[156034] in North American Network Operators' Group
RE: 91.201.64.0/22 hijacked?
daemon@ATHENA.MIT.EDU (Schiller, Heather A)
Tue Sep 4 16:35:48 2012
From: "Schiller, Heather A" <heather.schiller@verizon.com>
To: Jeroen van Aart <jeroen@mompl.net>, NANOG list <nanog@nanog.org>
Date: Tue, 4 Sep 2012 16:34:59 -0400
In-Reply-To: <504104A6.5070705@mompl.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
It does not sound as though the original holders of the space know/care - if they are out of business, they probably don't care. If they are actively involved in it, then it's not a hijack. If they haven't updated their company name/website, then it's not a hijack, just poor record keeping.
If you suspect the address space is abandoned, or hijacked, report it to RIPE. It may not get deallocated and reassigned until a few months after the bill stops getting paid.
--Heather
-----Original Message-----
From: Jeroen van Aart [mailto:jeroen@mompl.net]
Sent: Friday, August 31, 2012 2:39 PM
To: NANOG list
Subject: 91.201.64.0/22 hijacked?
The below email exchange may be of interest to some of you. The practical upshot is that it appears "the 91.201.64.0/22 range was hijacked and should be included into the DROP list".
As an interesting aside, quoting a friend:
"the original company (that performed dangerous waste utilization) may have been a shady thing in and of itself (..) what most companies calling themselves "ecoservice" (with variations) do is take money for "safe utilisation" of hazardous waste, and then dump it in some old quarry out in the remote (or not so remote) corner of a forest or other natural area (..) they always have criminal links and protection from corrupt officials (often co-owners) and security/law enforcement services"
> From: Jeroen van Aart
> there is
> nothing but crap coming from 91.201.64.0/24. Amongst other things
> attempts to spam (through) wordpress sites.
> inetnum: 91.201.64.0 - 91.201.67.255
> netname: Donekoserv
> descr: DonEkoService Ltd
Don - name of the nearby large river.
"EkoService" means ecological service.
> country: RU
> org: ORG-DS41-RIPE
>
> person: Haralevich Piotr
> address: novocherkassk, ul stremyannaya d.6
> mnt-by: MNT-DONECO
> phone: +74951000000
nic-hdl: HP2220-RIPE
changed: admin@donecoserv.ru 20101117
The company performed dangerous waste utilization:
http://donekoservis.alloy.ru/contacts/
http://www.idbo.ru/view/72321/
But domains donecoserv.ru and donekoservis.ru don't exist anymore.
traceroute 91.201.64.14
...
11 router02.spbbm18.ru.edpnet.net (212.71.11.26) 65.979 ms 65.971 ms 66.182 ms
12 77.109.110.62.static.edpnet.net (77.109.110.62) 88.868 ms 47.809 ms 47.715ms
13 195.2.240.234 (195.2.240.234) 48.235 ms 48.546 ms 48.664 ms
14 ajursrv.parohod.biz (95.215.0.206) 47.957 ms 47.752 ms 47.606 ms
15 mail.rx-helps.com (91.201.64.14) 48.206 ms 48.302 ms 48.237 ms
SPb (Sankt-Peterburg) is 1500 km from Novocherkassk.
parohod.biz also is in Sankt-Peterburg, they offer SEO (which I consider fraud, spamming websites and search engines).
Also, see
http://support.clean-mx.de/clean-mx/viruses.php?email=admin@donecoserv.ru&response=
http://www.spambotsecurity.com/forum/viewtopic.php?f=7&t=795
http://unapprovedpharmacy.wordpress.com/2011/01/03/whois-www-canadianmedsshop-com/
| January 3, 2011
...
| inetnum: 91.201.64.0 91.201.67.255
| netname: Donekoserv
| descr: DonEkoService Ltd
| country: RU
| org: ORG-DS41-RIPE
...
| organisation: ORG-DS41-RIPE
| org-name: DonEko Service
| org-type: OTHER
| address: novocherkassk, ul stremyannaya d.6
| e-mail: admin@bulletproof-web.com
Note "bulletproof".
Therefore, the 91.201.64.0/22 range was hijacked and should be included into the DROP list.
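
The whois cross-check walked through in the thread above, as an added example that is not part of the original messages: it parses the quoted RPSL attributes, converts the inetnum range to CIDR, and lists the contact-record inconsistencies worth including in a report to the RIR. The sample text is constructed from the attributes quoted above; the function names and the `dead_domains` input (domains the analyst has already found not to resolve) are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: RPSL attributes as quoted in the thread.
WHOIS_TEXT = """\
inetnum: 91.201.64.0 - 91.201.67.255
netname: Donekoserv
descr: DonEkoService Ltd
org: ORG-DS41-RIPE
changed: admin@donecoserv.ru 20101117

organisation: ORG-DS41-RIPE
org-name: DonEko Service
e-mail: admin@bulletproof-web.com
"""

def parse_rpsl(text):
    """One list of (attribute, value) pairs per blank-line-separated object."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        attrs = [(k.strip().lower(), v.strip()) for k, sep, v in pairs if sep]
        if attrs:
            objects.append(attrs)
    return objects

def inetnum_to_cidrs(value):
    """'first - last' range as written in an inetnum attribute -> CIDR blocks."""
    first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
    return list(ipaddress.summarize_address_range(first, last))

def contact_domains(objects):
    """Domains of every mailbox found in e-mail: and changed: attributes."""
    found = set()
    for attrs in objects:
        for key, value in attrs:
            m = re.search(r"[\w.+-]+@([\w.-]+)", value)
            if key in ("e-mail", "changed") and m:
                found.add(m.group(1).lower())
    return found

def review(text, dead_domains):
    """Return (cidrs, findings); findings are indicators, not proof of a hijack."""
    objects = parse_rpsl(text)
    cidrs = [c for attrs in objects for k, v in attrs
             if k == "inetnum" for c in inetnum_to_cidrs(v)]
    domains = contact_domains(objects)
    findings = [f"contact domain no longer resolves: {d}"
                for d in sorted(domains & set(dead_domains))]
    if len(domains) > 1:
        findings.append("contact domains differ across objects: "
                        + ", ".join(sorted(domains)))
    return cidrs, findings
```

Calling `review(WHOIS_TEXT, {"donecoserv.ru", "donekoservis.ru"})` yields the /22 and two findings; stale or mismatched contacts can also be plain poor record keeping, so the output is evidence to send to the registry, not a verdict.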