[Coco] CoCo Forums hacker Hunt-Down Begins

Lawrence Weeks dev at anabasis.net
Wed Dec 6 13:12:04 EST 2006


Once upon a time (Mon Dec 04), DJ wrote:

> http://www.dnsstuff.com is an excellent source of research tools for
> tracking down IP addresses.

Edited results from some queries:

% dig -x 69.56.245.170
170.245.56.69.in-addr.arpa. 86400 IN    PTR     aa.f5.3845.static.theplanet.com.

% dig a aa.f5.3845.static.theplanet.com.
aa.f5.3845.static.theplanet.com. 86339 IN A	69.56.245.170

% telnet aa.f5.3845.static.theplanet.com smtp
220-server4.hostprestige.com ESMTP Exim 4.52 #1 Wed, 06 Dec 2006 11:41:38 -0600 

% dig a server4.hostprestige.com
server4.hostprestige.com. 3514	IN	A	69.56.245.170

% whois hostprestige.com
Registration Service Provided By: OmegaSphere
Contact: support at omegasphere.net
Visit: http://www.omegasphere.net/
        
Domain name: hostprestige.com

Administrative Contact:
   
   Host Prestige (hostprestige at gmail.com)
   +1.9493500754
   Fax: 
   27 Dogwood Ln
   Aliso Viejo, CA 92656
   US

Looks to me like theplanet.com is hosting a server (and not properly
providing rDNS delegation) for Host Prestige, which is another hosting
business. From traceroutes, the box is in the DFW Texas area. Odds
are, that machine was compromised by whoever compromised the coco
site. Connecting to it via HTTP gives a cPanel default installation
page, so that machine is probably chock full of virtual web domains.

Larry
-- 
Lawrence Weeks                                    lweeks at anabasis.net
Anabasis Consulting Ltd
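The attribution chain Larry walks through above (PTR for the IP, A record for the PTR target, SMTP banner hostname, then whois) is the usual forward-confirmed reverse DNS check an incident responder does by hand. The following is an added example, not code from the post or from anyone on the list, that automates the DNS half of it offline: it parses dig-style answer lines (the sample text is constructed to mirror the records quoted in the message) and reports whether the PTR is forward-confirmed and which other names claim the same address, so a mismatch like the one Larry describes (banner hostname that the PTR does not name) is flagged rather than spotted by eye. Function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed sample: dig answer-section lines in the shape shown in the post.
SAMPLE_DIG_OUTPUT = """\
170.245.56.69.in-addr.arpa. 86400 IN PTR aa.f5.3845.static.theplanet.com.
aa.f5.3845.static.theplanet.com. 86339 IN A 69.56.245.170
server4.hostprestige.com. 3514 IN A 69.56.245.170
"""

# Constructed sample: the SMTP greeting the server sent when telnetted.
SAMPLE_SMTP_BANNER = (
    "220-server4.hostprestige.com ESMTP Exim 4.52 #1 Wed, 06 Dec 2006 11:41:38 -0600"
)

# owner  ttl  IN  type  rdata   (dig separates the fields with tabs or spaces)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(PTR|A)\s+(\S+)$")


def parse_dig_lines(text):
    """Return (owner, rtype, rdata) tuples for every PTR/A answer line found."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if m:
            records.append((m.group(1).lower(), m.group(2), m.group(3).lower()))
    return records


def reverse_name(ip):
    """Owner name dig -x queries for an IPv4 address, e.g. 170.245.56.69.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def forward_confirmed(ip, records):
    """FCrDNS: PTR names for ip whose own A record points back at ip."""
    rev = reverse_name(ip)
    ptr_targets = [rd for owner, rt, rd in records if rt == "PTR" and owner == rev]
    a_records = {owner: rd for owner, rt, rd in records if rt == "A"}
    return [name for name in ptr_targets if a_records.get(name) == ip]


def hosts_for_ip(ip, records):
    """Every name in the answer set whose A record resolves to ip."""
    return sorted({owner.rstrip(".") for owner, rt, rd in records if rt == "A" and rd == ip})


def smtp_banner_host(banner):
    """Hostname the server announces in its 220 greeting (first token after the code)."""
    m = re.match(r"^220[ -](\S+)", banner)
    return m.group(1).lower() if m else None


def rdns_mismatch(ip, banner, records):
    """True when the SMTP banner names a host that the PTR for ip does not.

    That pattern is what the post describes: the provider keeps a generic
    reverse name for the address while the customer's server uses its own.
    """
    announced = smtp_banner_host(banner)
    ptr_hosts = {name.rstrip(".") for name in forward_confirmed(ip, records)}
    return announced is not None and announced not in ptr_hosts


if __name__ == "__main__":
    recs = parse_dig_lines(SAMPLE_DIG_OUTPUT)
    target = "69.56.245.170"
    print("forward-confirmed PTR:", forward_confirmed(target, recs))
    print("names resolving to IP:", hosts_for_ip(target, recs))
    print("SMTP banner host:     ", smtp_banner_host(SAMPLE_SMTP_BANNER))
    print("rDNS/banner mismatch: ", rdns_mismatch(target, SAMPLE_SMTP_BANNER, recs))
```

In practice the dig output would come from running the same queries shown in the message and pasting or piping them in; the parser only looks at answer-section PTR and A lines, so header and comment lines from dig are ignored.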