RE: FTP back in Vogue?

From: John Rodley (rfpat_private)
Date: Wed Mar 13 2002 - 18:49:52 PST

    I'm seeing persistent FTP attempts from an IP (217.8.137.183) that resolves
    to:
    
    	exploit.rootwhores.org
    
    Anyone know what's going on with this domain?  Is this a blackhat with no
    stealth instinct, or a completely compromised (including DNS) good guy?
    Attached is whois info.
    
    John Rodley
    
    
    ----------------------------------------------------------------------------
    Registrar:domaininfo.com
    Domain Name: rootwhores.org
    
    [Owner of domain]
    iTnetworks
    Dronnings gt. 15
    Larvik,  3260
    NO
    
    [Administrative contact]
    Samuelsen, Benny
    Visual Web Norge DA
    Hans Kiærsgate 6
    3041 Drammen
    NO
    
    Email: hostmaster@visual-web.no
    Phone: 47 32 260200
    Fax: 47 32 811355
    
    [Technical contact]
    Samuelsen, Benny
    Visual Web Norge DA
    Hans Kiærsgate 6
    3041 Drammen
    NO
    
    Email: hostmaster@visual-web.no
    Phone: 47 32 260200
    Fax: 47 32 811355
    
    [Zone contact]
    Samuelsen, Benny
    Visual Web Norge DA
    Hans Kiærsgate 6
    3041 Drammen
    NO
    
    Email: hostmaster@visual-web.no
    Phone: 47 32 260200
    Fax: 47 32 811355
    
    
    Record created: 18 Dec 2001
    Record last changed: 18 Dec 2001
    Domain expires: 18 Dec 2003
    
    Primary name server:   ns1.nameserveren.com (195.159.151.21)
    Secondary name server: ns2.nameserveren.com (195.159.151.12)
    The previous information has been obtained either directly from the
    registrant or a registrar of the domain name other than Network Solutions.
    Network Solutions, therefore, does not guarantee its accuracy or
    completeness.
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 08:49:48 PST