Yes I am back with silly IP questions again ;-) Thanks for the above URL, I ran another IP that FTP'd into my RAQ (crc.xnet.ro[217.10.198.254]). It reports back with the below, that bad part is I don't have any customers in Romania, so now I am on the hunt to chase what they may have done in the 5 mins they were FTP'd in. How do I tell what user they FTP in with? I know how to ps, ps aux, top, who etc. But I am an amateur here and need all the help I can get. % This is the RIPE Whois server. % The objects are in RPSL format. % Please visit http://www.ripe.net/rpsl for more information. % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html % The object shown below is NOT in the RIPE database. % It has been obtained by querying a remote server: % (whois.rotld.ro) at port 43. % To see the object stored in the RIPE database % use the -R flag in your query % %REFERRAL START % whois.rotld.ro : % % Rights restricted by copyright. % % Specifically, this data MAY ONLY be used for Internet operational % purposes. It may not be used for targeted advertising or any % other purpose. % % Este INTERZISA folosirea datelor de pe acest server in oricare % alt scop decat operarea retelei. In special este INTERZISA % folosirea lor in scopuri publicitare. % % No entries found for the selected (s)source. When I go to ripe.net URL above I get the below report, which seems that the FTP client is from Romainia (plus the .ro in the domain :) inetnum: 217.10.198.0 - 217.10.198.255 netname: MOBIFON descr: MobiFon S.A. descr: 3, Nerva Traian Street descr: Complex M101, Sector 3 descr: Bucharest, Romania country: RO admin-c: IOS5-RIPE tech-c: IOS5-RIPE status: ASSIGNED PA notify: [EMAIL PROTECTED] mnt-by: AS12302-MNT changed: [EMAIL PROTECTED] 20001009 source: RIPE regards, Todd Kirk _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
