Can someone trace an IP address for me please?


UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
Every once in a while (much more recently now) my ZoneAlarm firewall comes up with a red box saying:
"ZoneAlarm Pro with Web Filtering has blocked what appears to be VPN traffic.

Address: 80.146.125.214"

um.. the other computers on the home network are all turned off and we are behind an Adsl Modem router with firewall.

We aren't trying to set up a VPN, so I don't know why this is coming up.

Can someone have an investigation for me, as I'm not going to be with a computer for the next 10 days.

This means at least, if it is a hacker who now has our gateway IP address, no computers will be online for over a week so they will give up.

Thanks guys and I will see you the other side of Christmas.

hug

mtbeer (GOLD Member)
ARRRR!
529 posts
Location: Charlotte, NC, USA


Posted:
It's someone using a T-Online dial-up connection in Germany (one of the largest ISPs there). T-Online has been a hotbed of hacker activity in the past.



Edit:

Here is an easy link to file a complaint directly to the ISP:

https://abuse.t-ipnet.de/cgi-bin/abuse.pl

Give them the IP and time and details.
EDITED_BY: mtbeer (1103288369)

"My skin is singed but it heals my heart and with glowing pride I'll wear my scars." -Davey Havok


ado-p (GOLD Member)
Pirate Ninja
3,882 posts
Location: Galway/Ireland


Posted:
oooohhhh

how did you do that?

Love is the law.


mcp (PLATINUM Member)
Flying Water Muppet
5,276 posts
Location: Edin-borrow., United Kingdom


Posted:
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host p50927DD6.dip.t-dialin.net (80.146.125.214) appears to be up ... good.
Initiating Connect() Scan against p50927DD6.dip.t-dialin.net (80.146.125.214)
(failed)

WHOIS information for t-dialin.net:

[whois.registrar.telekom.de]
[whois.registrar.telekom.de]
% Copyright (c)2003 by Deutsche Telekom AG

domain: t-dialin.net
registrant-hdl: RDT-DTO4
admin-c: RDT-DK25
tech-c: RDT-HM1
zone-c: RDT-HM1
nserver: dns00.sda.t-online.de
nserver: dns00.sul.t-online.de
nserver: dns01.sda.t-online.de
nserver: dns01.sul.t-online.de
status: connected
changed: 2004-05-14
source: DEUTSCHE TELEKOM AG

Damn, mtbeer got there first.

nslookup will give you the name of the IP address. But I like nmap. For some reason it is installed on our uni computers. I don't have root privileges so I can't do a proper scan. Plus the telecom company would probably block it anyway.

"the now legendary" - Kaskade
"the still legendary" - Kaskade

I spunked in my friend's aquarium and the fish ate it. I love all fish. Especially the pink ones. They are my bitches. - Anon.


mech (BRONZE Member)
Carpal 'Tunnel
6,207 posts
Location: "In your ear", United Kingdom


Posted:
Jon, you could use a prog like Black Ice to block the entry, and then return the attack.

Or it could be a piece of software on your HDD trying to update itself, and the product's server trying to get update info?

Step (el-nombrie)


mech (BRONZE Member)
Carpal 'Tunnel
6,207 posts
Location: "In your ear", United Kingdom


Posted:
search results

Mate, I pulled t-dialin too.

Not sure what they are doing, I just don't know.

Step (el-nombrie)


UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
Cool cheers lads and lasses.

I've reported the IP address and changed both the admin and guest passwords on the router. So at least they won't be able to change the modem settings.

*runs off to find his old toolkit devil*

mech (BRONZE Member)
Carpal 'Tunnel
6,207 posts
Location: "In your ear", United Kingdom


Posted:
Are you running a cabled system or are you on a wireless network, or both?

If you are on wireless, enable MAC address inclusion and acceptance lists. This will stop any MAC addresses in the list accessing the network, and it's a lot harder for a MAC addy to be spoofed than a WEP key.

Is your firewall on your router (if it's cabled) active and stopping threats? If not, get your firewall on your router going and that will help. Also cycle the password every so often. Also, if you can, get a prog (I can't remember the name of the one I used to use), but this prog will at a set interval disconnect the ADSL and then reconnect you, so that you can't be caught on a static IP scan....

Slows hackers too.

Step (el-nombrie)


UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
It's all wired.

And I can't seem to find the firewall settings on the modem setup page...

And the box doesn't say it has one either...

So I reckon I'm thinking of my old one....

umm

mech (BRONZE Member)
Carpal 'Tunnel
6,207 posts
Location: "In your ear", United Kingdom


Posted:
Can you access the router itself? Type the IP of the router into an IE window, and you should be able to access the internal settings system of the router.

Step (el-nombrie)


flid (BRONZE Member)
Carpal 'Tunnel
3,136 posts
Location: Warwickshire, United Kingdom


Posted:
does it really matter?

It's just a connection, it's not illegal and I doubt an ISP will care that much unless the guy is a script kiddie doing blatant port scans regularly. Boxes in data centres get several port scans per hour from people looking for insecure servers to use for whatever; that's life. Boxes on slower connections generally aren't interesting, but with the advent of cable and ADSL (and lots of stupid people using it), home users do get scanned these days.

Don't rule out either that it could just be a virus/trojan on the guy's machine which is trying to spread using known exploits and IP ranges of broadband users. In this case though the guy is running Linux, probably Red Hat on his daddy's PC.

UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
"In this case thou the guy is running Linux, probably redhat on his daddy's PC."

Howdja know that?

umm

flid (BRONZE Member)
Carpal 'Tunnel
3,136 posts
Location: Warwickshire, United Kingdom


Posted:
TCP/IP fingerprinting. You can find, to a reasonable degree of accuracy, the operating system and uptime (in this case about 10 days) by the way in which machines handle TCP connections.
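
The remark above is about passive fingerprinting: two fields in the packets a remote host sends you already say a lot about it. The following script is an added illustration of that idea, not code from anyone in this thread. It guesses the OS family and hop distance from the observed IP TTL (well-known initial values 64, 128 and 255) and estimates uptime from the TCP timestamp option (TSval), on the assumption that the sender's stack ticks that counter at 100 Hz from boot, which Linux 2.4 on x86 did; the sample TTL and TSval values are constructed, and the whole table is a coarse heuristic that a hardened or unusual stack can defeat.

```python
"""Passive TCP/IP fingerprinting hints (added example, not from the thread).

  * IP TTL: stacks start from a few well-known initial TTLs, so the value
    seen on arrival hints at the OS family and the number of router hops.
  * TCP timestamp (TSval): many stacks seed it from a counter that starts
    at boot and ticks at a fixed rate, so TSval / tick_rate ~ uptime.
Assumption: a 100 Hz tick (Linux 2.4 on x86); other stacks differ, so the
uptime figure is only an estimate.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known initial TTLs and the OS families commonly using them.
# Coarse heuristic table, not an authoritative signature database.
INITIAL_TTLS = {
    64: "Linux/BSD/Unix-like",
    128: "Windows",
    255: "Solaris/network equipment",
}

@dataclass
class Guess:
    initial_ttl: int
    hops: int
    os_family: str
    uptime_seconds: Optional[float]

def guess_initial_ttl(observed_ttl):
    """Smallest well-known initial TTL that is >= the observed value."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return initial
    raise ValueError("TTL above 255 is not valid IPv4")

def fingerprint(observed_ttl, tsval=None, tick_hz=100):
    """Turn an observed TTL (and optional TCP TSval) into a Guess."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IPv4 TTL must be in 1..255")
    initial = guess_initial_ttl(observed_ttl)
    uptime = None if tsval is None else tsval / tick_hz
    return Guess(initial, initial - observed_ttl, INITIAL_TTLS[initial], uptime)

def format_uptime(seconds):
    """Render an uptime in seconds as days and hours."""
    days, rem = divmod(int(seconds), 86400)
    return f"{days}d {rem // 3600}h"

if __name__ == "__main__":
    # Constructed values: a SYN arriving with TTL 52 and TSval 86,400,000.
    g = fingerprint(52, tsval=86_400_000)
    print(g.os_family, g.hops, "hops, up about", format_uptime(g.uptime_seconds))
```

With the constructed input the script reports a Unix-like sender twelve hops away that has been up about ten days, which is the kind of conclusion the post above describes; a sender that rewrites TTLs or randomises its timestamp counter would mislead it, so treat the output as a hint for triage, not as evidence.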

UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
Clever boy... umm...Flid.

And Mech..... the IE one is the setup page I'm talking about.

MtBeer: why are t-online such a hotbed? do they offer shell accounts? or are Germans just *************************** (note *'s may not be needed depending on which word you use)

mtbeer (GOLD Member)
ARRRR!
529 posts
Location: Charlotte, NC, USA


Posted:
A lot of hacker activity originates from T-Online, mostly due to the sheer number of subscribers. There is also a considerable hacker subculture in Germany which probably grew on the fame of Aron Spohr, who hacked into T-Online back in '98 and stole the majority of the user accounts.

"My skin is singed but it heals my heart and with glowing pride I'll wear my scars." -Davey Havok


mo-seph (enthusiast)
523 posts
Location: Edinburgh, UK


Posted:
The guy also shops at Walmart, drives a Volvo and takes a size 7 shoe (but of course that might be his dad...)

Flid speaks truth - anytime you're on the net, lots of people will fling lots of weird [censored] at you and most of it is undirected and ineffectual. If you watch server logs for a while it's really easy to end up thinking "who the hell is that? How dare they try and attack my machine". After a while, the feeling goes away.

monkeys ate my brain


UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
The problem is that now it is still coming up....

And when it happens, ZoneAlarm brings up a dialogue box with a massive red top bit and gives me the option of either configuring it to work with this VPN connection, or to not configure it with the VPN connection.

The weirdest thing is that if it is dial-up, why is the IP address not changing every time it comes up?

It is the same one every time....

confused

I got a response from the complaint:

Dear Sir or Madam.

We received and analyzed your e-mail.
The sender is a customer of T-Online.
Therefore your request was forwarded to the following address:

T-Online International AG
Waldstrasse 3
64331 Weiterstadt
mailto:abuse@t-online.de
abuse-Team

Additional questions or comments should be directed to T-Online.

II. Expedited handling (t-dialin.net only)

1. If the culprit's IP address is allocated to the domain "t-dialin.net", you can expedite processing by contacting the provider directly.
Please send an email with all the necessary data to abuse@t-online.de.

2. The Domain can be determined by issuing the command "nslookup 'ip address'", i.e. nslookup 62.158.127.111.
If you are using Win9x, open a command prompt and issue the command "ping -a 'ip-address'", i.e. ping -a 62.158.127.111.

Kind regards
Security Team

Deutsche Telekom AG
T-Com, Technische Infrastruktur Niederlassung Überregional Network Configuration Center (NCC) Projects, Processes and Security
Tel.: 0180 / 533 - 4332
Fax: 0180 / 533 - 4252
mailto:abuse@t-ipnet.de

EDITED_BY: Untimely Calculations Often Fail (1104184839)
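
The abuse team's reply boils down to a small procedure: pull the address out of each alert, reverse-resolve it to a name (what nslookup or ping -a does), and route the report by the domain that name falls under, with t-dialin.net going straight to abuse@t-online.de. The script below is an added example of that triage, not code from anyone in the thread or from ZoneAlarm. It also counts how often each address recurs, which is the first thing to know before reporting anything. The resolver is injectable, and the alert lines and PTR table in the block are constructed so it runs offline; the only real contact in the table is the one the reply gives, everything else is a placeholder meaning "look the netblock contact up in whois".

```python
"""Triage firewall alerts of the ZoneAlarm kind (added example).

For each 'Address: x.x.x.x' line it counts repeats, looks up the PTR name,
and picks an abuse contact by domain suffix. Only the t-dialin.net entry
comes from the abuse team's reply; anything else is a placeholder.
"""
import re
import socket
from collections import Counter

IPV4_RE = re.compile(r"Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# Domain suffix -> abuse mailbox (only the first entry is from the thread).
ABUSE_CONTACTS = {
    "t-dialin.net": "abuse@t-online.de",
}

def extract_addresses(lines):
    """Return every IPv4 address reported in 'Address: x.x.x.x' lines."""
    found = []
    for line in lines:
        m = IPV4_RE.search(line)
        if m:
            found.append(m.group(1))
    return found

def reverse_name(ip, resolver=socket.gethostbyaddr):
    """Lower-cased PTR name for ip, or None if there is no reverse record."""
    try:
        return resolver(ip)[0].lower()
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None

def abuse_contact(ptr_name):
    """Pick the abuse mailbox by the longest matching domain suffix."""
    if ptr_name is None:
        return "UNKNOWN (no PTR record; check whois for the netblock contact)"
    for suffix in sorted(ABUSE_CONTACTS, key=len, reverse=True):
        if ptr_name == suffix or ptr_name.endswith("." + suffix):
            return ABUSE_CONTACTS[suffix]
    return "UNKNOWN (check whois for the netblock contact)"

def triage(lines, resolver=socket.gethostbyaddr):
    """Map each reported address to (alert count, PTR name, abuse contact)."""
    report = {}
    for ip, n in Counter(extract_addresses(lines)).items():
        name = reverse_name(ip, resolver)
        report[ip] = (n, name, abuse_contact(name))
    return report

# Constructed sample alerts; the first address is the one from the thread.
SAMPLE_ALERTS = [
    "ZoneAlarm Pro with Web Filtering has blocked what appears to be VPN traffic.",
    "Address: 80.146.125.214",
    "ZoneAlarm Pro with Web Filtering has blocked what appears to be VPN traffic.",
    "Address: 80.146.125.214",
    "Address: 203.0.113.9",
]

# Constructed PTR table so the example needs no network access.
FAKE_PTR = {"80.146.125.214": "p50927DD6.dip.t-dialin.net"}

def fake_resolver(ip):
    """Stand-in for socket.gethostbyaddr with the same (name, aliases, addrs) shape."""
    if ip in FAKE_PTR:
        return (FAKE_PTR[ip], [], [ip])
    raise socket.herror(1, "Unknown host")

if __name__ == "__main__":
    # Pass resolver=socket.gethostbyaddr (the default) to run against real DNS.
    for ip, (n, name, contact) in triage(SAMPLE_ALERTS, fake_resolver).items():
        print(f"{ip}: {n} alert(s), ptr={name}, report to {contact}")
```

A PTR name is set by whoever controls the reverse zone, so it identifies the network the address sits in, not the person behind it; the count of repeats and the timestamps you attach to the report are what let the abuse desk match the event against their own logs.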

flid (BRONZE Member)
Carpal 'Tunnel
3,136 posts
Location: Warwickshire, United Kingdom


Posted:
Because not all ISPs give out a different IP each time, especially older ones (like Demon in the UK) or to customers who request it (i.e. script kiddies who don't understand how to configure dhcpd on their redhat machine).



I still don't know why you care? If you're using a firewall and the attack/scan is coming from a static IP, then just firewall it.

Dunc (GOLD Member)
playing the days away
7,263 posts
Location: The Middle lands, United Kingdom


Posted:
geeks rolleyes I just read the whole page and you know what, it sounds like this.....

blah blah blah IP blah blah blah firewall blah blah blah server blah blah blah figure out Mech's spelling errors blah blah blah Deutsche blah blah flid blah

What is it they say,.....give a hundred monkeys a typewriter and enough time....

kiss

Let's relight this forum ubblove


UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
*pokes his head out to say*

It's now coming from another IP address.

frown

I think they got booted from their ISP and now are trying again with another account.

Will give the new IP when I get home.

nearly_all_gone (SILVER Member)
Pooh-Bah
1,626 posts
Location: Southampton, United Kingdom


Posted:
Call them a big smelly poo. Then they might go away.

What a wonderful miracle if only we could look through each other's eyes for an instant.
Thoreau


UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
do you reckon then that it is a hack attack?

Am I then allowed to portscan the IP address to see any open ports.... or is that naughty?

ubbangel / devil

flid (BRONZE Member)
Carpal 'Tunnel
3,136 posts
Location: Warwickshire, United Kingdom


Posted:
This is so last year, Jon tongue

If you care that much, set up a packet logger on that port and send the log to me. I'll be able to tell you if it is an actual connection or just a scan. But I still don't know why you care; people scan networks all the time, you're not special (well, you are, but that's different!), and if you just block the port I doubt the perpetrator will bother you. People who scan home users are generally looking for really obvious holes, not challenges.

UCOF (SILVER Member)
15,417 posts
Location: South Wales


Posted:
The New one is:

81.50.156.181

shen shui (SILVER Member)
no excuses. no apologies.
1,799 posts
Location: aotearoa, New Zealand


Posted:
i get scared just reading your guys' posts about all this computer stuff...
and i even studied it for four years and got my bachelor's degree in it...
guess i'll just stick to meditating and sticking needles into people.
you watch my back and i'll watch yours?

please don't kill my computer...

sorry if this is "off the topic"...
perhaps i should say:
it's impressive to me how much you guys know about all this stuff. computers kinda scare me.

those that know, don't say. those that say, don't know.


Dunc (GOLD Member)
playing the days away
7,263 posts
Location: The Middle lands, United Kingdom


Posted:
you can come with me meditator, we'll go to the geek free zone wink ubblol

Let's relight this forum ubblove


