Date: Sat, 2 Aug 2003 11:39:33 +1000
From: Roland Verlander
To: hijacked
Message-Id: <017101c35896$ef1d7650$14aadccb@COMPUTER1>
Subject: [hijacked] 203.30.26.0/23
Followups:

<20030804124316.GA76390@gweep.net>


[Conclusion: 203.30.26.0/23 is an Australian netblock which is being used by
child porn spammers and is being announced without permission by CAIS
AS3491. Traffic for this block ends up in the BtN/CAIS colocation facility
in Ashburn, Virginia.]

Child Porn spam domains darkcollections.net, cyber-lolita.com are now
residing in 203.30.26.0/23:

08/02/03 11:24:27 dns www.darkcollections.net
Canonical name: www.darkcollections.net
Addresses:
  203.30.27.65

08/02/03 11:24:59 dns www.cyber-lolita.com
Mail for www.cyber-lolita.com is handled by mail.clobex.com
Canonical name: cyber-lolita.com
Aliases:
  www.cyber-lolita.com
Addresses:
  203.30.26.21

APNIC says that this netblock belongs to an Australian software company,
nothing unusual here:

inetnum:      203.30.26.0 - 203.30.27.255
netname:      TERADACTYL1-AU
descr:        Teradactyl Software P/L
descr:        5 valda street
descr:        west pennant hills
descr:        NSW  2125
country:      AU
admin-c:      SE24-AP
tech-c:       SE24-AP
remarks:      ** Conversion note - reference 'SE6-AU' changed to 'SE24-AP'
remarks:      Record imported from AUNIC as part of AUNIC->APNIC migration
remarks:      Please see http://www.apnic.net/db/aunic/
mnt-by:       MAINT-AU-SE24-AP
changed:      nobody@aunic.net 19960724
changed:      aunic-transfer@apnic.net 20010525
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Steven Engel
address:      Netcommerce Solutions Pty Limited
address:      25 Sirius Rd
address:      Lane Cove
address:      NSW 2066
phone:        +61 4 09 038 630
phone:        +61 2 9427 8118
e-mail:       steve@netcommerce.com.au
nic-hdl:      SE24-AP
remarks:      CEO
remarks:      This data originated from AUNIC, and was copied as part of
remarks:      the AUNIC to APNIC migration.  http://www.apnic.net/db/aunic/
remarks:      Original nic-hdl in AUNIC: SE6-AU
mnt-by:       MAINT-AU-SE24-AP
changed:      nobody@aunic.net 19970907
changed:      nobody@aunic.net 20000207
changed:      aunic-transfer@apnic.net 20010523
source:       APNIC

But let's see who's routing it:

route-server.cw.net>sh ip bgp 203.30.26.0
BGP routing table entry for 203.30.26.0/23, version 85006
Paths: (2 available, best #1)
  Not advertised to any peer
  3491
    208.172.146.29 from 208.172.146.29 (208.172.66.28)
      Origin IGP, localpref 100, valid, internal, best
      Originator: 208.172.66.28, Cluster list: 208.172.146.29, 208.173.54.57, 208.172.66.99, 208.172.66.101
  3491
    208.172.146.30 from 208.172.146.30 (208.172.66.28)
      Origin IGP, localpref 100, valid, internal
      Originator: 208.172.66.28, Cluster list: 208.172.146.29, 208.173.54.57, 208.172.66.99, 208.172.66.101
route-server.cw.net>

OrgName:    CAIS Internet
OrgID:      CAIS
Address:    6861 Elm Street, Third Floor
Address:    McLean, VA 22101 USA
City:
StateProv:
PostalCode:
Country:    US

ASNumber:   3491
ASName:     CAIS-ASN
ASHandle:   AS3491
Comment:
RegDate:    1994-03-21
Updated:    1996-07-29

TechHandle: CAIS-NOC-ARIN
TechName:   Network Operations Center
TechPhone:  +1-703-448-4470
TechEmail:  domreg@cais.net

Hmm, an American ISP routing an APNIC netblock!? This doesn't seem right!

Let's do a traceroute to this netblock:

route-server.cw.net>trace www.darkcollections.net
Translating "www.darkcollections.net"...domain server (64.41.189.214) [OK]

Type escape sequence to abort.
Tracing the route to www.darkcollections.net (203.30.27.65)

  1 209.1.169.178 0 msec 0 msec 0 msec
  2 bhr1-ge-6-0.SantaClarasc8.cw.net (208.172.147.57) 0 msec 0 msec 0 msec
  3 dcr2-so-3-0-0.SantaClara.cw.net (208.172.156.197) 4 msec 0 msec 0 msec
  4 dcr1-loopback.Atlanta.cw.net (208.172.66.99) 60 msec 64 msec 60 msec
  5 bpr1-so-0-0-0.AtlantaPaix.cw.net (208.172.75.110) 60 msec 64 msec 60 msec
  6 beyond-the-network.AtlantaPaix.cw.net (208.173.59.30) 64 msec 64 msec 60 msec
  7 ge5-3.colo01.ash01.pccwbtn.net (63.216.0.109) [AS 3491] 80 msec 80 msec 76 msec
  8 www.darkcollections.net (203.30.27.65) [AS 3491] 76 msec 80 msec 80 msec
route-server.cw.net>

colo01.ash01.pccwbtn.net is a colocation router located in Ashburn,
Virginia. darkcollections.net formerly resided at 63.219.176.53 within
Laurence Fagan's 63.219.176.32/27 netblock on CAIS via the same
colo01.ash01.pccwbtn.net router.

RADB shows that this netblock first started being announced in late May:

route:      203.30.26.0/23
descr:      BtN Customer
origin:     AS3491
mnt-by:     MAINT-AS3491
changed:    sajwani@pccwbtn.com 20030531
source:     RADB
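A check a prefix holder could run against route-server output like the one quoted above, added here as an example and not part of the original post: it parses the Cisco "show ip bgp" text, pulls out the origin AS of each path, and flags any origin that is not on the holder's authorized list or that is registered with a different RIR than the prefix (the APNIC-block-announced-by-an-ARIN-AS signal the post relies on). The sample input is constructed from the quoted output; the authorized-origin set and the RIR mapping are assumptions.

```python
import re

# Constructed sample input: the route-server output quoted in the post above,
# in Cisco "show ip bgp <prefix>" format (the two AS3491 paths).
SAMPLE_SHOW_IP_BGP = """\
BGP routing table entry for 203.30.26.0/23, version 85006
Paths: (2 available, best #1)
  Not advertised to any peer
  3491
    208.172.146.29 from 208.172.146.29 (208.172.66.28)
      Origin IGP, localpref 100, valid, internal, best
  3491
    208.172.146.30 from 208.172.146.30 (208.172.66.28)
      Origin IGP, localpref 100, valid, internal
"""

PREFIX_RE = re.compile(r"^BGP routing table entry for (\S+),")
# An AS-path line is indented exactly two spaces and contains only ASNs.
AS_PATH_RE = re.compile(r"^  (\d+(?: \d+)*)\s*$")


def parse_show_ip_bgp(text):
    """Return (prefix, list_of_as_paths) from 'show ip bgp <prefix>' output."""
    prefix, paths = None, []
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)
            continue
        m = AS_PATH_RE.match(line)
        if m:
            paths.append([int(asn) for asn in m.group(1).split()])
    return prefix, paths


def unexpected_origins(paths, authorized_origins):
    """Origin ASNs (last hop of each path) the prefix holder did not authorize."""
    return sorted({p[-1] for p in paths} - set(authorized_origins))


def rir_mismatch(prefix_rir, origin_rirs):
    """Origins whose registry differs from the prefix's registry: a weak signal,
    as in the post (APNIC netblock announced by an ARIN-registered AS)."""
    return {asn for asn, rir in origin_rirs.items() if rir != prefix_rir}


if __name__ == "__main__":
    prefix, paths = parse_show_ip_bgp(SAMPLE_SHOW_IP_BGP)
    # Assumption: the holder has no announcing AS on file, so every origin is unexpected.
    print(prefix, unexpected_origins(paths, authorized_origins=set()))
    print(rir_mismatch("APNIC", {3491: "ARIN"}))  # assumed RIR mapping
```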
