From: dtk@all.net
Reply-to: dtk@all.net
Organization: Deception ToolKit Mailing List
Subject: DTK Mailing List 19990603
<pre>---------------------------------------------
From fc Thu Jun  3 23:23:28 1999
Subject: Examples of an attempted entry...

The latest scan sets now include still more CGI scripts...

gameslog:
'1999/06/03 20:04:51','Allow','194.134.131.175','unknown','thttpd','Internet','',''
'1999/06/03 20:05:13','Allow','194.134.131.175','unknown','thttpd','Internet','GET /cgi-bin/phf HTTP/1.',''
'1999/06/03 20:05:24','Allow','194.134.131.175','unknown','thttpd','Internet','GET /cgi-bin/Count.cgi HTTP/1.',''
'1999/06/03 20:05:32','Allow','194.134.131.175','root','thttpd','Internet','GET /cgi-bin/test-cgi HTTP/1.',''
'1999/06/03 20:05:41','Allow','194.134.131.175','root','thttpd','Internet','GET /cgi-bin/php.cgi HTTP/1.',''
'1999/06/03 20:05:52','Allow','194.134.131.175','root','thttpd','Internet','GET /cgi-bin/handler HTTP/1.',''
'1999/06/03 20:06:01','Allow','194.134.131.175','root','thttpd','Internet','GET /cgi-bin/webgais HTTP/1.',''
'1999/06/03 20:06:13','Allow','194.134.131.175','unknown','thttpd','Internet','GET /cgi-bin/websendmail HTTP/1.',''
'1999/06/03 20:06:22','Allow','194.134.131.175','unknown','thttpd','Internet','GET /cgi-bin/webdist.cgi HTTP/1.',''
'1999/06/03 20:06:33','Allow','194.134.131.175','unknown','thttpd','Internet','GET /cgi-bin/faxsurvey HTTP/1.',''
'1999/06/03 20:06:40','Allow','194.134.131.175','root','thttpd','Internet','GET /cgi-bin/htmlscript HTTP/1.',''
'1999/06/03 20:06:51','Allow','194.134.131.175','root','thttpd','Internet','GET /cgi-bin/pfdisplay.cgi HTTP/1.',''
'1999/06/03 20:07:00','Allow','194.134.131.175','root','thttpd','Internet','GET /cgi-bin/perl.exe HTTP/1.',''
'1999/06/03 20:07:12','Allow','194.134.131.175','unknown','thttpd','Internet','GET /cgi-bin/wwwboard.pl HTTP/1.',''

DTKlog:
'194.134.131.175', '25', '25', '1999/06/03 20:04:51', '6565', '6565', '1', 'Generic.pl', 'S0', 'R-Peace', 'unknown in.smtpd unknown'
'194.134.131.175', '21', '21', '1999/06/03 20:04:51', '6566', '6566', '1', 'Generic.pl', 'S0', 'R-Peace', 'unknown wu.ftpd unknown'
'194.134.131.175', '21', '21', '1999/06/03 20:04:52', '6566', '6566', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'
'194.134.131.175', '110', '110', '1999/06/03 20:04:52', '6564', '6564', '1', 'Generic.pl', 'S0', 'R-Peace', 'unknown in.pop3d unknown'
'194.134.131.175', '110', '110', '1999/06/03 20:04:52', '6564', '6564', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'
'194.134.131.175', '25', '25', '1999/06/03 20:04:57', '6565', '6565', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'
'194.134.131.175', '110', '110', '1999/06/03 20:05:05', '6571', '6571', '1', 'Generic.pl', 'S0', 'R-Peace', 'unknown in.pop3d unknown'
'194.134.131.175', '25', '25', '1999/06/03 20:05:09', '6572', '6572', '1', 'Generic.pl', 'S0', 'R-Peace', 'unknown in.smtpd unknown'
'194.134.131.175', '21', '21', '1999/06/03 20:07:23', '6667', '6667', '1', 'Generic.pl', 'S0', 'R-Peace', 'root wu.ftpd unknown'
'194.134.131.175', '21', '21', '1999/06/03 20:07:23', '6667', '6667', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'
'194.134.131.175', '21', '21', '1999/06/03 20:07:23', '6668', '6668', '1', 'Generic.pl', 'S0', 'R-Peace', 'unknown wu.ftpd unknown'
'194.134.131.175', '21', '21', '1999/06/03 20:07:23', '6668', '6668', '1', 'Generic.pl', 'S0', 'RTension-Tension', 'TheyQuit'

Clear as day...

