The below email exchange may be of interest to some of you. The practical upshot is that it appears "the 91.201.64.0/22 range was hijacked and should be included into the DROP list".

As an interesting aside, quoting a friend:

"the original company (that performed dangerous waste utilization) may have been a shady thing in and of itself (..) what most companies calling themselves "ecoservice" (with variations) do is take money for "safe utilisation" of hazardous waste, and then dump it in some old quarry out in the remote (or not so remote) corner of a forest or other natural area (..) they always have criminal links and protection from corrupt officials (often co-owners) and security/law enforcement services"

From: Jeroen van Aart

there is nothing but crap coming from 91.201.64.0/24. Amongst other things attempts to spam (through) wordpress sites.

inetnum: 91.201.64.0 - 91.201.67.255
netname: Donekoserv
descr: DonEkoService Ltd

Don - name of the nearby large river. "EkoService" means ecological service.

country: RU
org: ORG-DS41-RIPE

person: Haralevich Piotr
address: novocherkassk, ul stremyannaya d.6
mnt-by: MNT-DONECO
phone: +74951000000
nic-hdl: HP2220-RIPE
changed: admin@donecoserv.ru 20101117

The company performed dangerous waste utilization:
http://donekoservis.alloy.ru/contacts/
http://www.idbo.ru/view/72321/
But domains donecoserv.ru and donekoservis.ru don't exist anymore.

traceroute 91.201.64.14
...
11 router02.spbbm18.ru.edpnet.net (212.71.11.26) 65.979 ms 65.971 ms 66.182 ms
12 77.109.110.62.static.edpnet.net (77.109.110.62) 88.868 ms 47.809 ms 47.715ms
13 195.2.240.234 (195.2.240.234) 48.235 ms 48.546 ms 48.664 ms
14 ajursrv.parohod.biz (95.215.0.206) 47.957 ms 47.752 ms 47.606 ms
15 mail.rx-helps.com (91.201.64.14) 48.206 ms 48.302 ms 48.237 ms

SPb (Sankt-Peterburg) is 1500 km from Novocherkassk. parohod.biz also is in Sankt-Peterburg, they offer SEO (which I consider fraud, spamming websites and search engines).

Also, see
http://support.clean-mx.de/clean-mx/viruses.php?email=admin@donecoserv.ru&response=
http://www.spambotsecurity.com/forum/viewtopic.php?f=7&t=795

http://unapprovedpharmacy.wordpress.com/2011/01/03/whois-www-canadianmedssho...
| January 3, 2011
...
| inetnum: 91.201.64.0 91.201.67.255
| netname: Donekoserv
| descr: DonEkoService Ltd
| country: RU
| org: ORG-DS41-RIPE
...
| organisation: ORG-DS41-RIPE
| org-name: DonEko Service
| org-type: OTHER
| address: novocherkassk, ul stremyannaya d.6
| e-mail: admin@bulletproof-web.com

Note "bulletproof".

Therefore, the 91.201.64.0/22 range was hijacked and should be included into the DROP list.
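
The registry cross-check walked through in the message above, as an added example that is not part of the original thread: it parses the whois fields quoted there, shows that both the reported /24 and the traced host 91.201.64.14 fall inside the registered /22, and lists the contact e-mail domains per object. The function names and the blank-line object layout are assumptions made for this example.

```python
import ipaddress
import re

# Fields quoted in the thread, laid out as RPSL objects for this example.
WHOIS_TEXT = """\
inetnum: 91.201.64.0 - 91.201.67.255
netname: Donekoserv
org: ORG-DS41-RIPE

organisation: ORG-DS41-RIPE
e-mail: admin@bulletproof-web.com

person: Haralevich Piotr
changed: admin@donecoserv.ru 20101117
"""

def parse_rpsl(text):
    """Split whois output into objects, each a list of (attribute, value) pairs."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        attrs = [(k.strip().lower(), v.strip()) for k, sep, v in pairs if sep]
        if attrs:
            objects.append(attrs)
    return objects

def registered_cidrs(objects):
    """Turn every inetnum 'first - last' range into CIDR prefixes."""
    cidrs = []
    for attrs in objects:
        for key, value in attrs:
            if key == "inetnum":
                first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
                cidrs.extend(ipaddress.summarize_address_range(first, last))
    return cidrs

def covering_block(target, cidrs):
    """Return the registered prefix containing an address or prefix, or None."""
    net = ipaddress.ip_network(target, strict=False)
    return next((c for c in cidrs if net.subnet_of(c)), None)

def contact_domains(objects):
    """Map object type to the e-mail domains that appear in its attributes."""
    found = {}
    for attrs in objects:
        for _, value in attrs:
            for domain in re.findall(r"[\w.+-]+@([\w.-]+\.\w+)", value):
                found.setdefault(attrs[0][0], set()).add(domain.lower())
    return found
```

A block-list entry derived this way covers the whole registered allocation rather than only the /24 where the abuse was first seen.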
It does not sound as though the original holders of the space know/care - if they are out of business, they probably don't care. If they are actively involved in it, then it's not a hijack. If they haven't updated their company name/website, then it's not a hijack, just poor record keeping.

If you suspect the address space is abandoned, or hijacked, report it to RIPE. It may not get deallocated and reassigned until a few months after the bill stops getting paid.

--Heather

-----Original Message-----
From: Jeroen van Aart [mailto:jeroen@mompl.net]
Sent: Friday, August 31, 2012 2:39 PM
To: NANOG list
Subject: 91.201.64.0/22 hijacked?

The below email exchange may be of interest to some of you. The practical upshot is that it appears "the 91.201.64.0/22 range was hijacked and should be included into the DROP list".

As an interesting aside, quoting a friend:

"the original company (that performed dangerous waste utilization) may have been a shady thing in and of itself (..) what most companies calling themselves "ecoservice" (with variations) do is take money for "safe utilisation" of hazardous waste, and then dump it in some old quarry out in the remote (or not so remote) corner of a forest or other natural area (..) they always have criminal links and protection from corrupt officials (often co-owners) and security/law enforcement services"
I was wondering if there is a repository with references of prefix hijack cases. We would like to use such information for a BGP anomaly detection analysis that we are carrying out in our research centre.

Unfortunately, apart from the well known cases (Youtube-Pakistan case in 2008 and the China case in 2010, neither of which is an actual hijack, since they both took place due to misconfigurations and not due to malicious cyber attacks) there is a lack of ground truth information that can be used for the validation of our techniques.

Thank you very much in advance,
George

On 4/9/2012 11:34, Schiller, Heather A wrote:
It does not sound as though the original holders of the space know/care - if they are out of business, they probably don't care. If they are actively involved in it, then it's not a hijack. If they haven't updated their company name/website, then it's not a hijack, just poor record keeping.
If you suspect the address space is abandoned, or hijacked, report it to RIPE. It may not get deallocated and reassigned until a few months after the bill stops getting paid.
--Heather
participants (3)
- Georgios Theodoridis
- Jeroen van Aart
- Schiller, Heather A