IP address question

Joeaksa · 01-18-2007, 08:06 AM

Anyone know how to track this IP address?

I have gotten it this far but havent the slightest idea what it says in line 17.

Joe A

TraceRoute to 71.226.82.73 [c-71-226-82-73.hsd1.fl.comcast.net]
Hop (ms) (ms) (ms) IP Address Host name
1 0 0 0 66.98.244.1 gphou-66-98-244-1.ev1servers.net
2 0 0 0 66.98.241.16 gphou-66-98-241-16.ev1servers.net
3 1 0 0 38.99.206.173 -
4 1 1 2 38.112.35.237 g4-0-0.core01.iah01.atlas.cogentco.com
5 1 3 1 154.54.2.202 t4-1.mpd01.iah01.atlas.cogentco.com
6 43 43 44 154.54.2.165 te2-4.mpd01.dca01.atlas.cogentco.com
7 45 44 44 154.54.2.182 v3491.mpd01.dca02.atlas.cogentco.com
8 45 45 46 154.54.5.46 v3496.mpd01.iad01.atlas.cogentco.com
9 45 46 44 154.54.3.221 g9-0-0-3492.core01.iad01.atlas.cogentco.com
10 40 41 41 192.205.33.201 gr1-a3110s1.attga.ip.att.net
11 38 38 37 12.123.8.190 tbr2033001.wswdc.ip.att.net
12 38 37 39 12.122.10.70 tbr1-cl17.attga.ip.att.net
13 39 37 37 12.123.20.9 gar2-p360.attga.ip.att.net
14 49 48 47 12.124.58.166 -
15 47 47 47 68.86.166.53 -
16 47 48 50 68.86.166.34 ubr01.fruitlandpr.fl.lakecnty.comcast.net
17 57 Timed out 52 71.226.82.73 c-71-226-82-73.hsd1.fl.comcast.net

id10t · 01-18-2007, 08:20 AM

Fitlering ICMP traffic on that hop, probably a home router dropping the packets, etc.

Edit - or the computer/router/whatever that has that IP leased isn't turned on at the moment.

HardDrive · 01-18-2007, 08:24 AM

IP address: 71.226.82.73
Reverse DNS: c-71-226-82-73.hsd1.fl.comcast.net.
Reverse DNS authenticity: [Unknown]
ASN: 22909
ASN Name: DNEO-OSP1
IP range connectivity: 4
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 71.192.0.0 to 71.255.255.255
Country fraud profile: Normal
City (per outside source): Lady Lake, Florida
Country (per outside source): US [United States]
Private (internal) IP? No
IP address registrar: BOGUS
Known Proxy? No

HardDrive · 01-18-2007, 08:37 AM

Port 25 and 110 are open (SMTP and POP).

Joeaksa · 01-18-2007, 08:40 AM

HD,

So the IP address is no good or fake?

This is coming from someone trying to scam me. Caught them and have not paid a penny but trying to find out where its coming from. It was supposed to be a Yahoo email address but keep seeing other IP addresses. Its being sent out of an email program called "The Bat!"

Thx,

Joe A

id10t · 01-18-2007, 09:07 AM

The Bat is a windows email client...

Address is in a pool of dynamic addresses. I just ran nmap on it (port scanner), looks like it is hooked up directly to a windows box with no router/firewall/etc. running.

Code:

root@host:~# nmap -sS -O -PI -PT  71.226.82.73 

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2007-01-18 13:04 EST
Interesting ports on c-71-226-82-73.hsd1.fl.comcast.net (71.226.82.73):
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
1025/tcp open     NFS-or-IIS
1026/tcp open     LSA-or-nterm
1080/tcp filtered socks
5000/tcp open     UPnP
Device type: general purpose
Running: Microsoft Windows 95/98/ME|NT/2K/XP
OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Pro or Advanced Server, or Windows XP

Nmap finished: 1 IP address (1 host up) scanned in 6.454 seconds

HardDrive · 01-18-2007, 09:32 AM

Joe, its a real address.

