[Coco] CoCo Forums hacker Hunt-Down Begins
Lawrence Weeks
dev at anabasis.net
Wed Dec 6 13:12:04 EST 2006
Once upon a time (Mon Dec 04), DJ wrote:
> http://www.dnsstuff.com is an excellent source of research tools for
> tracking down IP addresses.
Edited results from some queries:
% dig -x 69.56.245.170
170.245.56.69.in-addr.arpa. 86400 IN PTR aa.f5.3845.static.theplanet.com.
% dig a aa.f5.3845.static.theplanet.com.
aa.f5.3845.static.theplanet.com. 86339 IN A 69.56.245.170
% telnet aa.f5.3845.static.theplanet.com smtp
220-server4.hostprestige.com ESMTP Exim 4.52 #1 Wed, 06 Dec 2006 11:41:38 -0600
% dig a server4.hostprestige.com
server4.hostprestige.com. 3514 IN A 69.56.245.170
% whois hostprestige.com
Registration Service Provided By: OmegaSphere
Contact: support at omegasphere.net
Visit: http://www.omegasphere.net/
Domain name: hostprestige.com
Administrative Contact:
Host Prestige (hostprestige at gmail.com)
+1.9493500754
Fax:
27 Dogwood Ln
Aliso Viejo, CA 92656
US
Looks to me like theplanet.com is hosting a server (and not properly
providing rDNS delegation) for Host Prestige, which is another hosting
business. From traceroutes, the box is in the DFW Texas area. Odds
are, that machine was compromised by whoever compromised the coco
site. Connecting to it via HTTP gives a cPanel default installation
page, so that machine is probably chock full of virtual web domains.
Larry
--
Lawrence Weeks lweeks at anabasis.net
Anabasis Consulting Ltd
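The attribution steps Larry walks through (reverse lookup, forward confirmation, SMTP banner, then comparing the two names) can be scripted as a forward-confirmed reverse DNS check. This is an added example, not code from the original post; the resolver is injected so it runs offline against constructed lookup tables that mirror the records quoted above, and a live run would swap in real DNS queries.

```python
"""FCrDNS check plus SMTP-banner comparison (added example, not from the post)."""
import ipaddress
import re
from typing import Optional

# Constructed lookup tables reproducing the dig output quoted in the post.
PTR_RECORDS = {"170.245.56.69.in-addr.arpa.": "aa.f5.3845.static.theplanet.com."}
A_RECORDS = {
    "aa.f5.3845.static.theplanet.com.": "69.56.245.170",
    "server4.hostprestige.com.": "69.56.245.170",
}
# Constructed ESMTP greeting, matching the one the telnet session returned.
SMTP_BANNER = "220-server4.hostprestige.com ESMTP Exim 4.52 #1 Wed, 06 Dec 2006 11:41:38 -0600"


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name that `dig -x` queries for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr_lookup=PTR_RECORDS.get, a_lookup=A_RECORDS.get) -> dict:
    """Return the PTR name and whether its A record points back at ip."""
    ptr = ptr_lookup(reverse_name(ip))
    confirmed = ptr is not None and a_lookup(ptr) == ip
    return {"ip": ip, "ptr": ptr, "forward_confirmed": confirmed}


def banner_host(banner: str) -> Optional[str]:
    """Extract the hostname an ESMTP server announces in its 220 greeting."""
    m = re.match(r"220[ -](\S+)", banner)
    return m.group(1) if m else None


def attribute(ip: str, banner: str, a_lookup=A_RECORDS.get) -> dict:
    """Combine rDNS and banner evidence: does the name the service claims
    resolve to the same box, and does it differ from the (generic) PTR?"""
    result = fcrdns(ip)
    host = banner_host(banner)
    result["banner_host"] = host
    result["banner_resolves_to_ip"] = host is not None and a_lookup(host + ".") == ip
    result["ptr_differs_from_banner"] = (
        result["ptr"] is not None and host is not None and result["ptr"].rstrip(".") != host
    )
    return result


if __name__ == "__main__":
    print(attribute("69.56.245.170", SMTP_BANNER))
```

A PTR that forward-confirms but names only the upstream provider, while the service banner advertises a different domain resolving to the same address, is exactly the "hosted box with no delegated rDNS" pattern described in the post.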