Then I do a trace on 194.134.131.175 and get:

traceroute to 194.134.131.175 (194.134.131.175), 30 hops max, 40 byte packets
*** 193.251.128.129: Non-existent host/domain
*** 193.251.128.34: Non-existent host/domain
*** 193.251.128.114: Non-existent host/domain

========================== 1 ==========================
]==> 24.1.84.1 68.69 ms 60.441 ms  38.777 ms

Name:    cr1-hfc1.lvrmr1.sfba.home.net

[whois.arin.net]
@Home Network (NETBLK-ATHOME)	ATHOME		       24.0.0.0 - 24.9.255.255
@Home Network (NETBLK-SFBA-TCI-FRMT-2) SFBA-TCI-FRMT-2 24.1.80.0 - 24.1.95.255


========================== 2 ==========================
]==> 24.1.80.1 19.679 ms 36.128 ms  22.332 ms

Name:    r1-fe2-0-0-100bt.frmt1.sfba.home.net

[whois.arin.net]
@Home Network (NETBLK-ATHOME)	ATHOME		       24.0.0.0 - 24.9.255.255
@Home Network (NETBLK-SFBA-TCI-FRMT-2) SFBA-TCI-FRMT-2 24.1.80.0 - 24.1.95.255


========================== 3 ==========================
No details
========================== 4 ==========================
]==> 24.0.0.2 58.614 ms 54.37 ms  17.118 ms

Name:    bb1-fe0-0-100bt.rdc1.sfba.home.net

[whois.arin.net]
@Home Network (NETBLK-ATHOME)	ATHOME		       24.0.0.0 - 24.9.255.255
@Home Network (NETBLK-CORP-RDC-SC-1) CORP-RDC-SC-1	 24.0.0.0 - 24.0.0.255


========================== 5 ==========================
]==> 144.228.44.133 13.194 ms 39.454 ms  35.899 ms

Name:    sl-gw5-sj-1-1-0-T3.sprintlink.net

[whois.arin.net]
Sprint (NET-SPRINT-INNET5)
   Government Systems Division
   13221 Woodland Park Road
   Herndon, VA  22071

   Netname: SPRINTLINK
   Netnumber: 144.228.0.0
   Maintainer: SPRN

   Coordinator:
      Sprintlink Internet Service Center  (SPRINT-NOC-ARIN)  NOC@SPRINT.NET
      800-232-6895
Fax- - 703-478-5471

   Domain System inverse mapping provided by:

   ICM1.ICP.NET			192.94.207.66
   NS1-AUTH.SPRINTLINK.NET	206.228.179.10
   NS2-AUTH.SPRINTLINK.NET	144.228.254.10
   NS3-AUTH.SPRINTLINK.NET	144.228.255.10

   Record last updated on 10-Sep-96.
   Database last updated on 3-Jun-99 16:15:18 EDT.

========================== 6 ==========================
]==> 144.232.3.61 23.904 ms 96.732 ms  80.155 ms

Name:    sl-bb10-sj-1-3-155M.sprintlink.net

[whois.arin.net]
Sprint/United Information Service (NET-SPRINT-INNET9)
   13221 Woodland Park Road
   Herndon, VA 22071
   USA

   Netname: SPRINT-INNET9
   Netnumber: 144.232.0.0
   Maintainer: SPRN

   Coordinator:
      Sprintlink Internet Service Center  (SPRINT-NOC-ARIN)  NOC@SPRINT.NET
      800-232-6895
Fax- - 703-478-5471

   Domain System inverse mapping provided by:

   NS1-AUTH.SPRINTLINK.NET	206.228.179.10
   NS2-AUTH.SPRINTLINK.NET	144.228.254.10
   NS3-AUTH.SPRINTLINK.NET	144.228.255.10

   Record last updated on 10-Sep-96.
   Database last updated on 3-Jun-99 16:15:18 EDT.

