benos (posted July 13, 2007):
Friday there were 10 fraud order attempts (on my "Donate" page) in my store, for $2000.00 each. Fortunately they were all either declined or held for review by my Authorize.net "suspicious transaction" filter. Not only do I hate that, but if one actually approves - and I don't catch it to void it before it batches through - I have to pay transaction fees not only on the original fraud order, but on the refund as well. So I really hate that.
be
Kingman (posted July 13, 2007):
It is pretty ridiculous when you think about that mess.
robomanusa (posted July 13, 2007; edited July 13, 2007 by robomanusa):
That sucks..... The only thing you might be able to do is block ntelos's entire net range; give them a call if you have all the records of times and dates. That IP is dynamic, so it isn't like you can block just that one. The company is in VA, so at least it's US based, which helps.
+1-540-946-2638
216.12.80.0 - 216.12.81.255
You can also use mod_rewrite to redirect those IP addresses to their own error page.... create a trap, basically.
benos (posted July 14, 2007):
Thanks Rob. I called that number and just got a stupid message telling me to hang up and dial 611. So I called: Ntelos, Inc., dns@ntelos.net 877-468-3567 ... and got a tech guy who told me to call back tomorrow because there was no one there that could deal with it.
And this happened after I posted... As I'm working with my "Donate.html" page, I notice a new text file in my (ftp) "Store" folder, and I remember the letters "...ftp..." in the file's name. So I finished editing the Donate page, then after I uploaded the page I went back to download the new text file, but then it was gone! Yikes. So I changed all the ftp and server passwords. Then when I was talking to EV1/The Planet Servers, the tech guy was looking around the server and said there were repeated attempts to log in to the server (root) today. So he blocked that IP address, which was 210.83.183.14. Scary stuff.
be
Merlin Orr (posted July 14, 2007; edited July 14, 2007 by Merlin Orr):
ME TOO! And times like this is when you need that 22-250!!!!
Adam B (posted July 14, 2007):
Here is a better idea of the area where he is located: http://www.ip-adress.com/details.php?c=VjJ...GZXVzl5YXc9PQ==
The ISP knows what customers have what IP addresses; maybe a fellow member knows someone that works at the ISP.
ChuckS (posted July 14, 2007):
ARIN whois shows this!:

Search results for: 210.83.183.14
OrgName:        Asia Pacific Network Information Centre
OrgID:          APNIC
Address:        PO Box 2131
City:           Milton
StateProv:      QLD
PostalCode:     4064
Country:        AU
ReferralServer: whois://whois.apnic.net
NetRange:       210.0.0.0 - 211.255.255.255
CIDR:           210.0.0.0/7
NetName:        APNIC-CIDR-BLK2
NetHandle:      NET-210-0-0-0-1
Parent:
NetType:        Allocated to APNIC
NameServer:     NS1.APNIC.NET
NameServer:     NS3.APNIC.NET
NameServer:     NS4.APNIC.NET
NameServer:     NS-SEC.RIPE.NET
NameServer:     TINNIE.ARIN.NET
NameServer:     DNS1.TELSTRA.NET
Comment:        This IP address range is not registered in the ARIN database.
Comment:        For details, refer to the APNIC Whois Database via
Comment:        WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment:        ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment:        for the Asia Pacific region. APNIC does not operate networks
Comment:        using this IP address range and is not able to investigate
Comment:        spam or abuse reports relating to these addresses. For more
Comment:        help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate:        1996-07-01
Updated:        2005-05-20
OrgTechHandle:  AWC12-ARIN
OrgTechName:    APNIC Whois Contact
OrgTechPhone:   +61 7 3858 3100
OrgTechEmail:   search-apnic-not-arin@apnic.net
# ARIN WHOIS database, last updated 2007-07-13 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
If contact information is out of date or incorrect, please contact hostmaster@arin.net. Include all relevant information in your e-mail and ARIN will investigate the matter.

To keep things interesting, ip-lookup.net shows it in China, Geobytes.com shows it in China also, and networksolutions.com shows this: "WHOIS Record For 210.83.183.14, Record Type: IP Address", followed by the same APNIC record as above.
Good hunting.
shred (posted July 14, 2007):
> Here is a better idea of the area where he is located: http://www.ip-adress.com/details.php?c=VjJ...GZXVzl5YXc9PQ==
> The ISP knows what customers have what IP addresses; maybe a fellow member knows someone that works at the ISP.

[Edit] You have to click the button or you'll get a map of dead center on the equator at about zero degrees longitude. Anyway, if the hacker was smart, they bounced off a hacked PC at that IP anyway and are from somewhere else, but it's worth checking into.
valkabit (posted July 14, 2007):
That's not cool, but I do like your response. +1000
XRe (posted July 14, 2007):
> ME TOO! And times like this is when you need that 22-250!!!!

That puny little .22 caliber bullet cannot even begin to unleash enough whoopass for this situation. I was thinking more along the lines of many .50 BMG rounds in quick succession might make a better "statement".....
benos (posted July 14, 2007):
How easy is it to mask an IP? shred - you said "bounced off"?
be
shred (posted July 14, 2007):
Basically you hack into the computer, then install a program that forwards IP packets for you, so you send your packets to the hacked PC, and it sends them out from its IP so it looks like the hijacked PC is the culprit, while you're really a continent away sending it commands (much like the old cop-movie staple of finding two payphones taped together when they trace the ransom call). The really good hackers go through a number of such proxies before hitting a target system; it makes them very hard to track down. It doesn't seem like this guy was that good, or you might never have noticed the hack...
George (posted July 14, 2007):
Chuck, I do not get 210.83.183.14 from any search on 216.12.81.142, which is the IP Brian actually listed as the offender. It comes up in VA, USA as ww.ntelos.net as mentioned earlier. +1 to Shred on "he must not be very good". If you found him fast, he's just a butt-munch and probably not capable of masking his IP. If he could do things like that cleanly, you would probably only have found him after the money was gone ;-/
ChuckS (posted July 14, 2007):
> Chuck, I do not get 210.83.183.14 from any search on 216.12.81.142, which is the IP Brian actually listed as the offender. It comes up in VA, USA as ww.ntelos.net as mentioned earlier.

I got that address from post #5 of this thread. But as Shred points out, this is all meaningless. With the ability to change "hardware" MAC addresses, real traceability in an IP network is pretty much dead. Unless, of course, you are Chloe at CTU...
Adam B (posted July 14, 2007):
I assumed that he spoofed the IP, but it was at least worth looking into since it took a whopping 10 seconds. Truth of the matter is, if you use a good password scheme and don't run a Windows OS as your server, you should be fine. I have run my FreeBSD web servers for 6 years without a single issue; I also don't run standard ports for ssh and other programs.
ChuckS (posted July 14, 2007):
Yeah, Unix and its children tend to be a bit tighter, but hardly foolproof. Probably the biggest problem with the net is not the connectivity but the exploit information that can be found. It no longer takes a top-shelf hack to break into stuff.
Case in point: In late 2003 I decided to set up a wireless network for home instead of crawling around in the crawl space and attic to pull Cat-V. I got the Linksys du jour stuff and set it up using all the security tips of the time: no SSID broadcast, just plain bizarre keys, and WEP encryption. I then did a Google for WEP cracking, found a snort-like program and a WEP crack program, loaded it and ran it with about 5 minutes reading. I kicked off a file transfer in my wireless net to get the packet rate up and I cracked the network in about 15 minutes. The total time to find tools, set up, and break into a busy network was little more than an hour. At the time I knew pretty much zip about 802.11.
So, just about any normal soul who can read, install somewhat arcane software, and run the stuff can be a fairly capable hacker.
HoMiE (posted July 14, 2007):
Contact the FBI. Seriously. I used to work in the internet industry. Most local law enforcement doesn't have personnel to deal with such issues, but the FBI does, or at least they will do more for you than the ISP that it's coming from.
robomanusa (posted July 14, 2007):
> How easy is it to mask an IP? shred - you said "bounced off"?

There are still quite a few open proxies left which can be used to help mask the originating IP. It's easy enough to do but still leaves traceable tracks; you're not as hidden as you think you are....... If it was me, I might tend more towards ssh'ing through several servers then using the end machine to do the dirty work, not an open proxy.
Also, as far as root password attempts, when you run a server you see that shit every day. Not just root attempts, but you will see attempts at common unix/linux usernames (root, apache, www, mysql and so on...). Just don't ever make your passwords easy to figure out, and change them on a regular basis; mine gets changed every 2 weeks.

> Contact the FBI. Seriously. I used to work in the internet industry. Most local law enforcement doesn't have personnel to deal with such issues, but the FBI does, or at least they will do more for you than the ISP that it's coming from.

You're right, most departments don't have the resources; best bet is the FBI. But for the FBI to get involved you have to PROVE monetary damages before they will even begin to get involved.
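The guessing against root, apache, www and mysql described in the post above is what fail2ban-style tooling keys on, and the net-range block suggested earlier in the thread is the other half of the response. The following is an added example written for this page, not code posted by anyone in the thread: it parses constructed OpenSSH log lines of the kind that land in auth.log, flags any source that racks up several failures inside a short window, converts the 216.12.80.0 - 216.12.81.255 range quoted upthread into CIDR, and renders the result as httpd "Deny from" directives. The sample lines, the 198.51.100.20 and 203.0.113.7 addresses, the thresholds and the year are all assumptions.

```python
"""Spot SSH password-guessing sources in an auth log and build a deny list.

Added example for this thread. The log text is constructed to mimic
OpenSSH syslog output; addresses, thresholds and the year are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd messages as they appear in auth.log / secure.
# Classic syslog timestamps carry no year, so parse_failures() takes one.
SAMPLE_LOG = """\
Jul 14 03:12:01 store sshd[4411]: Failed password for root from 210.83.183.14 port 51122 ssh2
Jul 14 03:12:03 store sshd[4413]: Failed password for root from 210.83.183.14 port 51130 ssh2
Jul 14 03:12:05 store sshd[4415]: Invalid user apache from 210.83.183.14
Jul 14 03:12:05 store sshd[4415]: Failed password for invalid user apache from 210.83.183.14 port 51140 ssh2
Jul 14 03:12:08 store sshd[4417]: Failed password for invalid user mysql from 210.83.183.14 port 51151 ssh2
Jul 14 03:12:11 store sshd[4419]: Failed password for invalid user www from 210.83.183.14 port 51160 ssh2
Jul 14 03:12:14 store sshd[4421]: Failed password for root from 210.83.183.14 port 51171 ssh2
Jul 14 09:40:22 store sshd[5102]: Failed password for benos from 198.51.100.20 port 2201 ssh2
Jul 14 09:40:40 store sshd[5104]: Accepted password for benos from 198.51.100.20 port 2201 ssh2
Jul 14 10:01:02 store sshd[5201]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jul 14 11:15:30 store sshd[5300]: Failed password for root from 203.0.113.7 port 40002 ssh2
"""

# Matches the "Failed password" line only; the separate "Invalid user" line
# for the same attempt is deliberately ignored so each attempt counts once.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=2007):
    """Return [(timestamp, username, source_ip)] for every failed login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_brute_forcers(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for every source that produced
    at least `threshold` failures inside some sliding window of `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in attempts})
                break
    return flagged


def range_to_cidrs(first, last):
    """Turn a whois-style 'first - last' range into CIDR blocks."""
    return [n.with_prefixlen for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def build_blocklist(flagged_ips, ranges=()):
    """Single attacker hosts plus whole provider ranges as ip_network objects."""
    nets = [ipaddress.ip_network(ip) for ip in flagged_ips]
    nets += [ipaddress.ip_network(r, strict=False) for r in ranges]
    return nets


def is_blocked(ip, blocklist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist)


def apache_deny_lines(blocklist):
    """Render the list as httpd 'Deny from' directives (mod_access / mod_authz_host)."""
    return [f"Deny from {net.with_prefixlen}" for net in blocklist]


if __name__ == "__main__":
    flagged = find_brute_forcers(parse_failures(SAMPLE_LOG))
    for ip, users in flagged.items():
        print(f"{ip}: tried {', '.join(users)}")
    provider_range = range_to_cidrs("216.12.80.0", "216.12.81.255")
    for line in apache_deny_lines(build_blocklist(flagged, provider_range)):
        print(line)
```

The sliding window is what keeps the two slow root failures from 203.0.113.7 off the list while the six-in-thirteen-seconds burst is caught; pair the generated directives with a firewall rule, since the web server's deny list does nothing for sshd.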
Rob Boudrie (posted July 14, 2007):
I spoke to Brian about this, and the type of fraud he is being victimized by is difficult to prevent. People are submitting large bogus charges to his "donate" box. Brian generally catches these before the daily processing and cancels them (otherwise he'll be stuck with transaction and refund fees, and risk losing his merchant account if there are too many chargebacks).
Why? My guess is that someone is attempting to use his site to see if a charge card is valid for large purchases before they hit the street. Gas stations have the same problem, as criminals have been known to use self-serve gas pumps to try to validate stolen cards.
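Card testing of the kind described above has a recognisable shape: one source pushing many attempts in a few minutes, each on a different card, for an amount no real donor would choose. Screening for that shape before the charge is ever submitted to the gateway avoids the transaction and refund fees the thread complains about. The following is an added example written for this page, not code from the thread or from any payment gateway: a small rules engine run over a constructed set of donation attempts. The addresses, the card tokens (BIN plus last four, never a full PAN), the $500 ceiling and the velocity thresholds are assumptions.

```python
"""Pre-gateway screening for card-testing attempts on a donation form.

Added example for this thread. The attempts below are constructed; the
ceiling, thresholds, addresses and card tokens are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    card: str        # BIN + last four only; the full PAN never touches this code
    amount: Decimal


@dataclass(frozen=True)
class Policy:
    max_amount: Decimal = Decimal("500.00")   # largest single donation accepted unreviewed
    max_attempts_per_ip: int = 3              # attempts inside `window` before declining
    max_cards_per_ip: int = 3                 # distinct cards inside `window` before declining
    window: timedelta = timedelta(minutes=10)


def _constructed_sample():
    """Ten $2000 attempts from one address at 45 s intervals, each on a
    different card, with three ordinary donations around them."""
    base = datetime(2007, 7, 13, 14, 0, 0)
    attempts = [
        Attempt(base - timedelta(minutes=10), "198.51.100.5", "4111xxxx0001", Decimal("25.00")),
        Attempt(base + timedelta(minutes=2), "203.0.113.9", "5500xxxx0042", Decimal("50.00")),
        Attempt(base + timedelta(minutes=30), "198.51.100.77", "4111xxxx0099", Decimal("100.00")),
    ]
    for i in range(10):
        attempts.append(Attempt(base + timedelta(seconds=45 * i), "216.12.81.142",
                                "4532xxxx%04d" % (1000 + i), Decimal("2000.00")))
    return attempts


SAMPLE = _constructed_sample()


def screen(attempts, policy=Policy()):
    """Run attempts through the rules in time order.

    Returns [(attempt, decision, reasons)] where decision is one of
    "approve", "review" (amount rule only) or "decline" (velocity or
    card cycling). Per-IP history is kept only for the policy window.
    """
    recent = defaultdict(list)
    results = []
    for a in sorted(attempts, key=lambda x: x.ts):
        window_start = a.ts - policy.window
        recent[a.ip] = [r for r in recent[a.ip] if r.ts >= window_start]
        recent[a.ip].append(a)

        reasons = []
        if a.amount > policy.max_amount:
            reasons.append("amount %s over donate ceiling %s" % (a.amount, policy.max_amount))
        if len(recent[a.ip]) >= policy.max_attempts_per_ip:
            reasons.append("velocity: %d attempts from %s" % (len(recent[a.ip]), a.ip))
        cards = {r.card for r in recent[a.ip]}
        if len(cards) >= policy.max_cards_per_ip:
            reasons.append("card cycling: %d distinct cards from %s" % (len(cards), a.ip))

        if any(r.startswith(("velocity", "card cycling")) for r in reasons):
            decision = "decline"
        elif reasons:
            decision = "review"
        else:
            decision = "approve"
        results.append((a, decision, reasons))
    return results


def count_decisions(results):
    return dict(Counter(decision for _, decision, _ in results))


if __name__ == "__main__":
    for a, decision, reasons in screen(SAMPLE):
        print(a.ts.time(), a.ip, a.amount, decision, "; ".join(reasons))
    print(count_decisions(screen(SAMPLE)))
```

Only the first two $2000 attempts reach "review"; from the third onwards the velocity and card-cycling rules decline locally, so nothing is sent to the processor and no fee is incurred. A real deployment would key the velocity rules on more than the source address (session, e-mail, billing postcode), since the tester can rotate proxies more easily than cards.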
Adam B (posted July 14, 2007):
> Yeah, Unix and its children tend to be a bit tighter, but hardly foolproof. [...] So, just about any normal soul who can read, install somewhat arcane software, and run the stuff can be a fairly capable hacker.

Cracking WEP is so easy nowadays and the tools are readily available; basically "a caveman could do it". WPA security or better, or just don't run wireless. I also find it useful to run my wireless in a different subnet..
robomanusa (posted July 14, 2007):
It shouldn't be too hard to write a login script for the donation section to use the member table of the forum.
AustinMike (posted July 14, 2007):
> ME TOO! And times like this is when you need that 22-250!!!!

> That puny little .22 caliber bullet cannot even begin to unleash enough whoopass for this situation. I was thinking more along the lines of many .50 BMG rounds in quick succession might make a better "statement".....

I am SOOOO sick of f'n hackers, virus writers, spammers and the lot. I don't think they deserve to be taken out quickly. I'm thinking more like covering them in honey and tying them to a stake on top of the biggest fire ant mound I can find. Slow and painful....
tightloop (posted July 14, 2007):
If they would work as hard at a legit job, they could probably make some $$...
Peter K (posted July 14, 2007):
210.83.183.14

inetnum:      210.83.183.0 - 210.83.183.63
netname:      chengqi-group
country:      cn
descr:        dongguan city,guangdong province
admin-c:      TC254-AP
tech-c:       TC254-AP
status:       ASSIGNED NON-PORTABLE
changed:      t-wangxy2@china-netcom.com 20021105
mnt-by:       MAINT-CN-ZM28
source:       APNIC

route:        210.82.0.0/15
descr:        CNC Group CncNet
country:      CN
origin:       AS9929
mnt-by:       MAINT-CNCGROUP-RR
changed:      abuse@cnc-noc.net 20060330
source:       APNIC

person:       TECH GROUP CNC
address:      9/F, Building A, Corporate Square, No. 35 Financial Street,
address:      Xicheng District, Beijing 100032, P.R.China
country:      CN
phone:        +86-10-88093588
fax-no:       +86-10-88091442
e-mail:       tech-group@china-netcom.com
nic-hdl:      TC254-AP
mnt-by:       MAINT-CN-ZM28
changed:      zhaomq@china-netcom.com 20010917
source:       APNIC