Hello dear MW users,
I write this message because my Wiki was attacked by a WWW BOT that substituted content of a discussion page with some links to malicious websites.
This is the vandalized page: http://web.math.unifi.it/beppolevi/index.php/Discussioni_utente:WikiSysop
and this is the page with info about that "user": http://web.math.unifi.it/beppolevi/index.php/Speciale:Contributi/216.93.179....
All I know is its IP address, 216.93.179.108 .
I tried to query the WHOIS database with the prompt
=================
whois -h whois.arin.net 216.93.179.108
=================
and I got
*********************************
OrgName: ServePath, LLC
OrgID: SERVEP
Address: 360 Spear Street.
Address: Suite 200
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US
ReferralServer: rwhois://rwhois.servepath.com:4321
NetRange: 216.93.160.0 - 216.93.191.255
CIDR: 216.93.160.0/19
NetName: SERVEPATH
NetHandle: NET-216-93-160-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS.SERVEPATH.COM
NameServer: NS1.SERVEPATH.COM
Comment:
RegDate: 2002-11-15
Updated: 2003-04-10
RNOCHandle: SN458-ARIN
RNOCName: NOC, ServePath, ServePath
RNOCPhone: +1-415-252-3600
RNOCEmail: noc@servepath.com
OrgTechHandle: SN458-ARIN
OrgTechName: NOC, ServePath, ServePath
OrgTechPhone: +1-415-252-3600
OrgTechEmail: noc@servepath.com
***************************************
The IP node is located in San Francisco (in front of the bridge, following Google Maps!!).
Of course I cannot be sure the cracker is actually in California...
I tried to traceroute that IP with the prompt
=================
traceroute 216.93.179.108
=================
and I got the path that packets take between my server (Florence, Italy) and San Francisco. Of course I'm interested in what is hidden behind the San Francisco node. How can I discover it?
This is the traceroute output:
********************************
traceroute to 216.93.179.108 (216.93.179.108), 30 hops max, 40 byte packets
 1 10.0.0.2 (10.0.0.2) 8.861 ms 9.097 ms 10.847 ms
 2 FI1IE05R.wind.it (151.6.145.65) 8.943 ms 9.246 ms *
 3 FIAR-B01-Ge2-0.30.wind.it (151.6.69.65) 10.060 ms 9.180 ms 9.980 ms
 4 151.6.7.29 (151.6.7.29) 15.232 ms 14.774 ms 15.806 ms
 5 212.245.228.62 (212.245.228.62) 15.541 ms 15.081 ms 15.737 ms
 6 so-8-1.car1.Milan1.Level3.net (213.242.65.29) 16.097 ms 16.010 ms 16.254 ms
 7 ae-4-4.ebr2.Paris1.Level3.net (4.69.133.134) 33.281 ms 44.139 ms 36.062 ms
 8 ae-5.ebr2.Washington1.Level3.net (4.69.132.113) 120.257 ms 118.710 ms 126.568 ms
 9 ae-92-92.csw4.Washington1.Level3.net (4.69.134.158) 123.717 ms 114.246 ms 123.178 ms
10 ae-94-94.ebr4.Washington1.Level3.net (4.69.134.189) 121.347 ms 115.675 ms 124.935 ms
11 ae-4.ebr3.LosAngeles1.Level3.net (4.69.132.81) 188.811 ms 186.195 ms 181.196 ms
12 ae-2.ebr3.SanJose1.Level3.net (4.69.132.9) 186.953 ms 190.937 ms 196.877 ms
13 ae-93-93.csw4.SanJose1.Level3.net (4.69.134.238) 198.998 ms 189.511 ms 198.439 ms
14 ae-92-92.ebr2.SanJose1.Level3.net (4.69.134.221) 190.567 ms 188.511 ms 194.894 ms
15 ae-4-4.car2.SanFrancisco1.Level3.net (4.69.133.157) 188.257 ms 189.949 ms 189.967 ms
16 ae-11-11.car1.SanFrancisco1.Level3.net (4.69.133.153) 189.608 ms 332.129 ms 199.655 ms
17 YIPES-ENTER.car1.SanFrancisco1.Level3.net (63.211.150.226) 189.971 ms 190.346 ms 190.584 ms
18 border-core1-ge3-0.sfo2.servepath.net (209.213.192.123) 188.986 ms 188.788 ms 190.316 ms
19 customer-reverse-entry.208.96.31.8 (208.96.31.8) 190.327 ms 190.334 ms 189.487 ms
20 customer-reverse-entry.216.93.179.108 (216.93.179.108) 191.396 ms 190.199 ms 189.544 ms
*********************************
Maybe the last two lines, with "customer-reverse-entry", can offer more hints for a deeper search.
I ask you to give me hints about how I can locate that cracker, and on how to avoid this vandalism in the future.
Best regards, Giovanni Gherdovich
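As an added illustration (not part of Giovanni's message, and not MediaWiki code) of what the WHOIS and traceroute output above can and cannot tell you: the Python script below parses a trimmed excerpt of both outputs, checks that the vandal's address falls inside the CIDR block ARIN lists, collects the contact addresses a report about that block would go to, and finds the first hop that already belongs to the block's operator. The data is the post's own output, cut down; the function names and the hostname heuristic in entry_hop are my own assumptions.

```python
import ipaddress
import re

# Constructed sample input: an excerpt of the ARIN WHOIS record and of the
# traceroute quoted in the post above, embedded so this runs offline.
WHOIS_OUTPUT = """\
OrgName: ServePath, LLC
OrgID: SERVEP
City: San Francisco
Country: US
ReferralServer: rwhois://rwhois.servepath.com:4321
NetRange: 216.93.160.0 - 216.93.191.255
CIDR: 216.93.160.0/19
NetName: SERVEPATH
NetType: Direct Allocation
Comment:
RNOCEmail: noc@servepath.com
OrgTechEmail: noc@servepath.com
"""

TRACEROUTE_OUTPUT = """\
traceroute to 216.93.179.108 (216.93.179.108), 30 hops max, 40 byte packets
 1 10.0.0.2 (10.0.0.2) 8.861 ms 9.097 ms 10.847 ms
 2 FI1IE05R.wind.it (151.6.145.65) 8.943 ms 9.246 ms *
 6 so-8-1.car1.Milan1.Level3.net (213.242.65.29) 16.097 ms 16.010 ms 16.254 ms
17 YIPES-ENTER.car1.SanFrancisco1.Level3.net (63.211.150.226) 189.971 ms 190.346 ms 190.584 ms
18 border-core1-ge3-0.sfo2.servepath.net (209.213.192.123) 188.986 ms 188.788 ms 190.316 ms
19 customer-reverse-entry.208.96.31.8 (208.96.31.8) 190.327 ms 190.334 ms 189.487 ms
20 customer-reverse-entry.216.93.179.108 (216.93.179.108) 191.396 ms 190.199 ms 189.544 ms
"""

FIELD_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")          # "Key: value"
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)")  # "N host (addr) ..."


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists (a key such as NameServer may repeat)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields


def network_for_ip(ip, fields):
    """Return the allocated CIDR block from the record that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for cidr in fields.get("CIDR", []):
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net:
            return net
    return None


def abuse_contacts(fields):
    """Collect the e-mail addresses a report about this block would be sent to."""
    emails = set()
    for key in ("OrgAbuseEmail", "RNOCEmail", "OrgTechEmail"):
        emails.update(v for v in fields.get(key, []) if v)
    return sorted(emails)


def parse_hops(text):
    """Return (hop number, hostname, address) for each hop line of a traceroute."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2), m.group(3)))
    return hops


def entry_hop(fields, hops):
    """Number of the first hop that belongs to the block's operator, judged either
    by an address inside the allocated CIDR or by the NetName appearing in the
    reverse-DNS hostname (hypothetical heuristic). Every hop from here on is inside
    that operator's network, so what sits behind the last hop is something only the
    operator's NOC can say, not a further traceroute."""
    netname = fields.get("NetName", [""])[0].lower()
    nets = [ipaddress.ip_network(c, strict=False) for c in fields.get("CIDR", [])]
    for number, host, addr in hops:
        ip = ipaddress.ip_address(addr)
        if any(ip in n for n in nets) or (netname and netname in host.lower()):
            return number
    return None


if __name__ == "__main__":
    fields = parse_whois(WHOIS_OUTPUT)
    print("block:", network_for_ip("216.93.179.108", fields), "contacts:", abuse_contacts(fields))
    print("operator network starts at hop", entry_hop(fields, parse_hops(TRACEROUTE_OUTPUT)))
```

On this data the script reports 216.93.160.0/19 as the block, noc@servepath.com as the only contact, and hop 18 as the point where the path enters the operator's network: hops 18 and 19 carry addresses from other ranges but servepath hostnames, and only hop 20 is inside the ARIN-listed CIDR, which is why the address alone, and not the route, is what the NOC needs in a report.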