========================== 7 ==========================
]==> 144.232.8.194 32.365 ms 57.635 ms  34.145 ms

Name:    sl-bb10-stk-7-0.sprintlink.net

========================== 8 ==========================
]==> 144.232.4.30 61.664 ms 31.817 ms  62.325 ms

Name:    sl-bb6-stk-4-0-0.sprintlink.net

========================== 9 ==========================
]==> 194.206.207.53 174.666 ms 289.541 ms  163.92 ms

Name:    stockton-pos-1.opentransit.net

[whois.arin.net]
   http://www.ripe.net/db/whois.html

   Netname: RIPE-CBLK2
   Netblock: 194.0.0.0 - 194.255.255.0
   Maintainer: RIPE

   Coordinator:
      RIPE Network Coordination Centre  (RIPE-NCC-ARIN)  nicdb@RIPE.NET
      +31 20 535 4444
Fax- - +31 20 535 4445

   Domain System inverse mapping provided by:

   NS.RIPE.NET			193.0.0.193
   NS.EU.NET			192.16.202.11
   AUTH03.NS.UU.NET		198.6.1.83
   NS2.NIC.FR			192.93.0.4
   SUNIC.SUNET.SE		192.36.148.18
   MUNNARI.OZ.AU		128.250.1.21
   NS.APNIC.NET			203.37.255.97

   Record last updated on 16-Oct-98.
   Database last updated on 3-Jun-99 16:15:18 EDT.

========================== 10 ==========================
]==> 193.251.128.129 183.451 ms 180.922 ms  203.109 ms

[whois.arin.net]

   Netname: RIPE-CBLK
   Netblock: 193.0.0.0 - 193.255.255.0
   Maintainer: RIPE

   Coordinator:
      RIPE Network Coordination Centre  (RIPE-NCC-ARIN)  nicdb@RIPE.NET
      +31 20 535 4444
Fax- - +31 20 535 4445

   Domain System inverse mapping provided by:

   NS.RIPE.NET			193.0.0.193
   NS.EU.NET			192.16.202.11
   AUTH03.NS.UU.NET		198.6.1.83
   NS2.NIC.FR			192.93.0.4
   SUNIC.SUNET.SE		192.36.148.18
   MUNNARI.OZ.AU		128.250.1.21
   NS.APNIC.NET			203.37.255.97

   Record last updated on 16-Oct-98.
   Database last updated on 3-Jun-99 16:15:18 EDT.

========================== 11 ==========================
]==> 193.251.128.34 181.6 ms 218.526 ms  475.344 ms

========================== 12 ==========================
]==> 193.251.128.114 223.479 ms 170.114 ms  178.013 ms

========================== 13 ==========================
]==> 193.55.152.198 460.853 ms 189.87 ms  181.806 ms

Name:    amsterdam-ser1/1/0.opentransit.net

========================== 14 ==========================
]==> 194.206.207.74 181.594 ms 228.386 ms  189.826 ms

Name:    euronet.opentransit.net

[whois.arin.net]

   Netname: RIPE-CBLK2
   Netblock: 194.0.0.0 - 194.255.255.0
   Maintainer: RIPE

   Coordinator:
      RIPE Network Coordination Centre  (RIPE-NCC-ARIN)  nicdb@RIPE.NET
      +31 20 535 4444
Fax- - +31 20 535 4445

   Domain System inverse mapping provided by:

   NS.RIPE.NET			193.0.0.193
   NS.EU.NET			192.16.202.11
   AUTH03.NS.UU.NET		198.6.1.83
   NS2.NIC.FR			192.93.0.4
   SUNIC.SUNET.SE		192.36.148.18
   MUNNARI.OZ.AU		128.250.1.21
   NS.APNIC.NET			203.37.255.97

   Record last updated on 16-Oct-98.
   Database last updated on 3-Jun-99 16:15:18 EDT.

========================== 15 ==========================
]==> 194.134.132.71 198.936 ms 192.263 ms  185.818 ms

Name:    arnhem-gw-7507.telekabel.net

========================== 16 ==========================
]==> 194.134.132.24 175.078 ms 177.605 ms  208.016 ms

Name:    cat5k.telekabel.net

========================== 17 ==========================
]==> 194.134.131.175 300.887 ms 226.475 ms  290.924 ms

Name:    n926.telekabel.euronet.nl

So...  telekabel.euronet.nl is the owner, and I know they will ignore
any request for tracking it down, so I will ignore it as a simple - and
perhaps even legal - vulnerability scan.  Maybe I will even report it,
but I doubt it.

FC
---------------------------------------------
