[wellylug] got ya

jumbophut jumbophut at gmail.com
Tue Oct 12 11:23:19 NZDT 2004


On Tue, 12 Oct 2004 11:08:48 +1300, E.Chalaron wrote:
> Hi all again
> 
> From Samba to something a little bit more worrying. I eventually got someone
> trying to get into servers. He tried here and the one at home. Same IP and
> results consistent with dig or host. And pointing to one of the servers of a
> provider...
> 
> Now I'd like to know a little bit more about this gentleman.... What is the
> next step?
> 

If you know what the IP is, you can see who it is allocated to at a high
level (e.g. ISP).  Start here and follow through to the regional
allocators: <http://www.iana.org/assignments/ipv4-address-space>

If you can find a domain name, you can see who registered it.  Where
to look depends on the domain.  If it is NZ, try <domainz.net.nz>. 
<networksolutions.com> might also be helpful (use the WHOIS search).

BUT:

1) Whoever is trying to get into your servers might be using a
compromised server owned by someone else, so the details you get will
not be the perpetrator's.

2) The domain registration details could be fake (fraudulent).

3) The alleged cracker might be using a dial-up connection, or other
connection with a dynamic IP address.  Chances are that in this case,
you will only be able to find out more from the relevant ISP.

4) Even if you get the right person, there may be very little you can
do.  I suppose you could notify their ISP, depending on the exact
nature of the activity.

It might be easier to just temporarily block the IP at your firewall.

-- 
Tony (echo 'spend!,pocket awide' | sed 'y/acdeikospntw!, /l at omcgtjuba.phi/')
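
Added example, not part of the original post: one way to script the "start at IANA and follow through to the regional allocators" lookup described above, by following the `refer:` line in IANA's WHOIS reply. The server whois.rir.example, the canned replies and the source address 192.0.2.10 (a documentation address) are constructed so the block runs offline.

```python
import ipaddress
import re
import socket

IANA_WHOIS = "whois.iana.org"  # top of the chain; its reply names the regional registry
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def whois_query(server, query, timeout=10):
    """One WHOIS (RFC 3912) request: send the query on TCP/43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_fields(text):
    """Collect 'key: value' lines (keys lower-cased); '%' and '#' comments are skipped."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z][\w-]*):\s*(\S.*)$", line)
        if m:
            rec.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return rec

def trace_allocation(ip, query=whois_query, max_hops=3):
    """Follow 'refer:' lines from IANA down to the registry holding the allocation."""
    addr = ipaddress.ip_address(ip)  # ValueError if the log field is not an IP
    if any(addr in n for n in RFC1918) or addr.is_loopback or addr.is_link_local:
        return {"ip": ip, "chain": [], "record": {}}  # private source: no public allocation
    server, chain, rec = IANA_WHOIS, [], {}
    for _ in range(max_hops):
        rec = parse_fields(query(server, ip))
        chain.append(server)
        nxt = rec.get("refer", [""])[0]
        if not nxt or nxt in chain:  # no further referral, or a referral loop
            break
        server = nxt
    return {"ip": ip, "chain": chain, "record": rec}

# Constructed replies so the example runs offline; whois.rir.example is a placeholder.
CANNED = {
    IANA_WHOIS: "% IANA WHOIS server\nrefer:        whois.rir.example\n",
    "whois.rir.example": "% constructed record\nnetname:      EXAMPLE-ISP-POOL\n"
                         "country:      NZ\nabuse-mailbox: abuse@isp.example\n",
}

if __name__ == "__main__":
    result = trace_allocation("192.0.2.10", query=lambda server, q: CANNED[server])
    print(result["chain"], result["record"].get("abuse-mailbox"))
```

Calling trace_allocation(ip) without the query argument performs the real lookups over the network. The record it returns names whoever holds the allocation, which, per the caveats in the post, is not necessarily the person behind the attempts.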