21 October 2001: See also "Safeweb Bandwidth Splitting:"
http://cryptome.org/safeweb-split.htm
21 October 2001: Add comments.
20 October 2001: Add comments.
19 October 2001: Add comment.
19 October 2001
64.124.150.130 is a SafeWeb IP address. See related:
http://cryptome.org/riaa-safeweb.htm
http://cryptome.org/riaa-anongo.htm
http://cryptome.org/safeweb-anongo.htm (updated 21 October 2001)
From: Dan
To: <[email protected]>
Subject: 64.124.150.130 Location
Date: Fri, 19 Oct 2001 00:28:33 -0400
64.124.150.130 appears to be located physically in the Bahamas as far as I can tell.
From: <[email protected]>
To: Dan
Sent: Friday, October 19, 2001 8:43 AM
Subject: Re: 64.124.150.130 Location
Now that is most interesting. I accept your word for it but would like to know how you find a physical location for an IP address beyond what is in the public records.
From: Dan
To: <[email protected]>
Subject: Re: 64.124.150.130 Location
Date: Fri, 19 Oct 2001 11:25:48 -0400
Funny you should mention locating a physical address that is publicly located. I noticed something interesting that happened after I pinged the site "64.124.150.130": My Virus Scanning Software picked up a java script containing a Trojan type virus similar to "Seeker.gen". The originating web address for the java script was 206.138.18.108. An attempt to download the trojan comes from that address and original address in question. It seems that they are trying to hack into my pc and put a hidden URL for my browser to connect to, probably to monitor internet activity or to look at the HD.
But this is what I believe the SafeWeb primary server to be:
UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136)
   NETBLK-UUNETCBLK136      206.136.0.0 - 206.139.255.255
Digital Systems (Bahamas) Ltd./Internet Bahamas LTD. (NETBLK-UU-206-138-16)
   UU-206-138-16            206.138.16.0 - 206.138.31.255
I think my activity must have spurred someone's curiosity there. I isolated the Seeker Virus that was downloaded to
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\8A1I57AL\DEFAULT[1].JS
on my computer (IE5) before it could be activated. I then reconnected back to the net with a different IP address and lo and behold, the second I started my browser, the Java File tried to set up a connection to the site in the Bahamas and attempt a portscan, finally trying to settle on my local port 4816.
I deleted the java script program, checked for alterations of my system and registry in general as a precaution (there were none), removed hidden url's and unlinked files, deleted *Cookies/index.dat and then rebooted. There was no activity from that Bahamian location. I pinged the address 64.124.150.130 and then I got portscanned by 206.25.48.59, who is:
Cable & Wireless USA (NETBLK-CW-05BLK)
   CW-05BLK                 206.24.0.0 - 206.31.255.255
The River Internet Access Co. (NETBLK-CW-206-25-48)
   CW-206-25-48             206.25.48.0 - 206.25.51.255
New Horizons Tucson (NETBLK-RIVR-NETBLK-NEWHORIZ4)
   RIVR-NETBLK-NEWHORIZ4    206.25.48.0 - 206.25.48.127
This site attempted to download the very same nasty little java script to my computer. It would seem that these two operations are in partnership.
I emailed the respective site administrators and told them to stop trying to hack my computer and their activity promptly stopped within minutes although I never got a response from them. I think that someone there was curious as to how I located a certain server. Funny part is that it was quite accidental that I did and only because they tried to take a look at me. It's actually an interesting tactic that I used to use years ago (it had nothing to do with computers, though) to find out who was snooping around: I found that if I snooped around enough eventually you will catch someone's attention and they will try to take a look at you and that's when they expose themselves.
Also, if you visit certain sites, you will almost invariably have someone attempt to put this seeker trojan into your temporary internet files. My virus scanner picked up an attempt to download the same virus from this site:
http://www.geocities.com/SiliconValley/Vista/8015/free.html
and it all led back again to the same server in the Bahamas.
I've been having a lot of fun with this as I haven't really worked with computers for about 15 years (remember OCL I and II? and IBM 36 Mainframes? Dinosaurs! LOL!) and things have changed quite a bit!
I'm almost curious enough to set up my old Gateway to Hell computer and let these guys in to see just what they are up to.
Date: Fri, 19 Oct 2001 11:31:55 -0700
From: V
To: [email protected]
Subject: safeweb trojan
> Funny you should mention locating a physical address that is publicly located. I noticed something interesting that happened after I pinged the site "64.124.150.130": My Virus Scanning Software picked up a java script containing a Trojan type virus similar to "Seeker.gen". The originating web address for the java script was 206.138.18.108. An attempt to download the trojan comes from that address and original address in question. It seems that they are trying to hack into my pc and put a hidden URL for my browser to connect to, probably to monitor internet activity or to look at the HD. ...
That's some nonsense right there, it doesn't work that way. The 64.124.150.130 isn't located in the Bahamas, it's at AboveNet in San Jose with the rest of Safeweb's equipment, just like they claim (this can be verified using VisualTraceroute, http://visualroute.visualware.com/).
Sure, it's possible that the folks of Safeweb whipped up a script that sends the IPs of machines that have pinged them, to a server in the Bahamas, and then engages in seriously shady behavior from there, but this scenario is highly unlikely.
Also, as you may have noticed, his use of 'download' is out of context: he most certainly means 'upload', and in this instance, it's a very important distinction, being that as far as browsers are concerned, they operate by rather different mechanisms. Downloading implies that he requested the files that were sent, whereas uploading implies that the other side initiated the transfer (browsers, and HTTP in general, do not allow for outside machines to upload files to your machine unless you've already sent a request for said files: essentially, the browser won't accept stuff from a sender that it isn't already listening for).
A more likely scenario:
At some point he visited a scam site or porn site that tried to install some dialer software (a common porn site scam: they use some ActiveX to install a dialer that calls up a POP in Rumania or the Bahamas or somesuch using their leased long-distance circuit, so they reap the tollcalls). This would account for some of the "trojan" stuff he found in his tempdir. While it is possible for someone to compromise his system security and surreptitiously implant files, it is seriously unlikely that someone would place them in his IE tempdir, as there are much better places to hide that sort of thing; the fact that he found it in his tempdir implies that a site he visited implanted the code there. It doesn't have to be a porn dialer though: plenty of other sites use malicious java and javascript and the like to reset your default startpage and other nonsense like that.
It's also worth noting that, due to the nature of their layout, most cablemodem networks are prone to port-scanning anyway, as they're easy targets.
I realize this isn't the most coherent attempt at rebuffing his claims, but just the same, I feel that post is some serious disinformation, "a little knowledge is a dangerous thing" etc., etc. A lot of stuff in the Safeweb thread has been; a lot of people with slim technical knowledge posting stuff that looks sorta impressive, but actually mostly devoid of fact or technical merit.
From: mike
Date: Sat, 20 Oct 2001 12:59:17 -0400
In the latest exchange on 64.124.150.130 on Cryptome, 'V' is absolutely correct.... Dan is just not technically proficient enough to understand what is happening.
The Javascript that he is referring to is technically a virus, although its one of the somewhat rare class of commercial (as opposed to malicious-only) virii out there.
For more info, see
http://www.symantec.com/avcenter/venc/data/js.alert.trojan.html
(although there are a number of other Javascript trojans besides this one).
I'd be careful about posting stuff like Dan's commentary -- I don't believe Dan is anything other than a well-meaning novice, but this kind of thing is especially pernicious because it has the patina of reality.
From: R
Date: 20 October 2001
I did some lookups on some of the IP addresses that are on your site in posts related to the Safeweb subject.
When I can be of any help to de-bug the Safeweb SNAKE-OIL service, tell me what you may need, and I will do what I can to help you.
Additionally, Safeweb is informing its users that Safeweb is keeping ALL logs for 10 days. The company owner, Mr Hsu, did say 7 days.
"Privacy policy and handling of data
SafeWeb servers do not log any user content only incoming and outgoing IP addresses. This information is necessary for security reasons to see who is attacking us or abusing our network. The logs of incoming and outgoing IPs are stored separately and encrypted. After 7-10 days, they are destroyed in an unrecoverable manner."
Additionally, the CIA indicated that [Mr Christopher Tucker, chief strategic officer at In-Q-Tel]:
"but he didn't deny that Triangle Boy could be used in other aspects of the agency's mission, such as gathering information on terrorists and other operations it deems suspicious."
My comment: How may info gathering on an ANONYMOUS citizen be linked to terrorists? It is PROFILING in its pure form.
My comment: When Safeweb's purpose is to gather citizens' information, it is not here to protect the privacy of citizens; therefore Mr Hsu's mantra of "leading privacy provider" has no merit. At most it may be applicable to protection of the privacy of CIA and NSA assets, which we all know already.
My comment: When Safeweb is using JAVA + JAVA SCRIPTS as the condition of their SPY service, by default all of their service is UN-SECURE by definition. There is no need to require Java & Java Scripts to be turned ON as a condition for use of SSL. When this is a REAL privacy service, these UN-SECURE features must be turned OFF, but Safeweb is doing just the opposite. Normally these 2 features are used for enhancement purposes, but at the flick of a finger both may be used to create real sinister damage to the user environment. This risk is REAL and very well documented, not to mention that it is in use for those sinister purposes. The people who will be the victims of these services are people who prefer HTML emails instead of TEXT, and normally they would be the users of the Safeweb service.
My comment: From what they are saying and providing, this is another NSA, CIA and maybe FBI service that is equivalent to the Swiss Crypto AG scandal.
My comment: When the sole purpose of keeping logs for 10 days [2 business weeks!] is to protect itself against attacks, it's very stupid to wait 2 weeks to respond to an attack when the company is being attacked right NOW. When a DoS or DDoS is instigated NOW, it is appropriate to keep logs NOW, or in the future, of ATTACKERS and NOT of privacy seekers. We don't need a space science doctorate to distinguish between ATTACKERS and PRIVACY protection users.
My comment: Isn't the CIA part of DoD?
Isn't the CIA part of the USA Government?
What is the primary difference between DoD & CIA & USA Government?
Mr Hsu's comment was just funny.
My comment: Doesn't he understand that his company is doing excellent business for the CIA & NSA, but his logging and log retention for a period of 10 days [how could you, Mr Young, be sure that logs are not kept for a longer or indefinite period?] is against normally acceptable privacy protection services?
My comment: The spin-off and extensive PR created by really stupid people who don't have any knowledge of what real privacy should mean, and how that real privacy needs to be achieved, are helping pigs to be slaughtered in the abattoir.
My comment: The real web surfing privacy protection company, ZKS, which has been forced to close this type of service, provided its service based on a dependable anonymous mix service. ZKS did not provide an SSL proxy, as the Safeweb company is providing while claiming protection of user privacy by logging all connection details, in IP & out IP [coming FROM, going TO addresses].
My comment: When ZKS started its service, the CIA & NSA didn't ask them to secure CIA & NSA assets. As a matter of fact, the CIA and NSA should & would allocate $1 mil dollars to purchase 20,000 valid licenses for ZKS services. What the CIA & NSA would get would be the most secure and un-traceable web surfing service, not a mere SSL proxy, but they didn't do that. Why didn't they? The answer is very simple: the CIA & NSA's primary reason to sign Safeweb was to spy on innocent and un-informed citizens, with the secondary purpose of protecting their own tracks. I don't believe in this secondary reason. Why? Because we have much better and completely un-traceable ways of communication; an SSL proxy is not one of them. The SSL proxy is secure between end points, but it is not un-traceable; Safeweb is keeping all logs for 10 days.
My comment: When logs are kept, logs can be stolen. When logs can be stolen, logs can be compromised. The professionals, SPIES, at the CIA & NSA know what it says in their SPY BOOKS.
In short, it's very intelligent & high class SNAKE-OIL, equivalent to Crypto AG.
=========================
The trace information that may be of interest to you.
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
dns 64.124.150.130
64.124.150.130 has dubious reverse DNS of 64.124.150.130.safeweb.com - which is a valid hostname, but not one that resolves to 64.124.150.130
Trying whois -h whois.arin.net 64.124.150.130
Abovenet Communications, Inc. (NETBLK-ABOVENET)
   50 W. San Fernando Street, Suite 1010
   San Jose, CA 95113
   US

   Netname: ABOVENET
   Netblock: 64.124.0.0 - 64.125.255.255
   Maintainer: ABVE

   Coordinator:
      Metromedia Fiber Networks/AboveNet (NOC41-ORG-ARIN) [email protected]
      408-367-6666 Fax- 408-367-6688

   Domain System inverse mapping provided by:
      NS.ABOVE.NET   207.126.96.162
      NS3.ABOVE.NET  207.126.105.146

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
traceroute 64.124.150.130
 3  198.32.146.21    2.751 ms    mae-la.above.net  [AS226] USC/Information Sciences Institute, regional network, Los Nettos
 4  216.200.0.166    14.580 ms   sjc1-lax1-oc3.sjc1.above.net  [AS6461] Primary AS for Abovenet
 5  216.200.0.178    14.522 ms   core1-sjc1-oc48.sjc2.above.net  [AS6461] Primary AS for Abovenet
 6  208.184.102.202  14.647 ms   core4-core1-oc48.sjc2.above.net  [AS6461] Primary AS for Abovenet
 7  208.184.102.178  31.452 ms   sea1-sjc2-oc48-2.sea1.above.net  [AS6461] Primary AS for Abovenet
 8  216.200.127.65   101.633 ms  lga1-sea1-oc48.lga1.above.net  [AS6461] Primary AS for Abovenet
 9  208.185.0.246    101.964 ms  core1-lga1-oc192.lga2.above.net  [AS6461] Primary AS for Abovenet
10  216.200.127.154  101.361 ms  main1colo45-core1-oc48.lga2.above.net  [AS6461] Primary AS for Abovenet
11  208.184.48.173   110.696 ms  208.184.48.173.safeweb.com (Fake rDNS)  [AS6461] Primary AS for Abovenet
12  10.100.0.2       111.820 ms  DNS error
13  *** failed
14  *** failed
15  *** aborting
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dns 206.138.18.108
206.138.18.108 has no reverse DNS configured.
Trying whois -h whois.arin.net 206.138.18.108
UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136)
   NETBLK-UUNETCBLK136      206.136.0.0 - 206.139.255.255
Digital Systems (Bahamas) Ltd./Internet Bahamas LTD. (NETBLK-UU-206-138-16)
   UU-206-138-16            206.138.16.0 - 206.138.31.255

To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first.
traceroute 206.138.18.108
 3  198.172.117.161  2.784 ms    DNS error  [AS2914] Verio
 4  129.250.29.126   3.582 ms    ge-6-2-0.r00.lsanca01.us.bb.verio.net  [AS2914] Verio
 5  129.250.2.25     12.971 ms   p4-2-0-0.r01.snjsca03.us.bb.verio.net  [AS2914] Verio
 6  129.250.2.62     13.143 ms   p16-3-0-0.r04.snjsca03.us.bb.verio.net  [AS2914] Verio
 7  129.250.3.34     16.49 ms    p4-0-1-0.r00.scrmca01.us.bb.verio.net  [AS2914] Verio
 8  129.250.9.98     16.915 ms   p4-0.uunet.scrmca01.us.bb.verio.net  [AS2914] Verio
 9  152.63.52.250    17.138 ms   0.so-2-0-0.XL1.SAC1.ALTER.NET (DNS error)  [AS701] Alternet
10  152.63.53.250    16.620 ms   0.so-3-0-0.TL1.SAC1.ALTER.NET (DNS error)  [AS701] Alternet
11  152.63.145.229   91.640 ms   0.so-7-0-0.TL1.DCA6.ALTER.NET (DNS error)  [AS701] Alternet
12  152.63.38.70     91.348 ms   0.so-6-0-0.XL1.DCA6.ALTER.NET (DNS error)  [AS701] Alternet
13  152.63.38.86     91.832 ms   0.so-7-0-0.XR1.DCA6.ALTER.NET (DNS error)  [AS701] Alternet
14  152.63.33.13     92.603 ms   185.at-5-0-0.XR1.DCA1.ALTER.NET (DNS error)  [AS701] Alternet
15  152.63.35.237    92.971 ms   195.ATM6-0.GW5.DCA1.ALTER.NET (DNS error)  [AS701] Alternet
16  206.138.16.101   646.430 ms  DNS error  [AS701] Alternet
17  206.138.16.34    653.594 ms  DNS error  [AS701] Alternet
18  *** failed
19  *** failed
20  *** aborting
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dns 64.124.150.130.safeweb.com
64.124.150.130.safeweb.com resolves to 65.107.16.45
www.64.124.150.130.safeweb.com resolves to 65.107.16.45
Trying whois -h whois.arin.net 64.124.150.130.safeweb.com
No match for "64.124.150.130.SAFEWEB.COM".
whois -h magic 65.107.16.45
64.124.150.130.safeweb.com resolves to 65.107.16.45
Trying whois -h whois.arin.net 65.107.16.45
Concentric Network Corporation (NETBLK-CONCENTRIC-BLK6)
   1400 Parkmoor Avenue
   San Jose, CA 95126-3429
   US

   Netname: CONCENTRIC-BLK6
   Netblock: 65.104.0.0 - 65.107.255.255
   Maintainer: CRC

   Coordinator:
      DNS and IP ADMIN (DIA-ORG-ARIN) [email protected]
      (408) 817-2800 Fax- - - (408) 817-2630

   Domain System inverse mapping provided by:
      NAMESERVER1.CONCENTRIC.NET  207.155.183.73
      NAMESERVER2.CONCENTRIC.NET  207.155.184.72
      NAMESERVER3.CONCENTRIC.NET  206.173.119.72
      NAMESERVER.CONCENTRIC.NET   207.155.183.72

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
traceroute 64.124.150.130.safeweb.com
64.124.150.130.safeweb.com resolves to 65.107.16.45
 3  198.32.146.12  3.295 ms   mae-la.px.concentric.net  [AS226] USC/Information Sciences Institute, regional network, Los Nettos
 4  64.220.0.82    3.196 ms   ge10-0.tran2.lax-ca.us.xo.net  [AS2828] XO Communications, Inc.
 5  64.0.0.9       11.633 ms  p1-0.tran2.pal-ca.us.xo.net  [AS2828] XO Communications, Inc.
 6  64.220.0.19    11.60 ms   ge0-0.dist1.pal-ca.us.xo.net  [AS2828] XO Communications, Inc.
 7  64.0.0.110     11.620 ms  DNS error  [AS2828] XO Communications, Inc.
 8  65.105.231.2   13.898 ms  DNS error  [AS2828] XO Communications, Inc.
 9  65.107.32.30   19.853 ms  DNS error  [AS2828] XO Communications, Inc.
10  *** failed
11  *** failed
12  *** aborting
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dns 65.107.16.45
65.107.16.45 has no reverse DNS configured.
Trying whois -h whois.arin.net 65.107.16.45
Concentric Network Corporation (NETBLK-CONCENTRIC-BLK6)
   1400 Parkmoor Avenue
   San Jose, CA 95126-3429
   US

   Netname: CONCENTRIC-BLK6
   Netblock: 65.104.0.0 - 65.107.255.255
   Maintainer: CRC

   Coordinator:
      DNS and IP ADMIN (DIA-ORG-ARIN) [email protected]
      (408) 817-2800 Fax- - - (408) 817-2630

   Domain System inverse mapping provided by:
      NAMESERVER1.CONCENTRIC.NET  207.155.183.73
      NAMESERVER2.CONCENTRIC.NET  207.155.184.72
      NAMESERVER3.CONCENTRIC.NET  206.173.119.72
      NAMESERVER.CONCENTRIC.NET   207.155.183.72

   ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
traceroute 65.107.16.45
 3  198.32.146.12  3.55 ms    mae-la.px.concentric.net  [AS226] USC/Information Sciences Institute, regional network, Los Nettos
 4  64.220.0.82    3.303 ms   ge10-0.tran2.lax-ca.us.xo.net  [AS2828] XO Communications, Inc.
 5  64.0.0.9       11.79 ms   p1-0.tran2.pal-ca.us.xo.net  [AS2828] XO Communications, Inc.
 6  64.220.0.19    11.8 ms    ge0-0.dist1.pal-ca.us.xo.net  [AS2828] XO Communications, Inc.
 7  64.0.0.110     11.737 ms  DNS error  [AS2828] XO Communications, Inc.
 8  65.105.231.2   13.713 ms  DNS error  [AS2828] XO Communications, Inc.
 9  65.107.32.30   17.822 ms  DNS error  [AS2828] XO Communications, Inc.
10  *** failed
11  *** failed
12  *** aborting
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
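The trace above calls the reverse DNS of 64.124.150.130 "dubious" and labels hop 11 "Fake rDNS": the PTR name 64.124.150.130.safeweb.com exists, but it resolves to 65.107.16.45, not back to 64.124.150.130. Whoever controls the reverse zone for a netblock can put any name at all into a PTR record, so the name carries no evidence until it is forward-confirmed: resolve the PTR name and check that the original address is among the answers. The following is an added example, not code from the thread or from SafeWeb. The sample resolver tables are constructed from the lookups shown on this page; the live lookups through the system resolver are included only so the check can be run against real addresses.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not part of the Cryptome thread. Sample data is constructed
from the lookups quoted on the page: 64.124.150.130 has a PTR of
64.124.150.130.safeweb.com, which resolves forward to 65.107.16.45;
65.107.16.45 and 206.138.18.108 have no PTR at all.
"""
import socket
from typing import Callable, Dict, List

SAMPLE_PTR: Dict[str, List[str]] = {
    "64.124.150.130": ["64.124.150.130.safeweb.com"],
}
SAMPLE_A: Dict[str, List[str]] = {
    "64.124.150.130.safeweb.com": ["65.107.16.45"],
    "www.64.124.150.130.safeweb.com": ["65.107.16.45"],
}

Resolver = Callable[[str], List[str]]


def sample_ptr(ip: str) -> List[str]:
    """Offline stand-in for a PTR lookup, backed by the constructed table."""
    return SAMPLE_PTR.get(ip, [])


def sample_a(name: str) -> List[str]:
    """Offline stand-in for an A lookup, backed by the constructed table."""
    return SAMPLE_A.get(name, [])


def live_ptr(ip: str) -> List[str]:
    """Reverse lookup through the system resolver; [] when no PTR exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def live_a(name: str) -> List[str]:
    """Forward lookup through the system resolver; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []


def fcrdns(ip: str, ptr: Resolver = live_ptr, a: Resolver = live_a) -> dict:
    """Forward-confirmed reverse DNS for one address.

    verdict is one of:
      "none"        - no PTR record, nothing to confirm
      "confirmed"   - at least one PTR name resolves forward back to ip
      "unconfirmed" - PTR names exist but none resolves back to ip
                      (the case the trace tool above labels "Fake rDNS")
    """
    names = ptr(ip)
    forward = {n: a(n) for n in names}
    confirmed = [n for n, addrs in forward.items() if ip in addrs]
    if not names:
        verdict = "none"
    elif confirmed:
        verdict = "confirmed"
    else:
        verdict = "unconfirmed"
    return {"ip": ip, "ptr_names": names, "forward_to": forward,
            "confirmed": confirmed, "verdict": verdict}


if __name__ == "__main__":
    # Run the check over the page's three addresses using the constructed tables.
    for ip in ("64.124.150.130", "65.107.16.45", "206.138.18.108"):
        r = fcrdns(ip, sample_ptr, sample_a)
        ptrs = ", ".join(r["ptr_names"]) or "(no PTR)"
        print(f"{ip:15}  {ptrs:32}  {r['verdict']}")
        for name, addrs in r["forward_to"].items():
            print(f"{'':15}  {name} -> {', '.join(addrs) or '(does not resolve)'}")
```

Calling `fcrdns(ip)` with the default resolvers runs the same check against the live DNS. An "unconfirmed" result is not proof of anything sinister on its own, since plenty of hosting providers never set up matching forward records, but it does mean the PTR name should not be read as evidence of who operates the address.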
From: M
Date: 20 October 2001
How to determine physical location?
The answer is simple; its impossible.
When law-enforcement agencies trace users they often go to the ISPs directly, and the ISP can then determine physical location through their own (non-standard, non-public) databases. These databases can associate an IP with a certain time/phone number for dialup users (and then the telephone company can trace the phone number to a physical location), and with a certain physical plug for permanently connected users.
Remark: say a computer goes wild and starts spamming something.gov with a DoS attack. It stamps every packet with a 0.0.0.0 source address. Can it be traced? Sure. But this will be extremely hard for "normal users" or even for "normal admins". The way to go would be to go back router by router and see from where the stream is coming.
Also, if I really wanted to be anonymous I would not connect from any account with my name on it. In Sweden you can just enter any public library and get free anon access. Or a school? Or just open a phone-line hub (in Sweden they are everywhere along the streets if you know what to look for). The thing is, it is and will always be impossible to trace a user, and a server goes pretty much under the same rules.
Note: the physical location used by the visualroute software is based entirely on an optional field in the global whois database (not 100% sure, it could be a field in the ARIN database too). This field allows any admin to enter the long/lat of his server.
So, anyway, the bottom line is that it's really impossible to tell whether the admin is telling the truth or not. In this particular case I do not think your "hacker" even went this far, as you can figure it out by just doing a simple web-based query on the IP.
Surf to www.arin.net (American Registry for Internet Numbers) (or to www.ripe.net for Europe)
or directly to:
http://www.arin.net/whois/
And enter the "Bahamas-IP"; this will display:
UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136)
   NETBLK-UUNETCBLK136      206.136.0.0 - 206.139.255.255
Digital Systems (Bahamas) Ltd./Internet Bahamas LTD. (NETBLK-UU-206-138-16)
   UU-206-138-16            206.138.16.0 - 206.138.31.255
So, this guy is very likely just guessing (after seeing the (Bahamas) note in the whois field). I can't see how he can be any more certain than you or me.
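R's listings above and M's web-based query both return every netblock that encloses the address, parent first: UUNET's block and, inside it, the Internet Bahamas assignment for 206.138.18.108; Cable & Wireless, The River, and New Horizons Tucson for 206.25.48.59. The record that names the actual assignee is the smallest one, which is what ARIN's "!xxx" hint is for; the outer block only tells you who sold the space. The following is an added example, not from the thread: it parses the old-style ARIN summary listing, constructed here from the records quoted on this page (this is the output format ARIN returned in 2001, not its current one, so it applies to saved output rather than a live query), and picks the most specific block containing an address.

```python
"""Most-specific ARIN netblock for an address.

Added example, not part of the Cryptome thread. The sample listing is
constructed from the ARIN records quoted on the page and uses the summary
format whois.arin.net returned in 2001.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_WHOIS = """\
UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136)
   NETBLK-UUNETCBLK136      206.136.0.0 - 206.139.255.255
Digital Systems (Bahamas) Ltd./Internet Bahamas LTD. (NETBLK-UU-206-138-16)
   UU-206-138-16            206.138.16.0 - 206.138.31.255
Cable & Wireless USA (NETBLK-CW-05BLK)
   CW-05BLK                 206.24.0.0 - 206.31.255.255
The River Internet Access Co. (NETBLK-CW-206-25-48)
   CW-206-25-48             206.25.48.0 - 206.25.51.255
New Horizons Tucson (NETBLK-RIVR-NETBLK-NEWHORIZ4)
   RIVR-NETBLK-NEWHORIZ4    206.25.48.0 - 206.25.48.127
"""

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# One summary record is "Org name (NETBLK-HANDLE)" followed by
# "NETNAME start - end". Org names can contain their own parentheses
# ("(Bahamas)"), so the handle is anchored on its NETBLK- prefix rather
# than on the first "(".
_RECORD = re.compile(
    r"\s*(?P<org>.+?) \((?P<handle>NETBLK-[^)]+)\)\s+(?P<netname>\S+)\s+"
    r"(?P<start>" + _IP + r") - (?P<end>" + _IP + r")"
)


@dataclass
class NetBlock:
    org: str
    handle: str
    netname: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1

    def contains(self, ip: str) -> bool:
        return self.start <= ipaddress.IPv4Address(ip) <= self.end


def parse_netblocks(text: str) -> List[NetBlock]:
    """Parse every org/handle/range record in an old-style ARIN listing."""
    return [
        NetBlock(m["org"].strip(), m["handle"], m["netname"],
                 ipaddress.IPv4Address(m["start"]),
                 ipaddress.IPv4Address(m["end"]))
        for m in _RECORD.finditer(text)
    ]


def allocation_chain(ip: str, blocks: List[NetBlock]) -> List[NetBlock]:
    """All listed blocks containing ip, largest (the upstream carrier) first."""
    return sorted((b for b in blocks if b.contains(ip)),
                  key=lambda b: b.size, reverse=True)


def most_specific(ip: str, blocks: List[NetBlock]) -> Optional[NetBlock]:
    """Smallest listed block containing ip: the assignee rather than the carrier."""
    chain = allocation_chain(ip, blocks)
    return chain[-1] if chain else None


if __name__ == "__main__":
    blocks = parse_netblocks(SAMPLE_WHOIS)
    for ip in ("206.138.18.108", "206.25.48.59", "64.124.150.130"):
        chain = allocation_chain(ip, blocks)
        print(ip, "->", " > ".join(b.netname for b in chain) or "no listed block")
        if chain:
            print("   assignee:", chain[-1].org)
```

The chain is the useful output: for 206.25.48.59 it reads CW-05BLK > CW-206-25-48 > RIVR-NETBLK-NEWHORIZ4, so the address belongs to a 128-address customer block in Tucson, not to Cable & Wireless. Note that even the most specific record says nothing about where the machine physically sits, which is M's point; a "(Bahamas)" in an organization name is a registration detail, not a geolocation.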
Date: Sat, 20 Oct 2001 22:20:11 -0700 (PDT)
From: J
To: [email protected]
Subject: Safeweb, etc.
In regards to the safeweb IPs being forwarded to the Bahamas, it is possible, but incorrect on this server. Here is what that win2k server in the Bahamas is doing:
206.25.48.59
http://206.25.48.59/ yields w32.Nimda.A@mm(html), W32.Nimda.enc, w32.Nimda.A@mm(dr)
One's an internet email virus and one an http virus. Standard stuff. The server is a windows 2000 server with all the trimmings:
Email, http, https, netbios, mailserver, iis5 even:
 25  :CONNECT END PORT INFO
 80  :CONNECT END PORT INFO
110  :CONNECT END PORT INFO
135  :CONNECT END PORT INFO
139  :CONNECT END PORT INFO
443  :CONNECT END PORT INFO
445  :CONNECT END PORT INFO
Win2k server determined by packet personality. Oxymoron in this context.
Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=65D12%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
They are even nice enough to have a little ftp site:
Connecting to 206.25.48.59, Port 21 (#1)
Connected. Waiting for response.
220 A97DC6Freers2 Microsoft FTP Service (Version 5.0).
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS xxxxxx
230 Anonymous user logged in.
SYST
215 Windows_NT version 5.0
REST 100
350 Restarting at 100.
REST 0
350 Restarting at 0.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A

New Horizons Tucson
   c/o The River
   40 N Swan Rd
   Tucson, AZ 85711
   US
So, I think contestant #1 may have other issues going on rather than safeweb. The above server box is just borked. A pub-maker's paradise.
This doesn't mean that safeweb is safe. In fact there is 100% certainty that it's not, since you have no control over your data. It's just something to be used at work when you're surfing porn or whatever floats your boat.