Re: IP Hijacking For Dummies

2017-06-11 Thread Stephane Bortzmeyer
On Mon, Jun 05, 2017 at 04:46:04PM -0700,
 Ronald F. Guilmette  wrote 
 a message of 85 lines which said:

> Late last night, I put together the following simple annotated listing of
> the routes being announced by AS34991.

Note that they apparently stopped on 7 June.


Re: IP Hijacking For Dummies

2017-06-09 Thread Stephane Bortzmeyer
On Mon, Jun 05, 2017 at 04:46:04PM -0700,
 Ronald F. Guilmette  wrote 
 a message of 85 lines which said:

> I just think that by now, in 2017, we should have a somewhat more
> skilled class of frauds, rogues, criminals and spies on the
> Internet.

"This city deserves a better class of criminal and I'm gonna give it to them."

-- The Joker (in one of the Batman movies)




Re: IP Hijacking For Dummies

2017-06-06 Thread Rich Kulawiec
On Mon, Jun 05, 2017 at 04:46:04PM -0700, Ronald F. Guilmette wrote:
> It did also strike me as passing strange that this company has apparently
> elected to not actually put its own web server, name servers, or mail
> server anywhere within its own duly allocated IPv4 blocks.

Out of curiosity, I ran a DNS scan against all of the /24's that you
enumerated (thank you, by the way).  I am also perplexed that a hosting
company which has "sold out" of virtual servers seems to have precious
few servers -- of any type -- represented in its DNS records.  To save
everyone else the trouble, I'm appending below all the results (1023)
that did not result in NXDOMAIN or SERVFAIL (5121).  Note in re the
last dozen on the list: I believe "correo" translates to "post", in
the sense of "mail", so those may well be (customer?) mail servers.

---rsk


Re: IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette

In message 

Re: IP Hijacking For Dummies

2017-06-05 Thread Aftab Siddiqui
Same mobile number (+92-304-4000736) and address are
listed here for Blue Angel Hosting with only 1 peer AS206776.

aut-num:        AS206349
as-name:        blueangelhost
org:            ORG-BPL5-RIPE
sponsoring-org: ORG-HGC2-RIPE
import:         from AS206776 accept ANY
export:         to AS206776 announce AS206349
import:         from AS57344 accept ANY
export:         to AS57344 announce AS206349
admin-c:        SS30461-RIPE
tech-c:         SS30461-RIPE
remarks:        For information on "status:" attribute read https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
status:         ASSIGNED
mnt-by:         RIPE-NCC-END-MNT
mnt-by:         blueangelhost
mnt-routes:     blueangelhost
created:        2017-02-08T10:44:15Z
last-modified:  2017-02-08T10:44:15Z
source:         RIPE

organisation:   ORG-BPL5-RIPE
org-name:       BlueAngelHost Pvt. Ltd
org-type:       OTHER
address:        HOUSE NO 173 STREET NO 4 BLOCK E YOHANA ABAD, FEROZ PUR ROAD, LAHORE, PAKISTAN
abuse-c:        ACRO1320-RIPE
mnt-ref:        MNT-NETERRA
mnt-ref:        AZ39139-MNT
mnt-ref:        MNT-LIR-BG
mnt-by:         blueangelhost
created:        2016-10-21T17:23:02Z
last-modified:  2016-11-01T21:03:31Z
source:         RIPE # Filtered

person:         Sunil Shahzad
address:        HOUSE NO 173 STREET NO 4 BLOCK E YOHANA ABAD, FEROZ PUR ROAD, LAHORE, PAKISTAN
phone:          +92-304-4000736
nic-hdl:        SS30461-RIPE
mnt-by:         blueangelhost
created:        2016-10-21T17:19:19Z
last-modified:  2016-10-21T17:19:19Z
source:         RIPE


On Tue, 6 Jun 2017 at 09:48 Ronald F. Guilmette 
wrote:

>
> Late last night, I put together the following simple annotated listing of
> the routes being announced by AS34991.
>
> Beyond the quite apparent fact that this "Bulgarian" network is announcing
> a bunch of routes for blocks of IPv4 space allocated to various parties
> within the nation of Colombia (including the National University thereof)
> the other thing that struck me about this was the apparent relevance of
> a company called "host-offshore.com".
>
> Looking at the web site for that, it provides only a single contact
> phone number which is unambiguously a -Pakistani- phone number.  But
> of course, that makes perfect sense, because Pakistan is just down the
> street from Bulgaria (NOT!)
>
> It did also strike me as passing strange that this company has apparently
> elected to not actually put its own web server, name servers, or mail
> server anywhere within its own duly allocated IPv4 blocks.
>
> Things got even a bit more interesting when I tried to actually order a
> server from this company.  Apparently, all of their virtual servers
> are "sold out".  However... and please, somebody check me on this...
> I guess that all of the browsers on all of the platforms I have ready
> access to are broken or something, because try as I might, I could never
> quite succeed at reaching any page on this company's web site where I
> could order up -any- kind of server, virtual, dedicated, or otherwise.
>
> So, you know, this hosting company appears somewhat unique and unusual,
> at least from where I am sitting, in the sense that it is perhaps the
> only such "hosting" company that I've ever run across in my travels that
> doesn't actually have -anything- for sale.
>
> Personally, I don't really give a rat's ass if this site is just a cover
> for some inept criminals, or for Pakistani ISI, or for the FSB, or for
> some of Putin's patriots, or even if it belongs to the NSA.  But I cannot
> help but bemoan the fact that here we are, and it is 2017 already, and
> yet, whichever bunch of lame-ass jerks are in fact behind this thing,
> apparently aren't even capable of slapping together a cover web site
> that is more than just some entirely shallow and not very effective false
> front.
>
> As a researcher and student of such things, I just think that by now,
> in 2017, we should have a somewhat more skilled class of frauds, rogues,
> criminals and spies on the Internet.  I mean this is just baby stuff,
> and it only takes a couple of minutes and a few clicks to see past such
> transparent gibberish.
>
> So c'mon all ye criminals, rogues and spies!  You need to up your game
> fer cryin' out loud!  At least present us with something a bit more
> challenging than -this- kind of very superfluous crap.  I mean, have you
> no self-respect?
>
> Gssshhh!
>
>
> Regards,
> rfg
>
>
>
> ===
> 79.124.77.0/24  -- Bulgaria -- host-offshore.com
> 82.118.233.0/24 -- Bulgaria -- wirelessnetbg.info
> 91.92.144.0/24  -- Bulgaria -- host-offshore.com
> 130.185.254.0/24 -- Belize? -- host-offshore.com (formerly routed by Verdina)
> 152.204.132.0/24 -- Colombia
> 152.204.133.0/24 -- Colombia
> 152.231.25.0/24 -- Colombia
> 152.231.28.0/24 -- Colombia
> 168.176.187.0/24 -- Colombia, National University of
> 168.176.192.0/24 -- 

IP Hijacking For Dummies

2017-06-05 Thread Ronald F. Guilmette

Late last night, I put together the following simple annotated listing of
the routes being announced by AS34991.

Beyond the quite apparent fact that this "Bulgarian" network is announcing
a bunch of routes for blocks of IPv4 space allocated to various parties
within the nation of Colombia (including the National University thereof)
the other thing that struck me about this was the apparent relevance of
a company called "host-offshore.com".

Looking at the web site for that, it provides only a single contact
phone number which is unambiguously a -Pakistani- phone number.  But
of course, that makes perfect sense, because Pakistan is just down the
street from Bulgaria (NOT!)

It did also strike me as passing strange that this company has apparently
elected to not actually put its own web server, name servers, or mail
server anywhere within its own duly allocated IPv4 blocks.

Things got even a bit more interesting when I tried to actually order a
server from this company.  Apparently, all of their virtual servers
are "sold out".  However... and please, somebody check me on this...
I guess that all of the browsers on all of the platforms I have ready
access to are broken or something, because try as I might, I could never
quite succeed at reaching any page on this company's web site where I
could order up -any- kind of server, virtual, dedicated, or otherwise.

So, you know, this hosting company appears somewhat unique and unusual,
at least from where I am sitting, in the sense that it is perhaps the
only such "hosting" company that I've ever run across in my travels that
doesn't actually have -anything- for sale.

Personally, I don't really give a rat's ass if this site is just a cover
for some inept criminals, or for Pakistani ISI, or for the FSB, or for
some of Putin's patriots, or even if it belongs to the NSA.  But I cannot
help but bemoan the fact that here we are, and it is 2017 already, and
yet, whichever bunch of lame-ass jerks are in fact behind this thing,
apparently aren't even capable of slapping together a cover web site
that is more than just some entirely shallow and not very effective false
front.

As a researcher and student of such things, I just think that by now,
in 2017, we should have a somewhat more skilled class of frauds, rogues,
criminals and spies on the Internet.  I mean this is just baby stuff,
and it only takes a couple of minutes and a few clicks to see past such
transparent gibberish.

So c'mon all ye criminals, rogues and spies!  You need to up your game
fer cryin' out loud!  At least present us with something a bit more
challenging than -this- kind of very superfluous crap.  I mean, have you
no self-respect?

Gssshhh!


Regards,
rfg



===
79.124.77.0/24  -- Bulgaria -- host-offshore.com
82.118.233.0/24 -- Bulgaria -- wirelessnetbg.info
91.92.144.0/24  -- Bulgaria -- host-offshore.com
130.185.254.0/24 -- Belize? -- host-offshore.com (formerly routed by Verdina)
152.204.132.0/24 -- Colombia
152.204.133.0/24 -- Colombia
152.231.25.0/24 -- Colombia
152.231.28.0/24 -- Colombia
168.176.187.0/24 -- Colombia, National University of
168.176.192.0/24 -- Colombia, National University of
168.176.194.0/24 -- Colombia, National University of
168.176.218.0/24 -- Colombia, National University of
168.176.219.0/24 -- Colombia, National University of
179.1.71.0/24 -- Colombia
181.57.40.0/24 -- Colombia
186.113.13.0/24 -- Colombia
186.113.15.0/24 -- Colombia
186.147.230.0/24 -- Colombia
190.90.31.0/24 -- Colombia
190.90.88.0/24 -- Colombia
200.1.65.0/24 -- Colombia
200.14.44.0/24 -- Colombia
200.24.3.0/24 -- Colombia
200.24.5.0/24 -- Colombia