Backorifice ping


bell1
03-23-2000, 09:49 AM
Hey all
I just got pinged by someone at 139.92.186.105 looking to see if I have Backorifice installed (according to BID). How do I find out who this is? BID gave me no more information than the address.

Buji
03-23-2000, 10:13 AM
Someone at IBM Netherlands. www.psacake.com/web/eg.asp (http://www.psacake.com) is where I found out.

[This message has been edited by Buji (edited 03-23-2000).]

bell1
03-23-2000, 03:02 PM
Hey Buji
Thanks for the info and link.
Still, I wonder why IBM would be using Backorifice????

smunzli
03-23-2000, 03:45 PM
Here's who owns that IP and their address. Phone numbers are there too if you want to go through the trouble of calling them.


IBM Netherlands N.V. (NET-IBMNETHERLANDS)
Watsonweg 2
1423 ND Uithoorn
The Netherlands

Netname: IBMNETHERLANDS
Netblock: 139.92.0.0 - 139.92.255.255

Coordinator:
EUIBMNIC (EUI-ORG-ARIN) euibmnic@NL.IBM.COM
+49 79 322 8053

Domain System inverse mapping provided by:

NS.UK.IBM.NET 152.158.16.48
NS.DE.IBM.NET 152.158.2.48
NS.NL.IBM.NET 152.158.36.48



inetnum: 139.92.0.0 - 139.92.255.255
netname: EU-IBM-139-92-16
descr: IBM Global Network Europe
descr: OPENNET IP network
descr: Provider Local Registry
country: EU
admin-c: NI9-RIPE
tech-c: ENI1-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
changed: dolderer@nic.de 19931227
changed: hostmaster@ripe.net 19980123
changed: hostmaster@ripe.net 19990806
source: RIPE

role: NIC IBM
address: AT&T Global Network Services
address: Boerhaavelaan 11
address: 2713 HA Zoetermeer
address: The Netherlands
phone: +31 79 322 3474
phone: +31 79 322 2966
phone: +31 79 322 8737
phone: +31 79 322 6009
fax-no: +31 79 322 4411
e-mail: euibmipa@nl.ibm.com
e-mail: euibmnic@nl.ibm.com
trouble: Mailbox for Internet Abuse reports: abuse@ibm.net
trouble: Mailbox for Internet Spam reports: postmaster@ibm.net
admin-c: LO436-RIPE
admin-c: RB1243-RIPE
tech-c: LO436-RIPE
nic-hdl: NI9-RIPE
remarks: Global object for the AGNS / EMEA OMR Team
remarks: Contact: Liliane Ortega & Geert Mol (3474)
remarks: Mailbox for IP(X) Addressing issues: euibmipa@nl.ibm.com
remarks: Mailbox for Domain Name Registration: euibmnic@nl.ibm.com
remarks: Mailbox for Internet Abuse reports: abuse@ibm.net
remarks: Mailbox for Internet Spam reports: postmaster@ibm.net
notify: euibmipa@nl.ibm.com
notify: hm-dbm-msgs@ripe.net
mnt-by: EU-IBM-NIC-MNT
changed: minas@nl.ibm.com 20000303
source: RIPE

bdog
03-23-2000, 04:26 PM
I would send an email to that abuse address that smunzli posted. Tell them the time and IP and any other details of the attack.
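
Added example, not part of any post in this thread: a small Python parser for the "key: value" registry output quoted above. It confirms that the logged source address falls inside the returned netblock and pulls out the abuse mailboxes to report to. The sample record is constructed (documentation address space, example.net mailboxes), and the function names are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample in the "key: value" layout of the RIPE record quoted above
# (documentation address space and example.net mailboxes, not registry data).
SAMPLE = """\
inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-NET
admin-c: EX1-TEST

role: NIC Example
e-mail: hostmaster@example.net
trouble: Mailbox for Internet Abuse reports: abuse@example.net
trouble: Mailbox for Internet Spam reports: postmaster@example.net
remarks: Mailbox for Internet Abuse reports: abuse@example.net
nic-hdl: EX1-TEST
"""
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_objects(text):
    """Split whois output into objects (blank-line separated lists of (key, value))."""
    objects, current = [], []
    for line in text.splitlines() + [""]:      # trailing "" flushes the last object
        if not line.strip():
            if current:
                objects.append(current)
            current = []
        elif not line.startswith(("%", "#")):  # skip registry comment lines
            key, sep, value = line.partition(":")
            if sep:
                current.append((key.strip().lower(), value.strip()))
    return objects

def abuse_contacts(text, ip):
    """Return (netname, abuse mailboxes) if an inetnum object covers ip, else None."""
    objects, addr = parse_objects(text), ipaddress.ip_address(ip)
    for fields in map(dict, objects):
        if "inetnum" not in fields:
            continue
        first, last = (ipaddress.ip_address(p.strip()) for p in fields["inetnum"].split("-"))
        if first <= addr <= last:
            found = []
            for key, value in (pair for obj in objects for pair in obj):
                if key in ("trouble", "remarks", "abuse-mailbox") and "abuse" in value.lower():
                    found += [m for m in EMAIL.findall(value) if m not in found]
            return fields.get("netname"), found
    return None

if __name__ == "__main__":
    print(abuse_contacts(SAMPLE, "192.0.2.77"))
```

A None result means the record does not cover the logged address, so the lookup should be repeated against the right registry before anything is sent.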

SDT
03-25-2000, 06:04 AM
Anyone can subscribe to the Internet service supplied by IBM/AT&T over IBM.NET. If the offending ping was from IBM.COM then the originating system would be internal to IBM. I find that unlikely as messing about like that is a fireable offence. I get a variety of pings for open ports and trojans daily (5 or 10 per day). I have given up on trying to notify the ISPs as any SERIOUS hacker is masking the source IP address and won't get caught by anything that is less than a concerted effort on the part of the ISP. These pings seem to go in cycles... I noticed a real increase in the volume of them just before the DOS attacks started on Yahoo and E-Bay. Did anyone else notice this?

ytay
03-25-2000, 08:59 AM
There is little use in reporting these scans, their ISP won't do anything... These scans are like walking through a parking lot and looking in car windows; if nothing has been done illegally there is nothing they can do... Now if they compromised your system because you had Back Orifice installed, that is where you have a case.

rotax
03-25-2000, 10:06 AM
Hmmm, how do you know you are being pinged or something? thx

bell1
03-25-2000, 06:06 PM
Hey Rotax
I'm using a firewall called BlackIce Defender (BID). It notifies me when my system is "scanned". In this case BID gave me the type of attack and the IP address of the "attacker". I paid $40 bucks for it but you can get a great firewall for FREE by downloading ZoneAlarm 2.0.

Paisley Park
03-26-2000, 10:49 AM
I use AtGuard firewall and it picks up attempts to use Back Orifice, Netbus, Schoolbus and Backdoor. When I feel like playing games with the would-be hackers I run a trace and on one occasion had the joy to discover that the hacker had the Schoolbus server trojan running - he had a taste of his own medicine.
I find that sending all of the info from the trace (Neotrace) to the ISP gets a positive response, even if it only acts as a temporary inconvenience to the hacker. I know quite a lot of hackers, and a lot of them hack only for the challenge and experience but do no damage; unfortunately there are some that are malicious and give the rest a bad name.