

Technical Contact, Zone Contact:
Merdin, Paul A (PAM27) mrd () KALUGA ROSMAIL COM
JSC Elecs, Kaluga
38, Teatralnaya str.
Kaluga 248600
RU
+7 084 2 531258 (FAX) +7 084 22 42016

Record last updated on 27-May-2000.
Record expires on 07-Jun-2001.
Record created on 06-Jun-1997.
Database last updated on 8-Aug-2000 02:11:16 EDT.

Domain servers in listed order:
NS.KALUGA.COM 195.90.136.1
NS.ROSNET.RU 195.90.128.117
NS.GLASNET.RU 193.124.5.34
NS2.ROSNET.RU 195.90.128.137
IIS.KALUGA.COM 195.90.136.2

So try e-mailing Paul Merdin, but keep in mind that more than likely the person at the other end doesn't speak good English (if at all), so please use simple language, and provide plenty of logs, including time stamps, and information on what time zone you are in, so they could correlate their logs. Being polite helps a great deal.

I wish you luck. Please don't jump to conclusions so fast next time.

P.S. Yes, I do speak, read and understand Russian, and yes, my X is configured to grok Russian character encoding, so yes, I am qualified to tell you that it is NOT a nuclear plant.

Signed: //Stany
--
+-------+ Stanislav N Vardomskiy - Procurator Odiosus Ex Infernis[TM] +-------+
| "Backups we have; it's restores that we find tricky." Richard Letts at ASR |
| This message is powered by JOLT! For all the sugar and twice the caffeine. |
+--------+ My words are my own. LARTs are provided free of charge. +---------+
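The advice above, to send the remote admin log excerpts with time stamps the other side can correlate, is easier to follow if the excerpt carries UTC alongside local time. The following is an added example (not part of the original thread or anyone's posted code); the access-log lines, the suspect IP and the time zone offset are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constructed Apache common-log-format lines; the addresses and times are
# made up for this example and are not from the incident in the thread.
SAMPLE_LOG = """\
192.0.2.45 - - [06/Aug/2000:23:41:07 -0400] "POST /game/trade.php HTTP/1.0" 200 512
198.51.100.9 - - [06/Aug/2000:23:41:30 -0400] "GET /index.php HTTP/1.0" 200 2048
192.0.2.45 - - [07/Aug/2000:00:02:15 -0400] "POST /game/trade.php HTTP/1.0" 500 498
"""

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_clf_line(line):
    """Parse one common-log-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # %z reads the numeric offset, so the datetime keeps the server's local zone.
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts,
            "request": m.group("req"), "status": int(m.group("status"))}


def excerpt_for_abuse_report(log_text, suspect_ip):
    """Select entries from suspect_ip and render each with UTC and local time."""
    report = []
    for raw in log_text.splitlines():
        entry = parse_clf_line(raw)
        if entry is None or entry["ip"] != suspect_ip:
            continue
        local = entry["ts"]
        utc = local.astimezone(timezone.utc)  # same instant, zone-independent
        report.append(
            f"{utc:%Y-%m-%d %H:%M:%S} UTC "
            f"(local {local:%Y-%m-%d %H:%M:%S %z}) "
            f"{entry['ip']} {entry['status']} {entry['request']}"
        )
    return report


if __name__ == "__main__":
    print("\n".join(excerpt_for_abuse_report(SAMPLE_LOG, "192.0.2.45")))
```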