Joe, there are certain *ahem* actions that could be taken, but seeing as that they are on Comcast, we may have the wrong IP. In other words, they use dynamic addresses, and we may end up targeting the wrong person.

What is this joker trying to do?

Joeaksa · 01-18-2007, 09:53 AM

Will email you directly.

Icemaster · Icemaster's Garage

Quote:

Originally posted by id10t
Address is in a pool of dynamic addresses. I just ran nmap on it (port scanner), looks like it is hooked up directly to a windows box with no router/firewall/etc. running.

Oh really.....?????

This could be fun. How pissed are you at these folks Joe?

id10t · 01-18-2007, 10:03 AM

Icemaster - note that the address is in a dhcp pool, and my scan didn't show 25 or 110 open like harddrive's did... different computer now. No need to mess up some poor granny's collection of pix of her grandkids...

Joeaksa · 01-18-2007, 10:08 AM

Quote:

Originally posted by Icemaster
Oh really.....?????

This could be fun. How pissed are you at these folks Joe?

Quite a bit!

Trying to scam me out of $3000. I figured it out early but would love to turn these jerks into the law.

Icemaster · Icemaster's Garage

Quote:

Originally posted by id10t
Icemaster - note that the address is in a dhcp pool, and my scan didn't show 25 or 110 open like harddrive's did... different computer now. No need to mess up some poor granny's collection of pix of her grandkids...

Yeah, your right. Just did a line by line read on it. If "something" was gonna happen, we probably missed our window of opportunity.

Best thing at this point would be to make Comcast aware of it.

Not that that would do much...

jriera · 01-18-2007, 02:00 PM

Joe that bad finally??

jriera · 01-18-2007, 02:30 PM

My latest nmap scan also shows a port 25 .... I doubt that grandma has an SMTP server setup .... doing a -p- also

Joeaksa · 01-18-2007, 02:49 PM

Jordi,

Nothing new but the request to help by sending $3k came through a few days ago. I have not responded to it but would love to send them to jail or at least get them stopped from trying to screw people on the internet.

jriera · 01-18-2007, 03:04 PM

You told me the story on Monday over dinner ... sad, very sad ...

I think that the IP address still good, based in Florida (Lady Lake ?)

HardDrive · 01-18-2007, 04:57 PM

Quote:

Originally posted by jriera
...

I think that the IP address still good, based in Florida (Lady Lake ?)

That the city, but that does not say much. The subnet is probably only handed out locally. Of course the only real way to tell is get in and do some snooping....which I am not doing from my home IP address this evening thank you

.

Let me do some.....adventuring, tomorrow.

Joeaksa · 01-18-2007, 05:21 PM

Thanks guys.

jriera · 01-18-2007, 06:41 PM

HardDrive .... Cain & Abel ARP functions??

slodave · slodave's Garage

Here is a more recent nmap version scan:

Starting Nmap 4.20 ( http://insecure.org ) at 2007-01-19 00:40 PST
Interesting ports on c-71-226-82-73.hsd1.fl.comcast.net (71.226.82.73):
Not shown: 1687 closed ports
PORT STATE SERVICE
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1080/tcp filtered socks
5000/tcp open UPnP
Device type: general purpose|specialized
Running (JUST GUESSING) : Microsoft Windows 2000|2003 (91%), Symbol Windows PocketPC/CE (86%)
Aggressive OS guesses: Microsoft Windows 2000, SP0, SP1, or SP2 (91%), Microsoft Windows 2000 Server SP4 (90%), Microsoft Windows 2000 SP3 (89%), Microsoft Windows 2000 SP4 (89%), Microsoft Windows 2003 Server SP1 (88%), Symbol MC9060-G mobile computer (runs Microsoft Windows CE .NET 4.20) (86%), Microsoft Windows 2000 Server SP4 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 15 hops

OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 21.820 seconds

Thread Tools
Show Printable Version Email this Page
Rate This Thread
Rate This Thread: