21 October 2001: See also "Safeweb Bandwidth Splitting:"

http://cryptome.org/safeweb-split.htm

21 October 2001: Add comments.
20 October 2001: Add comments.
19 October 2001: Add comment.

19 October 2001

64.124.150.130 is a SafeWeb IP address. See related:

http://cryptome.org/riaa-safeweb.htm
http://cryptome.org/riaa-anongo.htm
http://cryptome.org/safeweb-anongo.htm (updated 21 October 2001)


From: Dan
To: <jya@pipeline.com>
Subject: 64.124.150.130 Location
Date: Fri, 19 Oct 2001 00:28:33 -0400

64.124.150.130 appears to be located physically in the Bahamas as far as I can tell.


From: <jya@pipeline.com>
To: Dan
Sent: Friday, October 19, 2001 8:43 AM
Subject: Re: 64.124.150.130 Location

Now that is most interesting. I accept your word for it but would like to know how you find a physical location for an IP address beyond what is in the public records.


From: Dan
To: <jya@pipeline.com>
Subject: Re: 64.124.150.130 Location
Date: Fri, 19 Oct 2001 11:25:48 -0400

Funny you should mention locating a physical address that is publicly located. I noticed something interesting that happened after I pinged the site "64.124.150.130": My Virus Scanning Software picked up a java script containing a Trojan type virus similar to "Seeker.gen". The originating web address for the java script was 206.138.18.108. An attempt to download the trojan comes from that address and original address in question. It seems that they are trying to hack into my pc and put a hidden URL for my browser to connect to, probably to monitor internet activity or to look at the HD.

But this is what I believe the SafeWeb primary server to be:

UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136) NETBLK-UUNETCBLK136
       206.136.0.0 - 206.139.255.255
Digital Systems (Bahamas) Ltd./Internet Bahamas LTD. (NETBLK-UU-206-138-16)
UU-206-138-16
       206.138.16.0 - 206.138.31.255

I think my activity must have spurred someone's curiosity there. I isolated the Seeker Virus that was downloaded to

C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\8A1I57AL\DEFAULT[1].JS 

on my computer (IE5) before it could be activated. I then reconnected back to the net with a different IP address and lo and behold, the second I started my browser, the Java File tried to set up a connection to the site in the Bahamas and attempt a portscan, finally trying to settle on my local port 4816.

I deleted the java script program, checked for alterations of my system and registry in general as a precaution (there were none), removed hidden URLs and unlinked files, deleted *Cookies/index.dat and then rebooted. There was no activity from that Bahamian location. I pinged the address 64.124.150.130 and then I got portscanned by 206.25.48.59, who is:

Cable & Wireless USA (NETBLK-CW-05BLK) CW-05BLK    
         206.24.0.0 - 206.31.255.255
The River Internet Access Co. (NETBLK-CW-206-25-48) CW-206-25-48
         206.25.48.0 - 206.25.51.255
New Horizons Tucson (NETBLK-RIVR-NETBLK-NEWHORIZ4) RIVR-NETBLK-NEWHORIZ4
         206.25.48.0 - 206.25.48.127

This site attempted to download the very same nasty little java script to my computer. It would seem that these two operations are in partnership.

I emailed the respective site administrators and told them to stop trying to hack my computer and their activity promptly stopped within minutes although I never got a response from them. I think that someone there was curious as to how I located a certain server. Funny part is that it was quite accidental that I did and only because they tried to take a look at me. It's actually an interesting tactic that I used to use years ago (it had nothing to do with computers, though) to find out who was snooping around: I found that if I snooped around enough eventually you will catch someone's attention and they will try to take a look at you and that's when they expose themselves.

Also, if you visit certain sites, you will almost invariably have someone attempt to put this seeker trojan into your temporary internet files. My virus scanner picked up an attempt to download the same virus from this site:

http://www.geocities.com/SiliconValley/Vista/8015/free.html 

and it all led back again to the same server in the Bahamas.

I've been having a lot of fun with this as I haven't really worked with computers for about 15 years (remember OCL I and II? and IBM 36 Mainframes? Dinosaurs! LOL!) and things have changed quite a bit!

I'm almost curious enough to set up my old Gateway to Hell computer and let these guys in to see just what they are up to.


Date: Fri, 19 Oct 2001 11:31:55 -0700
From: V
To: jya@pipeline.com
Subject: safeweb trojan

[QUOTED TEXT]

Funny you should mention locating a physical address that is publicly located. I noticed something interesting that happened after I pinged the site "64.124.150.130": My Virus Scanning Software picked up a java script containing a Trojan type virus similar to "Seeker.gen". The originating web address for the java script was 206.138.18.108. An attempt to download the trojan comes from that address and original address in question. It seems that they are trying to hack into my pc and put a hidden URL for my browser to connect to, probably to monitor internet activity or to look at the HD. ...

[END QUOTE]

That's some nonsense right there, it doesn't work that way. The 64.124.150.130 isn't located in the Bahamas, it's at AboveNet in San Jose with the rest of Safeweb's equipment, just like they claim (this can be verified using VisualTraceroute, http://visualroute.visualware.com/).

Sure, it's possible that the folks of Safeweb whipped up a script that sends the IPs of machines that have pinged them, to a server in the Bahamas, and then engages in seriously shady behavior from there, but this scenario is highly unlikely.

Also, as you may have noticed, his use of 'download' is out of context: he most certainly means 'upload', and in this instance, it's a very important distinction, being that as far as browsers are concerned, they operate by rather different mechanisms. Downloading implies that he requested the files that were sent, whereas uploading implies that the other side initiated the transfer (browsers, and HTTP in general, do not allow for outside machines to upload files to your machine unless you've already sent a request for said files: essentially, the browser won't accept stuff from a sender that it isn't already listening for).

A more likely scenario:

At some point he visited a scam site or porn site that tried to install some dialer software (a common porn site scam: they use some ActiveX to install a dialer that calls up a POP in Rumania or the Bahamas or somesuch using their leased long-distance circuit, so they reap the toll calls). This would account for some of the "trojan" stuff he found in his tempdir. While it is possible for someone to compromise his system security and surreptitiously implant files, it is seriously unlikely that someone would place them in his IE tempdir, as there are much better places to hide that sort of thing; the fact that he found it in his tempdir implies that a site he visited implanted the code there. It doesn't have to be a porn dialer though: plenty of other sites use malicious java and javascript and the like to reset your default startpage and other nonsense like that.

It's also worth noting that, due to the nature of their layout, most cablemodem networks are prone to port-scanning anyway, as they're easy targets.

I realize this isn't the most coherent attempt at rebuffing his claims, but just the same, I feel that post is some serious disinformation, "a little knowledge is a dangerous thing" etc., etc.  A lot of stuff in the Safeweb thread has been; a lot of people with slim technical knowledge posting stuff that looks sorta impressive, but actually mostly devoid of fact or technical merit.


From: mike
Date: Sat, 20 Oct 2001 12:59:17 -0400

In the latest exchange on 64.124.150.130 on Cryptome, 'V' is absolutely correct.... Dan is just not technically proficient enough to understand what is happening.

The Javascript that he is referring to is technically a virus, although it's one of the somewhat rare class of commercial (as opposed to malicious-only) virii out there.

For more info, see

http://www.symantec.com/avcenter/venc/data/js.alert.trojan.html

(although there are a number of other Javascript trojans besides this one).

I'd be careful about posting stuff like Dan's commentary -- I don't believe Dan is anything other than a well-meaning novice, but this kind of thing is especially pernicious because it has the patina of reality.


From: R
Date: 20 October 2001

I did some lookups on some of the IP addresses that are on your site in posts related to the Safeweb subject.

When I can be of any help to de-bug Safeweb SNAKE-OIL service, tell me what you may need, and I will do what I can, to help you.

Additionally, Safeweb is informing its users that Safeweb is keeping ALL logs for 10 days. The company owner, Mr Hsu did say 7 days.

"Privacy policy and handling of data

SafeWeb servers do not log any user content only incoming and outgoing IP addresses. This information is necessary for security reasons to see who is attacking us or abusing our network. The logs of incoming and outgoing IPs are stored separately and encrypted. After 7-10 days, they are destroyed in an unrecoverable manner. "

Additionally, CIA indicated that: [ Mr Christopher Tucker, chief strategic officer in In-Q-Tel ]

"but he didn't deny that Triangle Boy could be used in other aspects of the agency's mission, such as gathering information on terrorists and other  operations it deems suspicious."

My comment: How may info gathering on an ANONYMOUS citizen be linked to terrorists? It is PROFILING in its pure form.

My comment: When the Safeweb purpose is to gather citizens' information, it is not here to protect the privacy of citizens, therefore Mr Hsu's mantra of "leading privacy provider" has no merit; at least it may be applicable to protection of privacy for CIA and NSA assets, which we all know already.

My comment: When Safeweb is using JAVA + JAVA SCRIPTS as the condition of their SPY service, by default all their service is UN-SECURE by definition. There is no need to request, as a condition for use of SSL, that Java & Java Scripts be turned ON. When this is a REAL privacy service, these UN-SECURE features must be turned OFF, but Safeweb is just doing the opposite. Normally these 2 features are used for enhancement purposes, but at the flick of a finger, both may be used to create real sinister damage to the user environment. This risk is REAL and very well documented, not to mention that it is in use for those sinister purposes. The people who will be the victims of these services are people who prefer HTML emails instead of TEXT, and normally they would be the users of the Safeweb service.

My comment: From what they are saying and providing, that is another NSA, CIA and maybe FBI service, equivalent to the Swiss Crypto AG scandal.

My comment: When the sole purpose of keeping logs for 10 days [ 2 business weeks! ] is to protect itself against attacks, it's very stupid to wait 2 weeks to respond to an attack when the company is attacked just right NOW. When DoS or DDoS is instigated NOW, it is appropriate to keep logs NOW or in the future, of ATTACKERS and NOT privacy seekers. We don't need a space science doctorate to distinguish between ATTACKERS and PRIVACY protection users.

My comment: Isn't CIA part of DoD ?

Isn't CIA part of USA Government ?

What is the primary difference between DoD & CIA & USA Government ?

Mr Hsu comment was just funny.

My comment: Doesn't he understand that his company is doing excellent business for CIA & NSA, but his logging and log retention for the period of 10 days [ how could you, Mr Young, be sure that logs are not kept for a longer or indefinite period? ] is against normally acceptable privacy protection services?

My comment: The spin-off and extensive PR created by really stupid people who don't have any knowledge of what real privacy should mean, and how that real privacy needs to be achieved, are helping pigs to be slaughtered in the abattoir house.

My comment: The real web surfing privacy protection company, ZKS, which has been forced to close this type of service, provided its service based on a dependable anonymous mix service. ZKS did not provide an SSL proxy, as the Safeweb company is providing while claiming protection of user privacy by logging all connection details, in IP & out IP [ coming FROM, going TO addresses ].

My comment: When ZKS started its service, CIA & NSA didn't ask them to secure CIA & NSA assets. As a matter of fact, CIA and NSA should & would allocate $1 mil dollars to purchase 20,000 valid licenses for ZKS services. What CIA & NSA would get would be the most secure and un-traceable web surfing service, not a mere SSL proxy, but they didn't do that. Why didn't they? The answer is very simple: CIA & NSA's primary reason to sign Safeweb was to spy on innocent and un-informed citizens, with the secondary purpose to protect their own tracks. I don't believe in this secondary reason. Why? Because we have much better and completely un-traceable ways of communication, and an SSL proxy is not one of them. The SSL proxy is secure between end points, but it is not un-traceable; Safeweb is keeping all logs for 10 days.

My comment: When logs are kept, logs can be stolen. When logs can be stolen, logs can be compromised. The professionals, SPIES, at CIA & NSA know what it says in their SPY BOOKS.

In short, it's very intelligent & high class SNAKE - OIL, equivalent to Crypto AG.

=========================

The trace information that may be of interest to you.

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

dns 64.124.150.130

64.124.150.130 has dubious reverse DNS of 64.124.150.130.safeweb.com - which is a valid hostname, but not one that resolves to 64.124.150.130

Trying whois -h whois.arin.net 64.124.150.130

     Abovenet Communications, Inc. (NETBLK-ABOVENET)
     50 W. San Fernando Street, Suite 1010 
     San Jose, CA 95113         US
     Netname: ABOVENET
     Netblock: 64.124.0.0 - 64.125.255.255
     Maintainer: ABVE
     Coordinator:  Metromedia Fiber Networks/AboveNet  (NOC41-ORG-ARIN)  noc@ABOVE.NET
     408-367-6666
     Fax- 408-367-6688

     Domain System inverse mapping provided by:

     NS.ABOVE.NET 207.126.96.162
     NS3.ABOVE.NET 207.126.105.146

     ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE


traceroute 64.124.150.130

      3    198.32.146.21    2.751 ms   mae-la.above.net [AS226] USC/Information Sciences Institute, regional network, Los Nettos
      4    216.200.0.166    14.580 ms  sjc1-lax1-oc3.sjc1.above.net [AS6461] Primary AS for Abovenet
      5    216.200.0.178    14.522 ms  core1-sjc1-oc48.sjc2.above.net [AS6461] Primary AS for Abovenet
      6    208.184.102.202  14.647 ms  core4-core1-oc48.sjc2.above.net [AS6461] Primary AS for Abovenet
      7    208.184.102.178  31.452 ms  sea1-sjc2-oc48-2.sea1.above.net [AS6461] Primary AS for Abovenet
      8    216.200.127.65   101.633 ms lga1-sea1-oc48.lga1.above.net [AS6461] Primary AS for Abovenet
      9    208.185.0.246    101.964 ms core1-lga1-oc192.lga2.above.net [AS6461] Primary AS for Abovenet
     10    216.200.127.154  101.361 ms main1colo45-core1-oc48.lga2.above.net [AS6461] Primary AS for Abovenet
     11    208.184.48.173   110.696 ms 208.184.48.173.safeweb.com (Fake rDNS) [AS6461] Primary AS for Abovenet
     12    10.100.0.2       111.820 ms DNS error
     13 ***     failed     
     14 ***     failed     
     15 ***    aborting    

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

dns 206.138.18.108

206.138.18.108 has no reverse DNS configured.

Trying whois -h whois.arin.net 206.138.18.108

     UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136) NETBLK-UUNETCBLK136
     206.136.0.0 - 206.139.255.255
     Digital Systems (Bahamas) Ltd./Internet Bahamas LTD. (NETBLK-UU-206-138-16) UU-206-138-16
     206.138.16.0 - 206.138.31.255

     To single out one record, look it up with "!xxx", where xxx is the
     handle, shown in parenthesis following the name, which comes first.


traceroute 206.138.18.108

      3    198.172.117.161  2.784 ms   DNS error [AS2914] Verio
      4    129.250.29.126   3.582 ms   ge-6-2-0.r00.lsanca01.us.bb.verio.net [AS2914] Verio
      5    129.250.2.25     12.971 ms  p4-2-0-0.r01.snjsca03.us.bb.verio.net [AS2914] Verio
      6    129.250.2.62     13.143 ms  p16-3-0-0.r04.snjsca03.us.bb.verio.net [AS2914] Verio
      7    129.250.3.34     16.49 ms   p4-0-1-0.r00.scrmca01.us.bb.verio.net [AS2914] Verio
      8    129.250.9.98     16.915 ms  p4-0.uunet.scrmca01.us.bb.verio.net [AS2914] Verio
      9    152.63.52.250    17.138 ms  0.so-2-0-0.XL1.SAC1.ALTER.NET (DNS error) [AS701] Alternet
     10    152.63.53.250    16.620 ms  0.so-3-0-0.TL1.SAC1.ALTER.NET (DNS error) [AS701] Alternet
     11    152.63.145.229   91.640 ms  0.so-7-0-0.TL1.DCA6.ALTER.NET (DNS error) [AS701] Alternet
     12    152.63.38.70     91.348 ms  0.so-6-0-0.XL1.DCA6.ALTER.NET (DNS error) [AS701] Alternet
     13    152.63.38.86     91.832 ms  0.so-7-0-0.XR1.DCA6.ALTER.NET (DNS error) [AS701] Alternet
     14    152.63.33.13     92.603 ms  185.at-5-0-0.XR1.DCA1.ALTER.NET (DNS error) [AS701] Alternet
     15    152.63.35.237    92.971 ms  195.ATM6-0.GW5.DCA1.ALTER.NET (DNS error) [AS701] Alternet
     16    206.138.16.101   646.430 ms DNS error [AS701] Alternet
     17    206.138.16.34    653.594 ms DNS error [AS701] Alternet
     18 ***     failed     
     19 ***     failed     
     20 ***    aborting    

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

dns 64.124.150.130.safeweb.com

64.124.150.130.safeweb.com resolves to 65.107.16.45

www.64.124.150.130.safeweb.com resolves to 65.107.16.45

Trying whois -h whois.arin.net 64.124.150.130.safeweb.com

No match for "64.124.150.130.SAFEWEB.COM".

whois -h magic 65.107.16.45

64.124.150.130.safeweb.com resolves to 65.107.16.45

Trying whois -h whois.arin.net 65.107.16.45

     Concentric Network Corporation (NETBLK-CONCENTRIC-BLK6)
     1400 Parkmoor Avenue 
     San Jose, CA  95126-3429         US

     Netname: CONCENTRIC-BLK6
     Netblock: 65.104.0.0 - 65.107.255.255
     Maintainer: CRC

     Coordinator:
     DNS and IP ADMIN  (DIA-ORG-ARIN)  hostmaster@CONCENTRIC.NET
     (408) 817-2800
     Fax- - - (408) 817-2630

     Domain System inverse mapping provided by:

     NAMESERVER1.CONCENTRIC.NET 207.155.183.73
     NAMESERVER2.CONCENTRIC.NET 207.155.184.72
     NAMESERVER3.CONCENTRIC.NET 206.173.119.72
     NAMESERVER.CONCENTRIC.NET 207.155.183.72

     ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

traceroute 64.124.150.130.safeweb.com

64.124.150.130.safeweb.com resolves to 65.107.16.45

      3    198.32.146.12    3.295 ms   mae-la.px.concentric.net [AS226] USC/Information Sciences Institute, regional network, Los Nettos
      4    64.220.0.82      3.196 ms   ge10-0.tran2.lax-ca.us.xo.net [AS2828] XO Communications, Inc.
      5    64.0.0.9         11.633 ms  p1-0.tran2.pal-ca.us.xo.net [AS2828] XO Communications, Inc.
      6    64.220.0.19      11.60 ms   ge0-0.dist1.pal-ca.us.xo.net [AS2828] XO Communications, Inc.
      7    64.0.0.110       11.620 ms  DNS error [AS2828] XO Communications, Inc.
      8    65.105.231.2     13.898 ms  DNS error [AS2828] XO Communications, Inc.
      9    65.107.32.30     19.853 ms  DNS error [AS2828] XO Communications, Inc.
     10 ***     failed     
     11 ***     failed     
     12 ***    aborting    

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

dns 65.107.16.45

65.107.16.45 has no reverse DNS configured.

Trying whois -h whois.arin.net 65.107.16.45

     Concentric Network Corporation (NETBLK-CONCENTRIC-BLK6)
     1400 Parkmoor Avenue 
     San Jose, CA  95126-3429         US

     Netname: CONCENTRIC-BLK6
     Netblock: 65.104.0.0 - 65.107.255.255
     Maintainer: CRC

     Coordinator:
     DNS and IP ADMIN  (DIA-ORG-ARIN)  hostmaster@CONCENTRIC.NET
     (408) 817-2800
     Fax- - - (408) 817-2630

     Domain System inverse mapping provided by:

     NAMESERVER1.CONCENTRIC.NET 207.155.183.73
     NAMESERVER2.CONCENTRIC.NET 207.155.184.72
     NAMESERVER3.CONCENTRIC.NET 206.173.119.72
     NAMESERVER.CONCENTRIC.NET 207.155.183.72

     ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE


traceroute 65.107.16.45

      3    198.32.146.12    3.55 ms    mae-la.px.concentric.net [AS226] USC/Information Sciences Institute, regional network, Los Nettos
      4    64.220.0.82      3.303 ms   ge10-0.tran2.lax-ca.us.xo.net [AS2828] XO Communications, Inc.
      5    64.0.0.9         11.79 ms   p1-0.tran2.pal-ca.us.xo.net [AS2828] XO Communications, Inc.
      6    64.220.0.19      11.8 ms    ge0-0.dist1.pal-ca.us.xo.net [AS2828] XO Communications, Inc.
      7    64.0.0.110       11.737 ms  DNS error [AS2828] XO Communications, Inc.
      8    65.105.231.2     13.713 ms  DNS error [AS2828] XO Communications, Inc.
      9    65.107.32.30     17.822 ms  DNS error [AS2828] XO Communications, Inc.
     10 ***     failed     
     11 ***     failed     
     12 ***    aborting    

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
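The "dubious reverse DNS" and "(Fake rDNS)" remarks in the trace above rest on one check: a PTR answer only says something about an address when the hostname it returns resolves back to that same address (forward-confirmed reverse DNS). The following is an added example, not part of this thread or of the lookup tool whose output is quoted; it encodes that check and classifies the outcomes, including the "no reverse DNS configured" case seen for 206.138.18.108. The lookup tables are constructed offline approximations of the answers quoted above (an assumption, not live DNS; the two example.net hosts are invented), and the `system_*` helpers show how the same check would be run through the OS resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Added example, not from the Cryptome thread or any tool used in it.
A PTR record can name any hostname its owner likes, including one in
someone else's domain, so rDNS on its own is not evidence of who runs
an address. The check: resolve the PTR hostname forward and see whether
the original address is among its answers.
"""
import socket
from typing import Callable, List, Optional

PtrLookup = Callable[[str], Optional[str]]   # ip -> hostname or None
FwdLookup = Callable[[str], List[str]]       # hostname -> list of ips

# Constructed offline table approximating the thread's lookups (assumption,
# not live DNS; the example.net entries are invented for the edge cases).
FAKE_PTR = {
    "64.124.150.130": "64.124.150.130.safeweb.com",  # quoted in the thread
    "192.0.2.10": "honest.example.net",             # constructed, consistent
    "203.0.113.7": "ghost.example.net",             # constructed, no A record
}
FAKE_A = {
    "64.124.150.130.safeweb.com": ["65.107.16.45"],  # quoted in the thread
    "honest.example.net": ["192.0.2.10"],
}

def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_forward(host: str) -> List[str]:
    return FAKE_A.get(host, [])

def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; pass this in to check live DNS."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def system_forward(host: str) -> List[str]:
    """A-record lookup through the OS resolver."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except (socket.herror, socket.gaierror):
        return []

def check_fcrdns(ip: str, ptr: PtrLookup = fake_ptr,
                 forward: FwdLookup = fake_forward) -> dict:
    """Classify an address's reverse DNS.

    status:
      no-ptr           nothing configured (206.138.18.108 in the trace above)
      ptr-unresolvable PTR names a host with no address records
      confirmed        hostname resolves back to ip; FCrDNS passes
      unconfirmed      hostname resolves elsewhere; treat the name as decoration
    """
    name = ptr(ip)
    if name is None:
        return {"ip": ip, "ptr": None, "forward": [], "status": "no-ptr"}
    addrs = forward(name)
    if not addrs:
        status = "ptr-unresolvable"
    elif ip in addrs:
        status = "confirmed"
    else:
        status = "unconfirmed"
    return {"ip": ip, "ptr": name, "forward": addrs, "status": status}

def looks_self_describing(ip: str, name: Optional[str]) -> bool:
    """True when the PTR hostname merely embeds the address it was set on."""
    return name is not None and name.startswith(ip + ".")

if __name__ == "__main__":
    for ip in ("64.124.150.130", "206.138.18.108", "192.0.2.10", "203.0.113.7"):
        r = check_fcrdns(ip)
        flag = "  (address embedded in name)" if looks_self_describing(ip, r["ptr"]) else ""
        print(f"{ip:16} {r['status']:17} ptr={r['ptr']} forward={r['forward']}{flag}")
```

Against the constructed table, 64.124.150.130 comes back `unconfirmed`: its PTR names 64.124.150.130.safeweb.com, which resolves to 65.107.16.45 in a different netblock, exactly the situation the trace flags. To run it against live DNS, call `check_fcrdns(ip, system_ptr, system_forward)`.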


From: M
Date: 20 October 2001

How to determine physical location?

The answer is simple; it's impossible.

When law-enforcement agencies trace users they often go to the ISPs directly, and the ISP can then determine physical location through their own (non-standard, non-public) databases. These databases can associate an IP with a certain time/phone number for dialup users (and the telephone company can trace the phone number to a physical location), and with a certain physical plug for permanently connected users.

Remark, say a computer goes wild and starts spamming something.gov with a DoS-attack. It stamps every packet with a 0.0.0.0 source address. Can it be traced? Sure. But this will be extremely hard for "normal users" or even for "normal admins". The way to go would be to go back router by router and see from where the stream is coming.

Also, if I really wanted to be anonymous I would not connect from any account with my name on it. In Sweden you can just enter any public library and get free anon access. Or a school? Or just open a phonelines hub (in Sweden they are everywhere along the streets if you know what to look for). The thing is, it is and will always be impossible to trace a user, and a server goes pretty much under the same rules.

Note, the physical location used by visualroute software is based entirely on an optional field in the global whois database (not 100% sure, it could be a field in the ARIN database too). This field allows any admin to enter long/lat of his server.

So, anyway the bottom line is that it's really impossible to tell whether the admin is telling the truth or not. In this particular case I do not think your "hacker" even went this far, as you can figure it out by just doing a simple web-based query on the IP.

Surf to www.arin.net (American Registry for Internet Numbers) (or to www.ripe.net for Europe)

or directly to;

http://www.arin.net/whois/

And enter the "Bahamas-IP", this will display:

UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136)
NETBLK-UUNETCBLK136
206.136.0.0 - 206.139.255.255
Digital Systems (Bahamas) Ltd./Internet Bahamas LTD.
(NETBLK-UU-206-138-16) UU-206-138-16
206.138.16.0 - 206.138.31.255

So, this guy is very likely just guessing (after seeing the (Bahamas) note in the whois field). I can't see how he can be any more certain than you or me.
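The whois answer quoted above is two nested records, and the one to read is the narrowest block that contains the queried address; its registrant name (here with "(Bahamas)" in it) says who the block was allocated to, not where a particular host sits. The following is an added example, not from this thread or from ARIN's own tooling: it parses ARIN's 2001-era plain "org (HANDLE)" / "start - end" layout, with names wrapped across lines as they are above, and picks the most specific matching netblock. The sample text is constructed from the lines quoted above; the parser assumes that layout and nothing else.

```python
"""Most-specific ARIN netblock for an address.

Added example, not from the Cryptome thread or ARIN. Parses the plain
two-record layout quoted above and selects the narrowest range that
contains a given address. The sample is constructed from the thread.
"""
import ipaddress
import re

# Constructed sample: the records quoted above for the "Bahamas IP".
SAMPLE_WHOIS = """\
UUNET Technologies, Inc. (NETBLK-NETBLK-UUNETCBLK136)
NETBLK-UUNETCBLK136
206.136.0.0 - 206.139.255.255
Digital Systems (Bahamas) Ltd./Internet Bahamas LTD.
(NETBLK-UU-206-138-16) UU-206-138-16
206.138.16.0 - 206.138.31.255
"""

# A line that is nothing but "a.b.c.d - a.b.c.d" closes one record.
RANGE_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")
# In this layout the netblock handle is parenthesised and starts with NETBLK-,
# which keeps "(Bahamas)" in an org name from being mistaken for a handle.
HANDLE_RE = re.compile(r"\((NETBLK-[A-Z0-9-]+)\)")

def parse_arin_netblocks(text: str) -> list:
    """Return [{org, handle, start, end, size}] in the order printed."""
    records, pending = [], []
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            if line.strip():
                pending.append(line.strip())  # org name and handle may wrap
            continue
        start, end = (ipaddress.IPv4Address(g) for g in m.groups())
        if end < start:
            raise ValueError(f"inverted range: {line.strip()}")
        desc = " ".join(pending)
        h = HANDLE_RE.search(desc)
        records.append({
            "org": desc[:h.start()].strip() if h else desc,
            "handle": h.group(1) if h else None,
            "start": start,
            "end": end,
            "size": int(end) - int(start) + 1,
        })
        pending = []
    return records

def most_specific(records: list, ip: str):
    """Narrowest record whose range contains ip, or None if none does."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in records if r["start"] <= addr <= r["end"]]
    return min(hits, key=lambda r: r["size"]) if hits else None

if __name__ == "__main__":
    recs = parse_arin_netblocks(SAMPLE_WHOIS)
    for ip in ("206.138.18.108", "206.139.1.1", "64.124.150.130"):
        hit = most_specific(recs, ip)
        print(ip, "->", f"{hit['org']} [{hit['handle']}]" if hit else "no record")
```

For 206.138.18.108 the narrowest hit is the 4096-address UU-206-138-16 reassignment; 206.139.1.1 falls only in UUNET's parent block, and 64.124.150.130 (AboveNet) matches nothing in this answer at all, which is the point of the message above: the records tell you who holds the allocation, nothing more.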


Date: Sat, 20 Oct 2001 22:20:11 -0700 (PDT)
From: J
To: jya@pipeline.com
Subject: Safeweb, etc.

In regards to the safeweb IPs being forwarded to the bahamas, it is possible, but incorrect on this server. Here is what that win2k server in the bahamas is doing:

206.25.48.59
http:\\206.25.48.59\
Yields 
w32.Nimda.A@mm(html)
W32.Nimda.enc
w32.Nimda.A@mm(dr)

One's an internet email and one http virii.  Standard stuff.  The server is a windows 2000 server with all the trimmings:

Email, http, https, netbios, mailserver, iis5 even,

25   :CONNECT
END PORT INFO
80   :CONNECT
END PORT INFO
110  :CONNECT
END PORT INFO
135  :CONNECT
END PORT INFO
139  :CONNECT
END PORT INFO
443  :CONNECT
END PORT INFO
445  :CONNECT
END PORT INFO

Win2k server determined by packet personality.  Oxymoron in this context.

Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3

OS Fingerprint:

TSeq(Class=RI%gcd=1%SI=65D12%TS=0)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)

They are even nice enough to have a little ftp site:

Connecting to 206.25.48.59, Port 21 (#1) 
Connected.  Waiting for response.
220 A97DC6Freers2 Microsoft FTP Service (Version 5.0).
USER anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
PASS xxxxxx
230 Anonymous user logged in.
SYST
215 Windows_NT version 5.0
REST 100
350 Restarting at 100.
REST 0
350 Restarting at 0.
PWD
257 "/" is current directory.
TYPE A
200 Type set to A

New Horizons Tucson c/o The River, 40 N Swan Rd Tucson, AZ 85711 US

So, I think contestant #1 may have other issues going on rather than safeweb.  The above server box is just borked.  A pub-maker's paradise. 

This doesn't mean that safeweb is safe. In fact there is 100% certainty that it's not since you have no control over your data. It's just something to be used at work when you're surfing porn or whatever floats your boat.