Think that China is reading here to.

Think that China is reading here too. Thanks for the IPs. 61.172.249.200 (Omvänd uppslagning misslyckades) : whois.apnic.net

% [whois.apnic.net node-2] % Whois data copyright terms

inetnum:      61.172.249.194 - 61.172.249.212
netname:      WAEI-SOFTWARE-DEVE
descr:        Beijing Waei Software Development
country:      CN
admin-c:      ZXW2-AP
tech-c:       ZXW2-AP
mnt-by:       MAINT-CN-SHTELE-XINCHAN
changed:      snipped-for-privacy@shaidc.com 20020627
status:       ASSIGNED NON-PORTABLE
source:       APNIC
changed:      snipped-for-privacy@apnic.net 20020827

person:       Zhang Xing Wen
address:      Rm.9032 jingan center No.8 Beisanhuan Rd. chaoyang Diastrict Beijing 100028
country:      CN
phone:        +86-21-84541188-1302
fax-no:       +86-21-84543126
e-mail:       snipped-for-privacy@waei.com.cn
nic-hdl:      ZXW2-AP
mnt-by:       MAINT-CN-SHTELE-XINCHAN
changed:      snipped-for-privacy@shaidc.com 20020627
source:       APNIC


Andersajja

Reply to
anders

Why would you think that?

Well, that's great, but that's 18 addresses. You'd be abusing the whois server if you went step by step like that. Besides,

[compton ~]$ grep -h CN IP.ADDR/stats/* | cut -d' ' -f2 | cut -d'.' -f1 | sort | uniq -c | column
      1 134         1 167        64 203        10 220        30 60
      1 159         1 168        70 210        58 221        69 61
      1 161         4 192        33 211        56 222
      1 162         1 198        46 218         9 58
      1 166       293 202        27 219        23 59
[compton ~]$

China (CN) has 800 different allocations and if you want to make life easier in the 61.x block, try 61.128.0.0/10 (61.128.0.0 - 61.191.255.255). Or just try

formatting link
formatting link
formatting link
formatting link
But understand that there are over 63 thousand allocations by the five RIRs to 192 different country codes from AD (Andorra) to ZW (Zimbabwe), and those 800 allocations to China don't include 554 to Hong Kong, 15 to Macau, or 313 to Taiwan.

Old guy

Reply to
Moe Trin

Because my firewall was overrun by calls, mostly at the 1026/1027 ports, but there was only this

61.172.249.200 that I counted about 25 times, and the others were only trying a couple of times and on different ports. There was even this attempt to install MySQL worms and some overflow attempts.

I will never abuse any whois or arpanet servers.

Sorry, but this is like throwing pearls at a pig. I have found this book "Learning GNU/LINUX" by Linus Walleij, who maybe can get me over the next hill.

I am aware that there is a lot for me to learn, and you are one of the persons I actually have a great deal of respect for, along with some others. My knowledge is a bit poor, but I am reading a lot here and on other newsgroups; I have done this for almost a year now.

Andersajja

Reply to
anders

UDP or TCP?

I'm sorry, but I misunderstood your meaning. Actually I don't think that many people who are producing or running mal-ware really read this group that much.

Again, I misunderstood your meaning. In the history of blocklisting, things started out by blocking specific hosts that were being abusive. As more hosts from the same area of address space showed up, people decided to try to block all space from an entity (a company, or ISP, or similar). As the problem got larger, some people have decided to block whole countries or even regions of the world.

This is not an easy task, because address blocks were not assigned with this thought - looking at the block from 202.0.0.0 to 202.255.255.255, I see there are 2976 assignments to 45 different countries from the Western side of the Indian Ocean to Hawaii. There really is no pattern to the assignments. Also, many domain names do not reflect the country or region where they come from. There are literally thousands of companies with a .com domain in China or Chile or Belarus or Belize. Also as many have noticed, not all network administrators follow the rules that _require_ reverse DNS (IP to name) tables.

First read as "throwing Perl at a pig" (Perl is called the "Swiss Army Chainsaw" of scripting languages). Actually, this is an example of the way Unix tools are used - each tool can do one task very well, but you can chain commands together to do what appear to be very complicated tasks. Perl is another tool that would also do the job, and is available in the Windows or Macintosh environment.

When you look at the hill, it seems VERY steep. Just take one step at a time, and you will reach the top of the hill. I have a number of years experience, and the reason I show the commands like above is so that people can see how it is done.

Knowing how (or even why) to ask a whois server shows that you are learning well. Please continue. This is good!

Old guy

Reply to
Moe Trin

On Thu, 07 Apr 2005 09:24:17 GMT, anders spoketh

Yeah, nothing new there. A bunch of messenger spam has been coming from China for the past 6 to 9 months. It's just blasts of junk at random targets...

Lars M. Hansen


Reply to
Lars M. Hansen

61.172.249.200 was trying UDP

Yes, I know that, but I do believe that you understand that it was not the scripting language I was thinking of in the first place.

But like the child, I know there is something on the table, but I can't get it yet.

Thanks, this means a lot to me. Andersajja

Reply to
anders

Think about it. Since UDP is a connectionless protocol, and no handshake is needed, you can easily send UDP M$ messenger spam from a completely forged IP address. No need to worry about the ACKs being routed back...

UDP messenger spam is usually forged and almost impossible to trace back to its true source.

Reply to
T. Sean Weintz

Correct. Further, if you are counting bits over the wire, blocking the source address does not prevent the packet. Think about how the connection occurs. In TCP, there is a minimum of two packets sent

Source -> Destination: Hello, I have a transmission for you.
Destination -> Source: Hello, I don't want to speak to you.

and that is the end of that. By the way, if your firewall is "stealth" then the source tries three times before quitting:

Source -> Destination: Hello, I have a transmission for you.
Source -> Destination: Hello, I have a transmission for you.
Source -> Destination: Hello, I have a transmission for you.

so stealth is going to be more expensive in bandwidth over the connection. Now for a UDP packet, it looks like this:

Source -> Destination: Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam, Spam
Destination -> Source: I don't want to speak to you.

and as you can see - it's too late, because it doesn't matter what, if anything, the destination does. All your computer can do is throw away the spam. If, for example, you have a firewall that prevents this packet from being passed up the stack, or if your computer isn't listening on the port, this happens automagically. If you are paying for a connection by the byte, you may wish to discuss blocking with your upstream, so that they drop these unwanted packets for you. Naturally, they will probably want to charge you for this special service. ;-)

I think you mean "UDP messenger spam is almost always forged and almost..."

"Messenger" is a rather primitive (and broken) version of the BSD 'talk' service from about 1984, which itself was a network aware version of the 'write' service that was part of (UNIX) Version 6 from 1975. Other network operating systems like Lantastic, Banyan Vines, Novell Netware and Tenex had similar functions. I think maybe the second thing you learned when working with them was how to turn that d4mn service off. Luckily for us *nix users, Microsoft also changed the port number used and made it otherwise incompatible, so that we're not bothered by this garbage.

Old guy

Reply to
Moe Trin

You're not alone receiving spam from this company on ports 1026 & 1027. I am getting a few per day from 61.172.249.200 but 61.172.249.201 is sending spam packets every 2min 25 secs - that adds up to about 700 per day. Check out the messages under the header of "Why you have hardware firewalls" in this group.

I am sending reports on a daily basis to snipped-for-privacy@waei.com.cn and snipped-for-privacy@ccert.edu.cn. So far there has been no let up in the flow but fingers crossed.

Reply to
JC
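The counting anders and JC describe above (hits per source on ports 1026/1027, UDP versus TCP, and the interval between packets) can be done from firewall logs rather than by hand. This is an added example, not code from the thread: it assumes netfilter-style syslog lines, and the sample lines are constructed. As the thread notes, a UDP source address is only what the header claims, so the counts serve reporting, not attribution.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed netfilter-style log lines (sample data, not from the thread).
SAMPLE_LOG = """\
Apr  7 09:00:00 fw kernel: IN=eth0 SRC=61.172.249.201 DST=10.0.0.2 PROTO=UDP SPT=1234 DPT=1026
Apr  7 09:02:25 fw kernel: IN=eth0 SRC=61.172.249.201 DST=10.0.0.2 PROTO=UDP SPT=1234 DPT=1026
Apr  7 09:04:50 fw kernel: IN=eth0 SRC=61.172.249.201 DST=10.0.0.2 PROTO=UDP SPT=1234 DPT=1027
Apr  7 09:05:00 fw kernel: IN=eth0 SRC=61.172.249.200 DST=10.0.0.2 PROTO=UDP SPT=1234 DPT=1026
Apr  7 09:06:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.2 PROTO=TCP SPT=40000 DPT=1026 SYN
Apr  7 09:07:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=10.0.0.2 PROTO=TCP SPT=40001 DPT=80 SYN
"""

# Assumed log layout: syslog timestamp, then SRC=, PROTO= and DPT= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+)"
    r" .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)"
)

def summarize(log, ports=(1026, 1027), year=2005):
    """Group dropped packets to the given ports by (source, protocol).

    Returns {(src, proto): {"hits", "ports", "mean_interval_s"}}.  For UDP
    the source is only the address claimed in the header: with no handshake
    it may be forged, so the count is a reporting aid, not proof of origin.
    Syslog lines carry no year, so one is supplied by the caller.
    """
    seen = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) not in ports:
            continue
        stamp = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        seen[(m["src"], m["proto"])].append((stamp, int(m["dport"])))
    report = {}
    for key, events in seen.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        report[key] = {
            "hits": len(events),
            "ports": sorted({p for _, p in events}),
            "mean_interval_s": mean(gaps) if gaps else None,
        }
    return report

def noisiest(report):
    """Return the (src, proto) key with the most hits, for the abuse report."""
    return max(report, key=lambda k: report[k]["hits"])

if __name__ == "__main__":
    for key, row in summarize(SAMPLE_LOG).items():
        print(key, row)
```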

Moe,

What is the significance of whether the spam packets are UDP or TCP?

I am also receiving here UDP packets from 61.172.249.201 on ports 1026 and 1027.

Reply to
JC

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.