Hi, um... those IPs are suspicious (I just got your e-letter a few minutes ago):
First of all, if you're using Linux etc., the best thing is to disable the timeout on sudo privileges; in Ubuntu it's 15m. To do so, insert the following in your sudoers (note also that the logfile for passwords and last time accessed is sent to secure.log, which should secure you even more):
Also, are you using user-agent blocking in your .htaccess files? You could also get and put up an IP blocker like those primarily used by p2p users to block media IPs, etc. This should also keep your site secure, not to mention keep gov., mil., and even the RIAA and MIAA out of this site, etc.
If I remember correctly, ipblocker is for Linux. I just forgot the exact one for Windows. Although I had trouble with it with arno-iptables-firewall.
oh well..
Also, you should have the latest Linux kernel updates. There was an exploit that could easily gain root access, and that is fixed.
I have the test code on my website if anyone wants to use it for testing.
Just cd to your desktop or wherever you saved it, sh exploit.sh or whatever, and if you get root then you're affected.
I've got it on my site in case others want to test their kernel.
Also, many security sites have the test exploit code too.
is my shared files site (dir). Without the 8000 port it's my wiki, which I gotta set up and find a use for,
as it's public.
24.39.219.73: This seems suspicious because HoldCo, I think, is from RR internal. RIAA? MIAA? Some employee from RR? I read on forums about blocking RR IPs with HoldCo in them; of course those were p2p forums. One forum said that it looks to be an internal IP.
OrgName: Road Runner HoldCo LLC
OrgID: RCNY
Address: 13241 Woodland Park Road
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
ReferralServer: rwhois://ipmt.rr.com:4321
NetRange: 24.39.0.0 - 24.39.255.255
CIDR: 24.39.0.0/16
NetName: RR-COMMERCIAL-NYC-4
NetHandle: NET-24-39-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.BIZ.RR.COM
NameServer: NS2.BIZ.RR.COM
NameServer: DNS4.RR.COM
Comment:
RegDate: 2004-02-19
Updated: 2004-06-09
OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-703-345-3416
OrgAbuseEmail: [email protected]
OrgTechHandle: IPTEC-ARIN
OrgTechName: IP Tech
OrgTechPhone: +1-703-345-3416
OrgTechEmail: [email protected]
# ARIN WHOIS database, last updated 2008-03-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
Found a referral to ipmt.rr.com:4321.
%rwhois V-1.5:003fff:00 ipmt-02.rr.com (by Network Solutions, Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:NETBLK-ISRC-24.39.128.0/17
network:Auth-Area:24.39.216.0/21
network:Network-Name:HAEFELE-TV-INC.-24.39.216.0
network:IP-Network:24.39.216.0/21
network:IP-Network-Block:24.39.216.0 - 24.39.223.255
network:Organization;I:HAEFELE-TV-INC.
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:IPADD-ARIN
network:AbuseEmail:[email protected]
network:Created:20080326
network:Updated:20080326
network:Updated-By:[email protected]
network:Class-Name:network
network:ID:NETBLK-ISRC-24.39.128.0/17
network:Auth-Area:24.39.128.0/17
network:Network-Name:ISRC-24.39.128.0
network:IP-Network:24.39.128.0/17
network:IP-Network-Block:24.39.128.0 - 24.39.255.255
network:Organization;I:Road Runner Commercial
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:IPADD-ARIN
network:Created:20080326
network:Updated:20080326
network:Updated-By:[email protected]
%ok
.............................................
62.13.171.41: suspicious? IT DEPT.?? H3G?? Seems to be a hosting company? http://builtwith.com/?Tre.it = notice the "Who is Hosting This" at the bottom right.
inetnum: 62.13.171.0 - 62.13.171.255
netname: H3GIT
descr: H3G IT department
country: IT
admin-c: VO175-RIPE
tech-c: RC497-RIPE
tech-c: EMF4-RIPE
tech-c: GB1450-RIPE
status: ASSIGNED PA
mnt-by: H3G-CN-MNT
source: RIPE # Filtered
person: Vittorio Orsini
address: H3G Italia S.p.A.
address: Via Cristoforo Colombo, 416 - 420
address: I 00145 Roma RM
address: Italy
phone: +39 06 59551
fax-no: +39 06 54602123
e-mail: [email protected]
nic-hdl: VO175-RIPE
source: RIPE # Filtered
person: Raffaele Celentano
address: H3G Italia S.p.A.
address: Via Cristoforo Colombo 416
address: I-00145 Roma RM
address: Italy
phone: +39 06 59556068
fax-no: +39 06 54602123
e-mail: [email protected]
nic-hdl: RC497-RIPE
source: RIPE # Filtered
person: Giuliano Biondi
address: H3G Italia S.p.A.
address: Via Cristoforo Colombo, 416 - 420
address: I 00145 Roma RM
address: Italy
phone: +39 06 59551
fax-no: +39 06 54602123
e-mail: [email protected]
nic-hdl: GB1450-RIPE
source: RIPE # Filtered
person: Enrico Maria Fondi
address: H3G Italia S.p.A.
address: Via Cristoforo Colombo, 416 - 420
address: I 00145 Roma RM
address: Italy
phone: +39 06 59556066
fax-no: +39 06 54602123
e-mail: [email protected]
nic-hdl: EMF4-RIPE
source: RIPE # Filtered
% Information related to '62.13.160.0/19AS24608'
route: 62.13.160.0/19
descr: H3G Italy SpA
descr: UMTS operator and ISP
origin: AS24608
mnt-by: H3G-CN-MNT
mnt-routes: H3G-CN-MNT
source: RIPE # Filtered
......................................................................
82.201.163.136: suspicious due to "African Internet Numbers Registry".
% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '82.201.128.0 - 82.201.255.255'
inetnum: 82.201.128.0 - 82.201.255.255
org: ORG-AFNC1-RIPE
netname: AFRINIC-NET-TRANSFERRED-20050223
descr: This network has been transferred to AFRINIC
remarks: These IP addresses are assigned in the AFRINIC region.
remarks: Authoritative registration information for this network
remarks: is available for query and modification in
remarks: the AFRINIC whois database: whois.afrinic.net or
remarks: web site: http://www.afrinic.net
remarks: The routing registry information (route(6) objects)
remarks: may be published in any Routing Registry, including
remarks: RIPE Whois Database
country: EU # country is really somewhere in African Region
admin-c: AFRI-RIPE
tech-c: AFRI-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-routes: RIPE-NCC-RPSL-MNT
source: RIPE # Filtered
organisation: ORG-AFNC1-RIPE
org-name: African Internet Numbers Registry
org-type: RIR
address: see http://www.afrinic.net
e-mail: [email protected]
admin-c: AFRI-RIPE
tech-c: AFRI-RIPE
remarks: For more information on AFRINIC assigned blocks, use
remarks: AFRINIC's whois database, whois.afrinic.net.
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
role: The African Internet Numbers Registry
org: ORG-AFNC1-RIPE
address: AFRINIC, see http://www.afrinic.net
admin-c: AFRI-RIPE
tech-c: AFRI-RIPE
nic-hdl: AFRI-RIPE
e-mail: [email protected]
remarks: For more information on AFRINIC assigned blocks, connect
remarks: to AFRINIC's whois database, whois.afrinic.net.
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered
% Information related to '82.201.128.0/18AS24863'
route: 82.201.128.0/18
descr: LINKdotNET Route
origin: AS24863
mnt-by: MAINT-LINK
source: RIPE # Filtered
% Information related to '82.201.128.0/17AS24863'
route: 82.201.128.0/17
descr: LINKdotNET route
origin: AS24863
mnt-by: MAINT-LINK
source: RIPE # Filtered
% Information related to '82.201.160.0/22AS24863'
route: 82.201.160.0/22
descr: LINKdotNET route
origin: AS24863
mnt-by: MAINT-LINK
source: RIPE # Filtered
% Information related to '82.201.160.0/21AS24863'
route: 82.201.160.0/21
descr: LINKdotNET route
origin: AS24863
mnt-by: MAINT-LINK
source: RIPE # Filtered
% Information related to '82.201.162.0/23AS24863'
route: 82.201.162.0/23
descr: LINKdotNET route
origin: AS24863
mnt-by: MAINT-LINK
source: RIPE # Filtered
My conclusion: you were hacked either by the RIAA, MIAA, or someone in a media company affiliated with these companies, as these IPs point to what many p2p users see pointing to the end result, the RIAA, MIAA, etc.
It could also have been the MIL or GOV helping out the RIAA and MIAA. My suggestion: get the IPs of these organizations and block them from ever connecting to this website with ipblocker or some other p2p blocking program, and have them updated once per week (they get upset if you do it more)...
Again, I wouldn't be surprised if you received a court order to take down this site in the near future due to copyright issues or them claiming it.
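The manual whois lookups in the post above are worth automating once a server log shows more than a handful of unfamiliar addresses. The following is an added example, not code from the poster or from any tool the post mentions. It assumes the three registry output styles quoted above (ARIN `NetRange:` records, rwhois `network:IP-Network-Block:` records and RIPE `inetnum:` records), and the sample text `SAMPLE_WHOIS` is a constructed condensation of those records; `NetBlock`, `parse_whois`, `lookup` and `triage` are names chosen here. For each address it reports the most specific (smallest) registered block that covers it, which is the piece of information a defender actually wants when deciding whether an address belongs to an ISP's customer pool, a corporate block or a transferred allocation.

```python
"""Map addresses from a server log to the whois netblocks that cover them."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, condensed from the ARIN, rwhois and RIPE records quoted
# in the post. Each registry uses its own field names; blank lines separate
# records exactly as the real tools print them.
SAMPLE_WHOIS = """\
NetRange: 24.39.0.0 - 24.39.255.255
OrgName: Road Runner HoldCo LLC
NetName: RR-COMMERCIAL-NYC-4

network:IP-Network-Block:24.39.216.0 - 24.39.223.255
network:Network-Name:HAEFELE-TV-INC.-24.39.216.0
network:Organization;I:HAEFELE-TV-INC.

network:IP-Network-Block:24.39.128.0 - 24.39.255.255
network:Network-Name:ISRC-24.39.128.0
network:Organization;I:Road Runner Commercial

% Information related to '62.13.171.0 - 62.13.171.255'
inetnum: 62.13.171.0 - 62.13.171.255
netname: H3GIT
descr: H3G IT department

inetnum: 82.201.128.0 - 82.201.255.255
netname: AFRINIC-NET-TRANSFERRED-20050223
descr: This network has been transferred to AFRINIC
"""

# Field names, lower-cased, that carry the same meaning in each registry style.
RANGE_KEYS = ("netrange", "inetnum", "network:ip-network-block")
NAME_KEYS = ("netname", "network:network-name")
ORG_KEYS = ("orgname", "network:organization;i", "descr")


@dataclass
class NetBlock:
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    name: str
    org: str

    def covers(self, addr):
        return addr.version == self.start.version and self.start <= addr <= self.end

    @property
    def size(self):
        return int(self.end) - int(self.start) + 1


def parse_record(text):
    """Turn one key/value record into a dict (first occurrence of a key wins)."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#")):  # registry comment lines
            continue
        # rwhois keys look like "network:IP-Network-Block:value": split on the
        # second colon for those, on the first colon for ARIN/RIPE output.
        parts = line.split(":", 2) if line.lower().startswith("network:") else line.split(":", 1)
        if len(parts) < 2:
            continue
        key = ":".join(parts[:-1]).strip().lower()
        fields.setdefault(key, parts[-1].strip())
    return fields


def parse_whois(text):
    """Extract every record that carries an address range as a NetBlock."""
    blocks = []
    for chunk in re.split(r"\n\s*\n", text):
        fields = parse_record(chunk)
        rng = next((fields[k] for k in RANGE_KEYS if k in fields), None)
        if not rng:
            continue
        lo, hi = (ipaddress.ip_address(p.strip()) for p in rng.split("-", 1))
        name = next((fields[k] for k in NAME_KEYS if k in fields), "?")
        org = next((fields[k] for k in ORG_KEYS if k in fields), "?")
        blocks.append(NetBlock(lo, hi, name, org))
    return blocks


def lookup(ip, blocks):
    """Return the smallest block covering ip, or None if no block does."""
    addr = ipaddress.ip_address(ip)
    matches = [b for b in blocks if b.covers(addr)]
    return min(matches, key=lambda b: b.size) if matches else None


def triage(ips, blocks):
    """Map each address to (block name, organisation) for a quick review."""
    report = {}
    for ip in ips:
        block = lookup(ip, blocks)
        report[ip] = (block.name, block.org) if block else ("no-record-in-sample", "")
    return report


if __name__ == "__main__":
    blocks = parse_whois(SAMPLE_WHOIS)
    # The three addresses the post asks about, plus one with no record.
    for ip, (name, org) in triage(["24.39.219.73", "62.13.171.41", "82.201.163.136", "10.0.0.1"], blocks).items():
        print(f"{ip:16} {name:36} {org}")
```

Because the smallest covering block wins, 24.39.219.73 resolves to the /21 sub-assignment (HAEFELE-TV-INC.) rather than the enclosing Road Runner /16, which is the same distinction the rwhois referral in the post was making. Feeding it real output is a matter of replacing `SAMPLE_WHOIS` with the text captured from the `whois` command.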
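For the user-agent and address blocking the post suggests doing in .htaccess, this is an added example and not the poster's configuration. It assumes Apache 2.2-style access control with mod_setenvif and mod_authz_host loaded and `AllowOverride` permitting these directives; the user-agent pattern and the 203.0.113.0/24 range are placeholders (the latter is a documentation-only range), not addresses from the post.

```apacheconf
# Tag any request whose User-Agent matches a pattern you have chosen to refuse.
# "ExampleBadAgent" is an assumed placeholder; use your own pattern.
SetEnvIfNoCase User-Agent "ExampleBadAgent" block_request

# Default-allow, then deny tagged requests and an explicit address range.
# 203.0.113.0/24 is a placeholder range, not one of the addresses in the post.
Order Allow,Deny
Allow from all
Deny from env=block_request
Deny from 203.0.113.0/24
```

Blocked clients receive a 403, which shows up in the access log as a normal request line, so the block is visible in the same log the post is already reading. On Apache 2.4 the same effect uses `Require` directives (or the `Order`/`Deny` lines above with mod_access_compat).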