
Thread about the DonationCoder.com server Shutdown on March 2nd, 2008


mouser:
I appreciate your message so much Stoic.

I can definitely see why there is such an incentive for companies to cover up when this happens to them -- it's incredibly embarrassing, and the public relations damage could be severe, and put jobs on the line, etc.  You can definitely imagine why a company would just want to brush it under the rug and actively deny it happened if asked.  I suspect this happens a LOT.

But like you say -- the problem is that this just makes the situation for the end users worse.

We have tried from its inception to just be totally up front about everything that happens on this site.  When the server goes down we try to post why and what we are doing, etc.  There was never really a question that we would post about exactly what happened and what we were doing about it.

I will be posting a much longer thread and gothic will chime in too about general lessons learned and strategies to avoid such things in the future.

nowshining:
Hi, um... those IPs are suspicious (I just got your e-letter a few minutes ago):

First of all, if you're using Linux etc., the best thing is to disable the timeout on sudo privileges; in Ubuntu it's 15 minutes. To do so, insert the following in your sudoers (note also that the logfile for passwords and last time accessed is sent to secure.log, which should secure you even more):

Defaults !lecture,tty_tickets,!fqdn
Defaults:ALL  !syslog
Defaults:ALL logfile=/var/log/secure.log
Defaults:ALL timestamp_timeout=0

Also, are you using user-agent blocking in your .htaccess files? You could also get and put up an IP blocker of the kind primarily used by P2P users to block media IPs, etc. This should also keep your site secure, not to mention keep gov., mil, and even the RIAA and MIAA out of this site, etc.? :)

If I remember correctly ipblocker is for Linux. I just forgot the exact one for Windows, although I had trouble with it with arno-iptables-firewall.

:) oh well..

Also you should have the latest Linux kernel updates. There was an exploit that could easily gain root access, and that is fixed.

I have the test code on my website if anyone wants to use it for testing. :) Just cd to your desktop or wherever you saved it, run sh exploit.sh or whatever, and if you get root then you're affected.

I have it on my site in case others want to test their kernel.

Also many security sites have the test exploit code too.

http://www.botnetgodalphamale.dnsdojo.org:8000

is my shared-files site (dir). Without the 8000 port it's my wiki, which I've got to set up and find a use for. :) as it's public.



By the way:

24.39.219.73: This seems suspicious because HoldCo, I think, is from RR internal. RIAA? MIAA? Some employee from RR? I read on forums of blocking RR IPs with HoldCo in them; of course those were P2P forums. One forum said that it looks to be an internal IP.

OrgName:    Road Runner HoldCo LLC
OrgID:      RCNY
Address:    13241 Woodland Park Road
City:       Herndon
StateProv:  VA
PostalCode: 20171
Country:    US

ReferralServer: rwhois://ipmt.rr.com:4321

NetRange:   24.39.0.0 - 24.39.255.255
CIDR:       24.39.0.0/16
NetName:    RR-COMMERCIAL-NYC-4
NetHandle:  NET-24-39-0-0-1
Parent:     NET-24-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.BIZ.RR.COM
NameServer: NS2.BIZ.RR.COM
NameServer: DNS4.RR.COM
Comment:
RegDate:    2004-02-19
Updated:    2004-06-09

OrgAbuseHandle: ABUSE10-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-703-345-3416
OrgAbuseEmail:  [email protected]

OrgTechHandle: IPTEC-ARIN
OrgTechName:   IP Tech
OrgTechPhone:  +1-703-345-3416
OrgTechEmail:  [email protected]

# ARIN WHOIS database, last updated 2008-03-26 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Found a referral to ipmt.rr.com:4321.

%rwhois V-1.5:003fff:00 ipmt-02.rr.com (by Network Solutions, Inc. V-1.5.7.3)
network:Class-Name:network
network:ID:NETBLK-ISRC-24.39.128.0/17
network:Auth-Area:24.39.216.0/21
network:Network-Name:HAEFELE-TV-INC.-24.39.216.0
network:IP-Network:24.39.216.0/21
network:IP-Network-Block:24.39.216.0 - 24.39.223.255
network:Organization;I:HAEFELE-TV-INC.
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:IPADD-ARIN
network:AbuseEmail:[email protected]
network:Created:20080326
network:Updated:20080326
network:Updated-By:[email protected]

network:Class-Name:network
network:ID:NETBLK-ISRC-24.39.128.0/17
network:Auth-Area:24.39.128.0/17
network:Network-Name:ISRC-24.39.128.0
network:IP-Network:24.39.128.0/17
network:IP-Network-Block:24.39.128.0 - 24.39.255.255
network:Organization;I:Road Runner Commercial
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:IPADD-ARIN
network:Created:20080326
network:Updated:20080326
network:Updated-By:[email protected]

%ok
.............................................
62.13.171.41: suspicious? IT dept.?? H3G?? Seems to be a hosting company? http://builtwith.com/?Tre.it = notice the "Who is Hosting This" at the bottom right.

inetnum:      62.13.171.0 - 62.13.171.255
netname:      H3GIT
descr:        H3G IT department
country:      IT
admin-c:      VO175-RIPE
tech-c:       RC497-RIPE
tech-c:       EMF4-RIPE
tech-c:       GB1450-RIPE
status:       ASSIGNED PA
mnt-by:       H3G-CN-MNT
source:       RIPE # Filtered

person:       Vittorio Orsini
address:      H3G Italia S.p.A.
address:      Via Cristoforo Colombo, 416 - 420
address:      I 00145 Roma RM
address:      Italy
phone:        +39 06 59551
fax-no:       +39 06 54602123
e-mail:       [email protected]
nic-hdl:      VO175-RIPE
source:       RIPE # Filtered

person:       Raffaele Celentano
address:      H3G Italia S.p.A.
address:      Via Cristoforo Colombo 416
address:      I-00145 Roma RM
address:      Italy
phone:        +39 06 59556068
fax-no:       +39 06 54602123
e-mail:       [email protected]
nic-hdl:      RC497-RIPE
source:       RIPE # Filtered

person:       Giuliano Biondi
address:      H3G Italia S.p.A.
address:      Via Cristoforo Colombo, 416 - 420
address:      I 00145 Roma RM
address:      Italy
phone:        +39 06 59551
fax-no:       +39 06 54602123
e-mail:       [email protected]
nic-hdl:      GB1450-RIPE
source:       RIPE # Filtered

person:       Enrico Maria Fondi
address:      H3G Italia S.p.A.
address:      Via Cristoforo Colombo, 416 - 420
address:      I 00145 Roma RM
address:      Italy
phone:        +39 06 59556066
fax-no:       +39 06 54602123
e-mail:       [email protected]
nic-hdl:      EMF4-RIPE
source:       RIPE # Filtered

% Information related to '62.13.160.0/19AS24608'

route:        62.13.160.0/19
descr:        H3G Italy SpA
descr:        UMTS operator and ISP
origin:       AS24608
mnt-by:       H3G-CN-MNT
mnt-routes:   H3G-CN-MNT
source:       RIPE # Filtered

......................................................................
82.201.163.136: suspicious due to "African Internet Numbers Registry".

% This is the RIPE Whois query server #3.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '82.201.128.0 - 82.201.255.255'

inetnum:      82.201.128.0 - 82.201.255.255
org:          ORG-AFNC1-RIPE
netname:      AFRINIC-NET-TRANSFERRED-20050223
descr:        This network has been transferred to AFRINIC
remarks:      These IP addresses are assigned in the AFRINIC region.
remarks:      Authoritative registration information for this network
remarks:      is available for query and modification in
remarks:      the AFRINIC whois database: whois.afrinic.net or
remarks:      web site: http://www.afrinic.net
remarks:      The routing registry information (route(6) objects)
remarks:      may be published in any Routing Registry, including
remarks:      RIPE Whois Database
country:      EU # country is really somewhere in African Region
admin-c:      AFRI-RIPE
tech-c:       AFRI-RIPE
status:       ALLOCATED PA
mnt-by:       RIPE-NCC-HM-MNT
mnt-routes:   RIPE-NCC-RPSL-MNT
source:       RIPE # Filtered

organisation: ORG-AFNC1-RIPE
org-name:     African Internet Numbers Registry
org-type:     RIR
address:      see http://www.afrinic.net
e-mail:       [email protected]
admin-c:      AFRI-RIPE
tech-c:       AFRI-RIPE
remarks:      For more information on AFRINIC assigned blocks, use
remarks:      AFRINIC's whois database, whois.afrinic.net.
mnt-ref:      RIPE-NCC-HM-MNT
mnt-by:       RIPE-NCC-HM-MNT
source:       RIPE # Filtered

role:         The African Internet Numbers Registry
org:          ORG-AFNC1-RIPE
address:      AFRINIC, see http://www.afrinic.net
admin-c:      AFRI-RIPE
tech-c:       AFRI-RIPE
nic-hdl:      AFRI-RIPE
e-mail:       [email protected]
remarks:      For more information on AFRINIC assigned blocks, connect
remarks:      to AFRINIC's whois database, whois.afrinic.net.
mnt-by:       RIPE-NCC-HM-MNT
source:       RIPE # Filtered

% Information related to '82.201.128.0/18AS24863'

route:        82.201.128.0/18
descr:        LINKdotNET Route
origin:       AS24863
mnt-by:       MAINT-LINK
source:       RIPE # Filtered

% Information related to '82.201.128.0/17AS24863'

route:        82.201.128.0/17
descr:        LINKdotNET route
origin:       AS24863
mnt-by:       MAINT-LINK
source:       RIPE # Filtered

% Information related to '82.201.160.0/22AS24863'

route:        82.201.160.0/22
descr:        LINKdotNET route
origin:       AS24863
mnt-by:       MAINT-LINK
source:       RIPE # Filtered

% Information related to '82.201.160.0/21AS24863'

route:        82.201.160.0/21
descr:        LINKdotNET route
origin:       AS24863
mnt-by:       MAINT-LINK
source:       RIPE # Filtered

% Information related to '82.201.162.0/23AS24863'

route:          82.201.162.0/23
descr:          LINKdotNET route
origin:         AS24863
mnt-by:         MAINT-LINK
source:         RIPE # Filtered


My conclusion: you were hacked either by the RIAA, MIAA, or someone in a media company affiliated with these companies, as these IPs point to what many P2P users see pointing to the end result, the RIAA, MIAA, etc.

It could also have been the MIL, GOV helping out the RIAA and MIAA. My suggestion: get the IPs of these organizations and block them from ever connecting to this website with ipblocker or some other P2P blocking program, and have them updated once per week (they get upset if you do it more :( )...

Again, I wouldn't be surprised if you received a court order to take down this site in the near future due to copyright issues or them claiming it.
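
The manual whois reading in the post above, as an added illustration (not nowshining's code, nor anything from the thread): a small Python parser for ARIN/RIPE-style whois records that finds the most specific netblock an address falls in, so that addresses pulled from an access log can be attributed to a registrant mechanically and compared side by side instead of being judged by organisation name alone. The SAMPLE_WHOIS text is constructed to resemble the records quoted in the post (organisation names and the AS number are placeholders), and the function names are my own.

```python
"""Attribute IP addresses to whois netblocks.

Added example, not code from the forum thread. Parses blank-line separated
key: value records as emitted by ARIN and RIPE whois, collects every range
or prefix they describe, and returns the most specific match for an address.
"""
import ipaddress
import re

# Constructed sample modelled on the records quoted in the thread:
# one ARIN-style block, one RIPE-style inetnum and its route object.
SAMPLE_WHOIS = """\
# ARIN WHOIS database (constructed sample)
OrgName:    Example Cable HoldCo LLC
NetRange:   24.39.0.0 - 24.39.255.255
CIDR:       24.39.0.0/16
NetName:    EXAMPLE-COMMERCIAL-4
Country:    US

inetnum:      62.13.171.0 - 62.13.171.255
netname:      EXAMPLE-IT
descr:        Example IT department
country:      IT   # trailing comments occur in real output

route:        62.13.160.0/19
descr:        Example operator
origin:       AS64496
"""

# Keys that carry a start - end range, and keys that carry a CIDR prefix.
RANGE_KEYS = ("netrange", "inetnum")
CIDR_KEYS = ("cidr", "route")


def parse_records(text):
    """Split whois text into records, each a dict of lower-cased key -> [values].

    Blank lines and server comment lines (% or #) end the current record.
    """
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("%", "#")):
            if current:
                records.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w;-]*):\s*(.*)$", line)
        if not m:
            continue  # continuation or free-form line; ignore
        key, val = m.group(1).lower(), m.group(2).strip()
        current.setdefault(key, []).append(val)
    if current:
        records.append(current)
    return records


def networks_in(record):
    """Yield every ip_network a record describes (ranges are summarised)."""
    for key in RANGE_KEYS:
        for val in record.get(key, []):
            lo, hi = (p.strip() for p in val.split("-"))
            yield from ipaddress.summarize_address_range(
                ipaddress.ip_address(lo), ipaddress.ip_address(hi))
    for key in CIDR_KEYS:
        for val in record.get(key, []):
            # strip any trailing "# comment" after the prefix
            yield ipaddress.ip_network(val.split()[0], strict=False)


def lookup(ip, text=SAMPLE_WHOIS):
    """Return (netname, country, network) of the most specific block holding ip.

    Returns None when no record covers the address.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for rec in parse_records(text):
        for net in networks_in(rec):
            if addr in net and (best is None or net.prefixlen > best[2].prefixlen):
                name = (rec.get("netname") or rec.get("orgname") or ["?"])[0]
                country = (rec.get("country") or ["?"])[0].split()[0]
                best = (name, country, net)
    return best


if __name__ == "__main__":
    for ip in ("24.39.219.73", "62.13.171.41", "10.0.0.1"):
        print(ip, "->", lookup(ip))
```

Feeding it the raw output of `whois <ip>` for each address in the access log gives a table of netblocks that can be checked against the site's expected visitor base; a prefix match says who holds the block, not who sat at the keyboard, so it narrows an abuse contact rather than proving intent.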

Josh:
I can honestly say that I know for a fact this wasn't a .mil/.gov based attack. For one, the military does not do these types of attacks. There is no reason for them to do so. As a US Military member, I can tell you that most military installations have a hard enough time maintaining the endless problems and issues with their current networks and would not waste their time with an RIAA/MPAA issue. I am sorry, but just because the RIAA/MPAA have used an IP range in the past doesn't mean they use it every time. There is no reason for DC to be attacked by either of these organizations. We have no content that they would even care about.

But anyways, I browse this site from work so if the site did block .mil, a stupid idea, I would be shut out and I would not like that too much. I am sorry, but this post sounds like paranoia.

f0dder:
Oooooookay, please lay off the crack pipe and conspiracy theories :)
