Runetree


Please note that between the 29th March and the 1st April 06, the computer controlling this domain was attacked, and this domain, as well as the domain 'bondle.co.uk', was compromised, as potentially were the services associated with the domains.

Emails originating from the computer were potentially viewed, and any incoming emails may not have been seen by the person for whom they were intended.
All of the Runetree emails bar one have been trashed due to spam. If anyone has recently sent emails to any @runetree.co.uk address, please be aware that you were not dealing with the person you thought, since no Runetree emails have been acted upon in this period.

I would appreciate copies of any message purporting to originate from this domain between the days stipulated above, if any have been received, or any peculiar emails purporting to originate from bondle, especially if any of these appear to have been spam.



Evidence Found

VNC server: running from boot; this had not been enabled by the genuine root
XDMCP: had been enabled, again not by the genuine root
chkrootkit: nothing found
Incoming router/WAN: log cleared; possibly a VNC connection over wireless, but more likely that there have simply been no connections
Boot log: reset at 20:00 on the 1st, apparently by root
Mail log: seems correct
System log: appears correct
ClamAV: nothing found
Firestarter log: details in /var/messages.1, reproduced below
No messages in /var/messages after the 28th

VNC Server boot script installed 28th March 06
Possibly all data has been viewed since then

Tripwire

A shell script which attempts to run scripts from a hidden directory on the data-only drive, '/media/20gig/.sc'. If the scripts failed to run, 'xorg.conf' was deleted so as to crash the X server on reboot.



Relevant Firewall Log Details for the Days prior to the attack (MAC address of own ethernet card and own IP address removed for security):
Mar 27 06:26:21 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=48796 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.57.93 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=40148 PROTO=UDP SPT=32770 DPT=33436 LEN=44 ]
Mar 27 06:26:21 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=48797 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.201.15 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=56152 PROTO=UDP SPT=32771 DPT=33436 LEN=44 ]
Mar 27 06:26:21 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=48798 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.245.11 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=33374 PROTO=UDP SPT=32772 DPT=33436 LEN=44 ]
Mar 27 06:26:21 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=11005 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.117.235 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=9860 PROTO=UDP SPT=32769 DPT=33437 LEN=44 ]
Mar 27 06:26:23 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=54491 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.201.15 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=56154 PROTO=UDP SPT=32771 DPT=33438 LEN=44 ]
Mar 27 06:26:23 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=54492 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.245.11 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=33376 PROTO=UDP SPT=32772 DPT=33438 LEN=44 ]
Mar 27 18:14:46 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=1532 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.1.15 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=48176 PROTO=UDP SPT=32770 DPT=33436 LEN=44 ]
Mar 27 18:14:46 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=1533 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.109.217 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=45185 PROTO=UDP SPT=32771 DPT=33436 LEN=44 ]
Mar 27 18:14:46 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=1534 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.31.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=38085 PROTO=UDP SPT=32772 DPT=33436 LEN=44 ]
Mar 27 18:14:46 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=40502 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.81.41 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=23859 PROTO=UDP SPT=32769 DPT=33437 LEN=44 ]
Mar 27 18:14:48 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=49736 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.31.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=38087 PROTO=UDP SPT=32772 DPT=33438 LEN=44 ]
Mar 27 18:14:48 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=49737 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.109.217 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=45187 PROTO=UDP SPT=32771 DPT=33438 LEN=44 ]
Mar 28 07:33:25 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=32855 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.151.239 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=49777 PROTO=UDP SPT=32769 DPT=33436 LEN=44 ]
Mar 28 07:33:25 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=32856 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.107.223 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=4968 PROTO=UDP SPT=32771 DPT=33436 LEN=44 ]
Mar 28 07:33:25 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=32857 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.83.73 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=46927 PROTO=UDP SPT=32772 DPT=33436 LEN=44 ]
Mar 28 07:33:25 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=9043 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.95.95 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=35493 PROTO=UDP SPT=32770 DPT=33437 LEN=44 ]
Mar 28 07:33:27 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=37720 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.83.73 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=46929 PROTO=UDP SPT=32772 DPT=33438 LEN=44 ]
Mar 28 07:33:27 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=37721 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.107.223 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=4970 PROTO=UDP SPT=32771 DPT=33438 LEN=44 ]
PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.207.105 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=26810 PROTO=UDP SPT=32770 DPT=33436 LEN=44 ]
Mar 28 13:33:28 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=8315 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.17.111 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=45967 PROTO=UDP SPT=32771 DPT=33436 LEN=44 ]
Mar 28 13:33:28 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=8316 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.65.59 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=39675 PROTO=UDP SPT=32772 DPT=33436 LEN=44 ]
Mar 28 13:33:28 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=15142 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.93.147 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=11882 PROTO=UDP SPT=32769 DPT=33437 LEN=44 ]
Mar 28 13:33:30 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=54800 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.93.147 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=11883 PROTO=UDP SPT=32769 DPT=33438 LEN=44 ]
Mar 28 13:33:30 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=54801 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.65.59 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=39677 PROTO=UDP SPT=32772 DPT=33438 LEN=44 ]
PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.67.195 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=41136 PROTO=UDP SPT=32771 DPT=33436 LEN=44 ]
Mar 29 06:56:06 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=60701 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.233.27 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=46118 PROTO=UDP SPT=32769 DPT=33436 LEN=44 ]
Mar 29 06:56:06 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=60702 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.61.11 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=24402 PROTO=UDP SPT=32772 DPT=33436 LEN=44 ]
Mar 29 06:56:06 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=64934 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.57.187 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=42229 PROTO=UDP SPT=32770 DPT=33437 LEN=44 ]
Mar 29 06:56:08 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=242 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.233.27 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=46120 PROTO=UDP SPT=32769 DPT=33438 LEN=44 ]
Mar 29 06:56:08 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=244 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.61.11 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=24404 PROTO=UDP SPT=32772 DPT=33438 LEN=44 ]
Mar 29 11:56:31 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=39222 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.83.85 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=13972 PROTO=UDP SPT=32792 DPT=33436 LEN=44 ]
Mar 29 11:56:31 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=39223 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.127.75 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=25457 PROTO=UDP SPT=32793 DPT=33436 LEN=44 ]
Mar 29 11:56:31 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=11800 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=204.152.143.23 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=38400 PROTO=UDP SPT=32791 DPT=33438 LEN=44 ]
Mar 29 11:56:31 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=18922 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.37.5 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=26024 PROTO=UDP SPT=32794 DPT=33437 LEN=44 ]
Mar 29 16:56:56 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=11293 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.191.25 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=36730 PROTO=UDP SPT=32801 DPT=33436 LEN=44 ]
Mar 29 16:56:56 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.47.71.250 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0x00 TTL=126 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.63.149 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=333 PROTO=UDP SPT=32803 DPT=33435 LEN=44 ]
Mar 29 16:56:56 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=11294 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.83.61 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=57000 PROTO=UDP SPT=32802 DPT=33436 LEN=44 ]
Mar 29 16:56:58 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=000.000.0.000 LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=3881 PROTO=ICMP TYPE=11 CODE=0 [SRC=000.000.0.000 DST=130.244.63.149 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=335 PROTO=UDP SPT=32803 DPT=33437 LEN=44 ]

Sorted and sifted, these are the IP addresses:

130.244.1.15
130.244.37.5
130.244.57.93
130.244.61.11
130.244.63.149
130.244.93.147
202.139.109.217
202.139.127.75
202.139.191.25
202.139.207.105
202.139.245.11
202.139.67.195
202.232.17.111
202.232.201.15
202.232.233.27
202.232.81.41
202.232.83.61
202.232.83.73
202.232.83.85
204.152.107.223
204.152.117.235
204.152.143.23
204.152.31.25
204.152.57.187
204.152.65.59
213.123.80.161
217.41.171.66
217.41.171.9
217.47.71.250
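
Read as iptables LOG output (the format Firestarter writes with its "Inbound" prefix), each of the firewall lines above carries two remote addresses in different roles. The outer SRC is the router that sent the ICMP type 11 code 0 message ("time exceeded in transit"), and the part in square brackets is the header of the packet that message answers: here always a UDP datagram from the workstation's own masked address with TTL=1 to a port in the 33434+ range, which is the shape of a traceroute probe. The sorted list above mixes the replying hops and the probed destinations. The parser below, added here and not part of the original notice, pulls the two roles apart and labels the message type; the port range, the label names and the handling of the orphan fragments (lines whose first half is missing on the page) are my own choices.

```python
"""Parse Firestarter / iptables "kernel: Inbound ..." log lines and separate
the two addresses each ICMP error carries: the router that sent the ICMP
message (outer SRC) and the destination of the original packet it is
answering (inner DST, inside the square brackets)."""
import ipaddress
import re
from collections import Counter

# Lines copied from the firewall log above; the second is the page's wrapped
# line re-joined, and the third is one of the page's orphan fragments whose
# first half is missing, kept to show that the parser skips it cleanly.
SAMPLE_LOG = """\
Mar 27 06:26:21 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=213.123.80.161 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=253 ID=48796 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.57.93 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=40148 PROTO=UDP SPT=32770 DPT=33436 LEN=44 ]
Mar 27 06:26:23 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.66 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=54491 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.232.201.15 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=56154 PROTO=UDP SPT=32771 DPT=33438 LEN=44 ]
PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=202.139.207.105 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=26810 PROTO=UDP SPT=32770 DPT=33436 LEN=44 ]
Mar 29 16:56:56 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.47.71.250 DST=XXX.XXX.X.XXX LEN=56 TOS=0x00 PREC=0x00 TTL=126 ID=0 PROTO=ICMP TYPE=11 CODE=0 [SRC=XXX.XXX.X.XXX DST=130.244.63.149 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=333 PROTO=UDP SPT=32803 DPT=33435 LEN=44 ]
Mar 29 16:56:58 Workstation kernel: Inbound IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=217.41.171.9 DST=000.000.0.000 LEN=56 TOS=0x00 PREC=0xC0 TTL=252 ID=3881 PROTO=ICMP TYPE=11 CODE=0 [SRC=000.000.0.000 DST=130.244.63.149 LEN=64 TOS=0x00 PREC=0x00 TTL=1 ID=335 PROTO=UDP SPT=32803 DPT=33437 LEN=44 ]
"""

HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<chain>\S+) (?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")          # OUT= is legitimately empty
TRACEROUTE_PORTS = range(33434, 33535)   # classic UDP traceroute port range


def parse_line(line):
    """Return outer and inner header fields, or None for a line that lacks
    the syslog header (a wrapped or orphaned fragment)."""
    m = HEADER.match(line)
    if not m:
        return None
    outer_txt, _, inner_txt = m.group("rest").partition("[")
    return {
        "ts": m.group("ts"),
        "chain": m.group("chain"),
        "outer": dict(KV.findall(outer_txt)),
        # inner LEN appears twice (IP total length, then UDP length); the
        # later value wins, which does not matter for classification
        "inner": dict(KV.findall(inner_txt.rstrip(" ]"))),
    }


def classify(rec):
    """Name what the ICMP message is, using outer type/code and inner header."""
    o, i = rec["outer"], rec["inner"]
    if o.get("PROTO") != "ICMP":
        return "non-icmp"
    if o.get("TYPE") == "11" and o.get("CODE") == "0":
        if (i.get("PROTO") == "UDP" and i.get("TTL") == "1"
                and int(i.get("DPT", "0")) in TRACEROUTE_PORTS):
            return "ttl-exceeded-for-own-traceroute-probe"
        return "ttl-exceeded"
    return "icmp-type-%s" % o.get("TYPE")


def _valid_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False   # masked values such as XXX.XXX.X.XXX


def summarize(text):
    """Split the addresses in the log into the hop that sent each ICMP
    message and the destination of the packet that message answers."""
    hops, dests, kinds, skipped = set(), set(), Counter(), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        kinds[classify(rec)] += 1
        src, dst = rec["outer"].get("SRC", ""), rec["inner"].get("DST", "")
        if _valid_ip(src):
            hops.add(src)
        if _valid_ip(dst):
            dests.add(dst)
    key = ipaddress.ip_address
    return {"replying_hops": sorted(hops, key=key),
            "probe_destinations": sorted(dests, key=key),
            "kinds": dict(kinds), "skipped": skipped}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("fragments skipped:", s["skipped"])
    print("message kinds:", s["kinds"])
    print("routers that replied:", ", ".join(s["replying_hops"]))
    print("destinations probed:", ", ".join(s["probe_destinations"]))
```

Run over the full log above, the "replying hops" set is the small group of bt.net and 217.47.71.250 addresses and the "probe destinations" set is everything else; keeping the two apart is what decides which addresses are worth a complaint to an abuse desk and which are merely where the workstation's own probes were heading.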

Using dig, the domain/owner results for each IP address are:

 -----------------------------------------------
 
digging for  130.244.1.15

; <<>> DiG 9.3.1 <<>> -x 130.244.1.15
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26271
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;15.1.244.130.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
244.130.in-addr.arpa.    10800    IN    SOA    kista.dns.swip.net. hostmaster.swip.net. 2006032901 28800 7200 604800 86400

-----------------------------------------------
 
digging for  130.244.37.5

; <<>> DiG 9.3.1 <<>> -x 130.244.37.5
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27640
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;5.37.244.130.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
5.37.244.130.in-addr.arpa. 85577 IN    PTR    cty29.serial2-0s1-1-4-3c0.swip.net.

-----------------------------------------------
 
digging for  130.244.57.93

; <<>> DiG 9.3.1 <<>> -x 130.244.57.93
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57106
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;93.57.244.130.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
244.130.in-addr.arpa.    10800    IN    SOA    kista.dns.swip.net. hostmaster.swip.net. 2006032901 28800 7200 604800 86400

-----------------------------------------------
 
digging for  130.244.61.11

; <<>> DiG 9.3.1 <<>> -x 130.244.61.11
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8357
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;11.61.244.130.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
244.130.in-addr.arpa.    10800    IN    SOA    kista.dns.swip.net. hostmaster.swip.net. 2006032901 28800 7200 604800 86400

-----------------------------------------------
 
digging for  130.244.63.149

; <<>> DiG 9.3.1 <<>> -x 130.244.63.149
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32968
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;149.63.244.130.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
244.130.in-addr.arpa.    10800    IN    SOA    kista.dns.swip.net. hostmaster.swip.net. 2006032901 28800 7200 604800 86400

-----------------------------------------------
 
digging for  130.244.93.147

; <<>> DiG 9.3.1 <<>> -x 130.244.93.147
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51023
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;147.93.244.130.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
244.130.in-addr.arpa.    10800    IN    SOA    kista.dns.swip.net. hostmaster.swip.net. 2006032901 28800 7200 604800 86400

-----------------------------------------------
 
digging for  202.139.109.217

; <<>> DiG 9.3.1 <<>> -x 202.139.109.217
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35143
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;217.109.139.202.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
109.139.202.in-addr.arpa. 7200    IN    SOA    ns0.news.com.au. hostmaster.news.com.au. 2002070905 7200 1800 1209600 7200

-----------------------------------------------
 
digging for  202.139.127.75

; <<>> DiG 9.3.1 <<>> -x 202.139.127.75
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52500
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;75.127.139.202.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
127.139.202.in-addr.arpa. 3600    IN    SOA    ns1.optus.net.au. hostmaster.optus.net.au. 2002022504 7200 1800 3600000 3600

-----------------------------------------------
 
digging for  202.139.191.25

; <<>> DiG 9.3.1 <<>> -x 202.139.191.25
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18222
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;25.191.139.202.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
25.191.139.202.in-addr.arpa. 2777 IN    PTR    fa1-0.nr1.optus.net.au.

-----------------------------------------------
 
digging for  202.139.207.105

; <<>> DiG 9.3.1 <<>> -x 202.139.207.105
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56095
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;105.207.139.202.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
202.in-addr.arpa.    10800    IN    SOA    ns1.apnic.net. read-TXT-record-of-zone-first-dns-admin.apnic.net. 2006040163 7200 1800 604800 172800

-----------------------------------------------
 
digging for  202.139.245.11

; <<>> DiG 9.3.1 <<>> -x 202.139.245.11
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56111
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;11.245.139.202.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
11.245.139.202.in-addr.arpa. 978 IN    PTR    www.kina.com.pg.

-----------------------------------------------
 
digging for  202.139.67.195

; <<>> DiG 9.3.1 <<>> -x 202.139.67.195
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19675
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;195.67.139.202.in-addr.arpa.    IN    PTR
-----------------------------------------------
 
digging for  202.232.17.111

; <<>> DiG 9.3.1 <<>> -x 202.232.17.111
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57245
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;111.17.232.202.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
111.17.232.202.in-addr.arpa. 85578 IN    PTR    ppp91111.po.iijnet.or.jp.
-----------------------------------------------
 
digging for  202.232.201.15

; <<>> DiG 9.3.1 <<>> -x 202.232.201.15
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 29264
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;15.201.232.202.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
232.202.in-addr.arpa.    10800    IN    SOA    a.dns.jp. root.dns.jp. 2006040301 3600 900 604800 86400

-----------------------------------------------
 
digging for  202.232.233.27

; <<>> DiG 9.3.1 <<>> -x 202.232.233.27
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41178
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;27.233.232.202.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
27.233.232.202.in-addr.arpa. 28800 IN    CNAME    27.000a.233.232.202.in-addr.arpa.

;; AUTHORITY SECTION:
000a.233.232.202.in-addr.arpa. 900 IN    SOA    dns-b.iij.ad.jp. dns-managers.iij.ad.jp. 4 3600 1800 3600000 900

-----------------------------------------------
 
digging for  202.232.81.41

; <<>> DiG 9.3.1 <<>> -x 202.232.81.41
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11148
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;41.81.232.202.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
81.232.202.in-addr.arpa. 10800    IN    SOA    lss001.lss-co.net. isaka_yoshihiro.lss-co.net. 506011659 3600 1800 3600000 28800

-----------------------------------------------
 
digging for  202.232.83.61

; <<>> DiG 9.3.1 <<>> -x 202.232.83.61
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48287
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;61.83.232.202.in-addr.arpa.    IN    PTR

-----------------------------------------------
 
digging for  202.232.83.73

; <<>> DiG 9.3.1 <<>> -x 202.232.83.73
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36508
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;73.83.232.202.in-addr.arpa.    IN    PTR

-----------------------------------------------
 
digging for  202.232.83.85

; <<>> DiG 9.3.1 <<>> -x 202.232.83.85
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;85.83.232.202.in-addr.arpa.    IN    PTR

-----------------------------------------------
 
digging for  204.152.107.223

; <<>> DiG 9.3.1 <<>> -x 204.152.107.223
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44096
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;223.107.152.204.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
204.in-addr.arpa.    10800    IN    SOA    chia.arin.net. bind.arin.net. 2006040210 1800 900 691200 10800

-----------------------------------------------
 
digging for  204.152.117.235

; <<>> DiG 9.3.1 <<>> -x 204.152.117.235
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34544
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;235.117.152.204.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
204.in-addr.arpa.    10800    IN    SOA    chia.arin.net. bind.arin.net. 2006040210 1800 900 691200 10800

-----------------------------------------------
 
digging for  204.152.143.23

; <<>> DiG 9.3.1 <<>> -x 204.152.143.23
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;23.143.152.204.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
23.143.152.204.in-addr.arpa. 86400 IN    PTR    23.143.152.204.in-addr.arpa.

-----------------------------------------------
 
digging for  204.152.31.25

; <<>> DiG 9.3.1 <<>> -x 204.152.31.25
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34668
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;25.31.152.204.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
204.in-addr.arpa.    10800    IN    SOA    chia.arin.net. bind.arin.net. 2006040210 1800 900 691200 10800

-----------------------------------------------
 
digging for  204.152.57.187

; <<>> DiG 9.3.1 <<>> -x 204.152.57.187
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39154
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;187.57.152.204.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
204.in-addr.arpa.    10800    IN    SOA    chia.arin.net. bind.arin.net. 2006040210 1800 900 691200 10800

-----------------------------------------------
 
digging for  204.152.65.59

; <<>> DiG 9.3.1 <<>> -x 204.152.65.59
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39876
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;59.65.152.204.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
204.in-addr.arpa.    10800    IN    SOA    chia.arin.net. bind.arin.net. 2006040210 1800 900 691200 10800

-----------------------------------------------
 
digging for  213.123.80.161

; <<>> DiG 9.3.1 <<>> -x 213.123.80.161
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36309
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;161.80.123.213.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
80.123.213.in-addr.arpa. 10800    IN    SOA    ns0.bt.net. hostmaster.bt.net. 1999121034 28800 7200 604800 86400

-----------------------------------------------
 
digging for  217.41.171.66

; <<>> DiG 9.3.1 <<>> -x 217.41.171.66
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62017
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;66.171.41.217.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
171.41.217.in-addr.arpa. 10800    IN    SOA    ns0.bt.net. hostmaster.bt.net. 1999121015 28800 7200 604800 86400
 
-----------------------------------------------
 
digging for  217.41.171.9

; <<>> DiG 9.3.1 <<>> -x 217.41.171.9
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19312
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;9.171.41.217.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
171.41.217.in-addr.arpa. 10800    IN    SOA    ns0.bt.net. hostmaster.bt.net. 1999121015 28800 7200 604800 86400
 
-----------------------------------------------
 
digging for  217.47.71.250

; <<>> DiG 9.3.1 <<>> -x 217.47.71.250
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45870
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;250.71.47.217.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
71.47.217.in-addr.arpa.    10800    IN    SOA    ns0.bt.net. hostmaster.bt.net. 1999121021 28800 7200 604800 86400

-----------------------------------------------
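
The transcripts above boil down to one line per address: a PTR name where reverse DNS has one, otherwise the SOA of the zone whose server answered NXDOMAIN (the nearest thing to an "owner" that reverse lookup gives), otherwise just the failure status. The parser below is an added example, not part of the original notice; it works on four transcripts copied (abridged) from the output above, and the "responsible party" labelling is my own convention for deciding where a follow-up would go.

```python
"""Reduce a batch of `dig -x` transcripts, separated by dashed lines as on
the page above, to one record per address: status, PTR target if any,
CNAME if the zone uses RFC 2317-style delegation, and the SOA returned on
NXDOMAIN (zone apex and primary nameserver)."""
import re
from collections import defaultdict

# Four transcripts copied (abridged) from the dig output above: a PTR answer,
# an NXDOMAIN with an SOA, a SERVFAIL, and the CNAME-plus-SOA case.
SAMPLE_DIG = """\
digging for  130.244.37.5

; <<>> DiG 9.3.1 <<>> -x 130.244.37.5
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27640
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;5.37.244.130.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
5.37.244.130.in-addr.arpa. 85577 IN    PTR    cty29.serial2-0s1-1-4-3c0.swip.net.

-----------------------------------------------

digging for  202.139.207.105

; <<>> DiG 9.3.1 <<>> -x 202.139.207.105
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56095
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;105.207.139.202.in-addr.arpa.    IN    PTR

;; AUTHORITY SECTION:
202.in-addr.arpa.    10800    IN    SOA    ns1.apnic.net. read-TXT-record-of-zone-first-dns-admin.apnic.net. 2006040163 7200 1800 604800 172800

-----------------------------------------------

digging for  202.232.83.61

; <<>> DiG 9.3.1 <<>> -x 202.232.83.61
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48287
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;61.83.232.202.in-addr.arpa.    IN    PTR

-----------------------------------------------

digging for  202.232.233.27

; <<>> DiG 9.3.1 <<>> -x 202.232.233.27
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41178
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;27.233.232.202.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
27.233.232.202.in-addr.arpa. 28800 IN    CNAME    27.000a.233.232.202.in-addr.arpa.

;; AUTHORITY SECTION:
000a.233.232.202.in-addr.arpa. 900 IN    SOA    dns-b.iij.ad.jp. dns-managers.iij.ad.jp. 4 3600 1800 3600000 900
"""

SEPARATOR = re.compile(r"^-{10,}\s*$", re.M)
TARGET = re.compile(r"digging for\s+(\S+)")
STATUS = re.compile(r"status: (\w+)")
SECTION = re.compile(r"^;; (\w+) SECTION:")


def parse_transcript(block):
    """One dig transcript -> record, or None if the block names no address."""
    t = TARGET.search(block)
    if not t:
        return None
    s = STATUS.search(block)
    rec = {"ip": t.group(1), "status": s.group(1) if s else "NO-RESPONSE",
           "ptr": None, "cname": None, "soa_zone": None, "soa_mname": None}
    section = None
    for line in block.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        # skip comments, blank lines and anything outside ANSWER/AUTHORITY
        if (not line.strip() or line.startswith(";")
                or section not in ("ANSWER", "AUTHORITY")):
            continue
        fields = line.split()          # name ttl class type rdata...
        if len(fields) < 5:
            continue
        name, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "PTR":
            rec["ptr"] = rdata[0]
        elif rtype == "CNAME":
            rec["cname"] = rdata[0]
        elif rtype == "SOA":
            rec["soa_zone"], rec["soa_mname"] = name, rdata[0]
    return rec


def rdns_table(text):
    rows = []
    for block in SEPARATOR.split(text):
        rec = parse_transcript(block)
        if rec:
            rows.append(rec)
    return rows


def responsible_party(rec):
    """Best handle for follow-up: PTR name, else the primary nameserver of
    the zone that denied the name, else the failure status (my convention)."""
    if rec["ptr"]:
        return "ptr:" + rec["ptr"]
    if rec["soa_mname"]:
        return "soa:" + rec["soa_mname"]
    return "status:" + rec["status"]


def group_by_party(rows):
    groups = defaultdict(list)
    for rec in rows:
        groups[responsible_party(rec)].append(rec["ip"])
    return dict(groups)


if __name__ == "__main__":
    for r in rdns_table(SAMPLE_DIG):
        print("%-16s %-9s %s" % (r["ip"], r["status"], responsible_party(r)))
```

A SERVFAIL row says nothing about who holds the address; it only means the reverse zone's servers were not answering when the lookup ran, so those addresses need a registry (whois) lookup rather than another dig.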
 

The whole of the logs for the 30th, 31st and 1st were deleted by the attacker, so the above IP addresses may not be relevant;
they are, however, addresses from which attempts have been made to penetrate the computer.



This is a log of email pickups from the server's pop-box:

Date / Time     Type     Result     Password     IP number     #
2006-04-02 06:28:35    POP3    OK         00.000.000.00    7
2006-04-02 06:23:43    POP3    OK         00.000.000.00    1
2006-04-02 06:18:44    POP3    OK         00.000.000.00    9
2006-04-02 06:13:42    POP3    OK         00.000.000.00    5
2006-04-02 06:08:44    POP3    OK         00.000.000.00    2
2006-04-02 06:03:45    POP3    OK         00.000.000.00    4
2006-04-02 06:02:49    POP3    OK         00.000.000.00    5
2006-04-02 05:58:43    POP3    OK         00.000.000.00    8
2006-04-02 05:53:44    POP3    OK         00.000.000.00    4
2006-04-02 05:48:42    POP3    OK         00.000.000.00    3
2006-04-02 05:43:35    POP3    OK         00.000.000.00    7
2006-04-02 05:43:22    POP3    OK         00.000.000.00    1
2006-04-02 05:43:06    -    OK         webmail    1
2006-04-02 05:43:05    -    OK         webmail    1
2006-04-02 05:42:56    -    OK         webmail    1
2006-04-02 05:42:56    -    OK         webmail    1
2006-04-02 05:42:55    -    OK         webmail    1
2006-04-02 05:42:55    -    OK         webmail    1
2006-04-02 05:38:44    POP3    OK         00.000.000.00    9
2006-04-02 05:33:43    POP3    OK         00.000.000.00    1
2006-04-02 05:28:44    POP3    OK         00.000.000.00    4
2006-04-02 05:23:42    POP3    OK         00.000.000.00    8
2006-04-02 04:53:50    POP3    OK         00.000.000.00    2
2006-04-02 04:49:39    POP3    OK         00.000.000.00    4
2006-04-02 03:59:06    POP3    OK         00.000.000.00    3
2006-04-02 03:57:41    POP3    OK         00.000.000.00    6
2006-04-02 03:56:42    POP3    OK         00.000.000.00    6
2006-04-02 03:56:17    POP3    OK         00.000.000.00    5
2006-04-01 22:54:18    POP3    OK         00.000.000.00    6
2006-04-01 22:14:50    POP3    OK         00.000.000.00    9
2006-04-01 22:14:34    POP3    OK         00.000.000.00    4
2006-04-01 22:09:50    POP3    OK         00.000.000.00    1
2006-04-01 22:04:50    POP3    OK         00.000.000.00    9
2006-04-01 21:59:50    POP3    OK         00.000.000.00    9
2006-04-01 21:58:41    POP3    OK         00.000.000.00    6
2006-04-01 21:54:49    POP3    OK         00.000.000.00    3
2006-04-01 21:49:50    POP3    OK         00.000.000.00    2
2006-04-01 21:44:44    POP3    OK         00.000.000.00    7
2006-04-01 21:39:51    POP3    OK         00.000.000.00    4
2006-04-01 21:34:49    POP3    OK         00.000.000.00    5
2006-04-01 21:29:50    POP3    OK         00.000.000.00    6
2006-04-01 21:24:49    POP3    OK         00.000.000.00    5
2006-04-01 21:19:44    POP3    OK         00.000.000.00    7
2006-04-01 21:14:50    POP3    OK         00.000.000.00    2
2006-04-01 21:09:50    POP3    OK         00.000.000.00    2
2006-04-01 21:04:49    POP3    OK         00.000.000.00    8
2006-04-01 20:59:50    POP3    OK         00.000.000.00    2
2006-04-01 20:54:50    POP3    OK         00.000.000.00    6
2006-04-01 20:49:50    POP3    OK         00.000.000.00    2
2006-04-01 20:44:50    POP3    OK         00.000.000.00    2
2006-04-01 20:39:50    POP3    OK         00.000.000.00    2
2006-04-01 20:34:49    POP3    OK         00.000.000.00    3
2006-04-01 20:29:50    POP3    OK         00.000.000.00    4
2006-04-01 20:26:34    -    OK         webmail    5
2006-04-01 20:26:33    -    OK         webmail    5
2006-04-01 20:26:33    -    OK         webmail    5
2006-04-01 20:26:33    -    OK         webmail    5
2006-04-01 20:24:44    POP3    OK         00.000.000.00    7
2006-04-01 20:19:44    POP3    OK         00.000.000.00    7
2006-04-01 20:14:49    POP3    OK         00.000.000.00    9
2006-04-01 20:09:49    POP3    OK         00.000.000.00    1
2006-04-01 20:04:49    POP3    OK         00.000.00.000    2
2006-04-01 19:59:49    POP3    OK         00.000.00.000    1
2006-04-01 19:54:49    POP3    OK         00.000.00.000    8
2006-04-01 19:52:30    POP3    OK         00.000.00.000    9
2006-04-01 19:52:29    POP3    OK         00.000.00.000    3
2006-04-01 19:52:28    POP3    OK         00.000.00.000    9
2006-04-01 19:49:48    POP3    OK         00.000.00.000    3
2006-04-01 19:48:52    POP3    OK         00.000.00.000    2
2006-04-01 19:48:51    POP3    OK         00.000.00.000    6
2006-04-01 19:48:49    POP3    OK         00.000.00.000    2
2006-04-01 19:48:49    POP3    OK         00.000.00.000    3
2006-04-01 19:48:48    POP3    OK         00.000.00.000    9
2006-04-01 19:48:47    POP3    OK         00.000.00.000    4
2006-04-01 19:48:45    POP3    OK         00.000.00.000    5
2006-04-01 19:48:39    POP3    OK         00.000.00.000    4
2006-04-01 19:44:48    POP3    OK         00.000.00.000    5
2006-04-01 19:39:48    POP3    OK         00.000.00.000    5
2006-04-01 19:38:29    POP3    OK         00.000.00.000    2
2006-04-01 19:34:48    POP3    OK         00.000.00.000    8
2006-04-01 19:29:50    POP3    OK         00.000.00.000    4
2006-04-01 19:24:48    POP3    OK         00.000.00.000    5
2006-04-01 19:21:04    POP3    OK         00.000.00.000    6
2006-04-01 19:21:00    POP3    OK         00.000.00.000    2
2006-04-01 19:20:53    POP3    OK         00.000.00.000    5
2006-04-01 19:20:48    POP3    OK         00.000.00.000    6
2006-04-01 19:19:49    POP3    OK         00.000.00.000    9
2006-04-01 19:15:16    POP3    OK         00.000.00.000    7
2006-04-01 19:14:48    POP3    OK         00.000.00.000    3
2006-04-01 19:10:50    POP3    OK         00.000.00.000    5
2006-04-01 19:10:01    POP3    OK         00.000.00.000    9
2006-04-01 19:09:49    POP3    OK         00.000.00.000    1
2006-04-01 19:04:49    POP3    OK         00.000.00.000    6
2006-04-01 18:59:45    POP3    OK         00.000.00.000    7
2006-04-01 18:58:54    POP3    OK         00.000.00.000    7
2006-04-01 18:54:47    POP3    OK         00.000.00.000    7
2006-04-01 18:54:33    POP3    OK         00.000.00.000    4
2006-04-01 18:54:27    POP3    OK         00.000.00.000    4
2006-04-01 18:49:49    POP3    OK         00.000.00.000    3
2006-04-01 18:44:48    POP3    OK         00.000.00.000    3

There were two periods when webmail was used to pick up mail at times other than those when webmail was known to have been used.
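As an added example (not part of the original incident log), the check the sentence above describes, written as a shell function over a few lines constructed from the table: given the windows in which webmail is known to have been used, list every webmail pick-up that falls outside them. The column order (date, time, protocol, status, source, count) is assumed from the table, and the windows-file format is an assumption of this example.

```shell
#!/bin/sh
# Added example, not the author's tooling. Flags webmail pick-ups that fall
# outside the windows in which webmail is known to have been used.
# Assumed log columns (from the table above): date time protocol status source count
# Assumed windows file format: one "YYYY-MM-DD HH:MM:SS HH:MM:SS" per line.

# Print "UNEXPECTED webmail access: <date> <time>" for every webmail line of
# $1 whose time is not inside a known-use window on that date listed in $2.
flag_webmail() {
    log="$1"; windows="$2"
    awk '
        FILENAME == ARGV[1] { w[++n] = $1 " " $2 " " $3; next }   # load windows first
        $3 == "-" && $5 == "webmail" {
            ok = 0
            for (i = 1; i <= n; i++) {
                split(w[i], f, " ")
                # times are zero-padded HH:MM:SS, so string comparison is chronological
                if (f[1] == $1 && $2 >= f[2] && $2 <= f[3]) { ok = 1; break }
            }
            if (!ok) print "UNEXPECTED webmail access: " $1 " " $2
        }' "$windows" "$log"
}

# Constructed sample: the four webmail lines from the table above plus one POP3 line.
sample_log() {
    cat <<'EOF'
2006-04-01 20:29:50    POP3    OK         00.000.000.00    4
2006-04-01 20:26:34    -    OK         webmail    5
2006-04-01 20:26:33    -    OK         webmail    5
2006-04-01 20:26:33    -    OK         webmail    5
2006-04-01 20:26:33    -    OK         webmail    5
EOF
}

# Stand-alone demo: assume the owner only used webmail between 09:00 and 09:30 that day.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    sample_log > "$tmp/access.log"
    echo "2006-04-01 09:00:00 09:30:00" > "$tmp/known.txt"
    flag_webmail "$tmp/access.log" "$tmp/known.txt"
    rm -rf "$tmp"
fi
```

With an empty windows file every webmail line is reported, which is the safe default when the owner's own usage has not been recorded; POP3 lines are never considered, since the point of the evidence above is the webmail source alone.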

The supposition at present is that the PC was being prepared for a denial of service attack or as a spam gateway, the former being the higher probability. It is possible that the slowing down of the system witnessed on the 1st was the start of such an attack. An attempt to shut the system down resulted in a lockout which was only recoverable through the power button's 'hardware halt signal'. The attack may however have been undertaken for other purposes as yet undefined.

Rectifications

  1. VNC Server startup has been removed
  2. XDMCP disabled
  3. NFS file sharing disabled (again)
  4. Passwords to the domain controls have been changed
  5. Root and user passwords changed on the computer
  6. POP box passwords changed
  7. Potentially dubious email forwarders have been deleted
  8. Chkrootkit now runs daily
  9. Full ClamAV scan
  10. Changed wireless WEP codes and disabled the wireless connection, just in case
  11. Placed noexec in /etc/fstab for all cascading data drives. After the X session failed, found a shell script in rc.d5 which deleted xorg.conf if the data drives were noexec; removed it, together with the shell scripts stored in the office data drive folder /media/20gig/.sc
  12. Modified the logs so that they can only be appended, not edited or reset
  13. Set up a daily backup of the logs
  14. This page kept as an incident log

All files deleted were removed using shred, and their names were added to a shell script which tests for their reappearance after reboot. So far, none have reappeared.
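The reappearance test just described, together with checks for rectifications 11 and 12, as an added example rather than the author's own script. It assumes the shredded paths are kept in /var/local/shredded.list (one absolute path per line), that the data drive is mounted at /media/20gig as in item 11, and that the append-only logs of item 12 were set with `chattr +a`; all three are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the script the page's author used. Three post-clean-up
# checks to run after every reboot: (1) has any shredded file reappeared,
# (2) is a data drive still mounted noexec, (3) is a log still append-only.
# Assumed list location: /var/local/shredded.list, one absolute path per line.

# Print every path from the list that exists again.
# Returns 0 if nothing reappeared, 1 if at least one path did.
check_reappeared() {
    list="$1"
    found=0
    while IFS= read -r path; do
        case "$path" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ -e "$path" ]; then
            echo "REAPPEARED: $path"
            found=1
        fi
    done < "$list"
    return "$found"
}

# Return 0 if the given mount point appears in /proc/mounts (Linux) with
# noexec among its options, 1 otherwise (item 11 above).
mounted_noexec() {
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") ok = 1 }
        END { exit ok ? 0 : 1 }' /proc/mounts 2>/dev/null
}

# Return 0 if the file carries the ext2/3 append-only attribute (set with
# "chattr +a", the assumed way item 12 was done), 1 otherwise. With no
# lsattr output at all the answer is 1, so a missing tool is never a pass.
log_is_append_only() {
    lsattr -d "$1" 2>/dev/null | awk 'NR == 1 { a = index($1, "a") } END { exit a ? 0 : 1 }'
}

# Stand-alone use, e.g. from a daily cron job: run all three and report.
if [ "${1:-}" = "--run" ]; then
    check_reappeared /var/local/shredded.list || echo "WARNING: shredded files are back"
    mounted_noexec /media/20gig || echo "WARNING: /media/20gig is not mounted noexec"
    log_is_append_only /var/log/messages || echo "WARNING: /var/log/messages is not append-only"
fi
```

Each function reports through its exit status, so a cron line such as `sh check.sh --run` can mail only the warnings; a reappearing path or a lost mount option is exactly the sign that the startup hook described in item 11 has come back.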