Hi,
According to my logs, my server had several hack attempts coming from a cPanel server (63.247.79.189). I would like to know whom I should contact to resolve this situation (and if possible take sanctions against the account owner).
Regards.
I just did a little digging on that IP for you, and although there is no PTR reverse map on that IP, if you open a manual telnet connection to port 25 it identifies itself as:
220-cpanel.cihans.com ESMTP Exim 4.52 #1 Thu, 09 Feb 2006 16:14:10 +0200
The important bit there is:
cpanel.cihans.com
The whois for cihans.com is as follows:
Registrant:
qweqwe (CIHANS-COM-DOM)
qweqwe
qweqwe, 123123
Turkey
90.123123123
90.123456
cihan94@hotmail.com
Domain Name: CIHANS.COM
Administrative Contact:
asdfadsf cihan94@hotmail.com
adsfdasf
asdfffdasf, 21312331
Turkey
90.12321312
Fax- 90.123123123
Technical Contact, Zone Contact:
adsfdsafds cihan94@hotmail.com
sdfsdfsdfd
sdfsdfdsf, 3211234
Turkey
90.321432423
Fax- 90.123456
Record last updated on 02-Feb-2006.
Record expires on 17-Jan-2007.
Record created on 17-Jan-2005.
Domain servers in listed order:
Name Server: ns1.cihans.com
Name Server: ns2.cihans.com
You should try the email address but I wouldn't hold out too much hope there.
The other option is to complain to the IP block owner as they can remove connectivity to the server and usually get a result. The IP is registered to:
OrgName: Global Net Access, LLC
OrgID: GNAL-2
Address: 55 Marietta St, NW
Address: Suite 1720
City: Atlanta
StateProv: GA
PostalCode: 30303
Country: US
ReferralServer: rwhois://rwhois.gnax.net:4321
NetRange: 63.247.64.0 - 63.247.95.255
CIDR: 63.247.64.0/19
NetName: GNAXNET
NetHandle: NET-63-247-64-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.GNAX.NET
NameServer: DNS2.GNAX.NET
Comment: Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Comment: Comment: ********************************************
Comment: Comment: Reassignment information for this block is
Comment: Comment: available at rwhois.gnax.net port 4321
Comment: Comment: ********************************************
RegDate: 2003-04-11
Updated: 2004-02-06
OrgAbuseHandle: ABUSE745-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-404-230-9150
OrgAbuseEmail: abuse@gnax.net
OrgTechHandle: ENGIN7-ARIN
OrgTechName: Engineering
OrgTechPhone: +1-404-230-9150
OrgTechEmail: engineering@gnax.net
# ARIN WHOIS database, last updated 2006-02-08 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
They, abuse@gnax.net, look like a much better bet to talk to about this and get something done.
Nice bit of investigative work!
Jonathan Michaelson
Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
Thanks for these details. I'm gonna check gnax.net.