Q2 - Identify as much as possible about the intruder(s)
======================================================

These are the IPs that appear in the snort log:

1) 216.216.74.2
2) 172.16.1.107
3) 172.16.1.101

Let us ask DNS:

[david@atila david]$ nslookup
Default Server:  ***never mind***
Address:  ***never mind***

> root
Default Server:  a.root-servers.net
Address:  198.41.0.4

> 216.216.74.2
Server:  a.root-servers.net
Address:  198.41.0.4

Authoritative answers can be found from:
216.216.IN-ADDR.ARPA    nameserver = NS1.HOME.NET
216.216.IN-ADDR.ARPA    nameserver = NS2.HOME.NET
NS1.HOME.NET    internet address = 24.0.0.27
NS2.HOME.NET    internet address = 24.2.0.27
*** No address (A) records available for 216.216.74.2

> server ns1.home.net
Default Server:  ns1.home.net
Address:  24.0.0.27

> 216.216.74.2
Server:  ns1.home.net
Address:  24.0.0.27

Name:    ATHM-216-216-xxx-2.home.net
Address:  216.216.74.2

> root
Default Server:  a.root-servers.net
Address:  198.41.0.4

> 172.16.1.107
Server:  a.root-servers.net
Address:  198.41.0.4

Authoritative answers can be found from:
16.172.IN-ADDR.ARPA    nameserver = BLACKHOLE.ISI.EDU
16.172.IN-ADDR.ARPA    nameserver = BLACKHOLE.EP.NET
*** No address (A) records available for 172.16.1.107

> server blackhole.isi.edu
Default Server:  blackhole.isi.edu.
Served by:
- NS.ISI.EDU
          128.9.128.127
          ISI.EDU
- EAST.ISI.EDU
          38.245.76.2
          ISI.EDU
- VENERA.ISI.EDU
          128.9.176.32
          ISI.EDU

> 172.16.1.107
Server:  blackhole.isi.edu.
Served by:
- NS.ISI.EDU
          128.9.128.127
          ISI.EDU
- EAST.ISI.EDU
          38.245.76.2
          ISI.EDU
- VENERA.ISI.EDU
          128.9.176.32
          ISI.EDU

*** blackhole.isi.edu. can't find 172.16.1.107: Non-existent host/domain

> 172.16.1.101
Server:  blackhole.isi.edu.
Served by:
- NS.ISI.EDU
          128.9.128.127
          ISI.EDU
- EAST.ISI.EDU
          38.245.76.2
          ISI.EDU
- VENERA.ISI.EDU
          128.9.176.32
          ISI.EDU

*** blackhole.isi.edu. can't find 172.16.1.101: Non-existent host/domain
>

Conclusion:

216.216.74.2            ATHM-216-216-xxx-2.home.net
172.16.1.107 and .101   Unknown. They (172.16.X.X) fall under the authority
                        of blackhole.isi.edu or blackhole.ep.net. Both are
                        alive but they know nothing about these addresses.

That result is expected. 172.16.0.0/12 is private address space reserved by
RFC 1918: it is never routed on the public Internet, and the servers that hold
its reverse zone (the "blackhole" servers above) answer every query with
NXDOMAIN by design. Hosts with these addresses sit on the local network behind
the snort sensor, so no amount of DNS or whois work will identify them from
outside. Only 216.216.74.2 can be traced any further.

Now let us see what WHOIS has for us:

home.net
========

[david@atila david]$ whois home.net
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: HOME.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: www.networksolutions.com
   Name Server: NS2.HOME.NET
   Name Server: NS1.HOME.NET
   Updated Date: 24-jul-2000

>>> Last update of whois database: Fri, 26 Jan 2001 12:10:24 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

[whois.networksolutions.com]

The Data in Network Solutions' WHOIS database is provided by Network
Solutions for information purposes, and to assist persons in obtaining
information about or related to a domain name registration record.
Network Solutions does not guarantee its accuracy. By submitting a WHOIS
query, you agree that you will use this Data only for lawful purposes and
that, under no circumstances will you use this Data to: (1) allow, enable,
or otherwise support the transmission of mass unsolicited, commercial
advertising or solicitations via e-mail (spam); or (2) enable high volume,
automated, electronic processes that apply to Network Solutions (or its
systems). Network Solutions reserves the right to modify these terms at
any time. By submitting this query, you agree to abide by this policy.

Registrant:
Home Network (HOME5-DOM)
   425 Broadway St.
   Redwood City, CA 94063
   US

   Domain Name: HOME.NET

   Administrative Contact, Technical Contact:
      Kiewlich, Daniel  (DKF336)  abuse@HOME.COM
      @Home Network
      425 Broadway St
      Redwood City, CA 94063
      US
      650-556-5399 650-556-6666
   Billing Contact:
      Du, Trung  (TD2157)  trung@CORP.HOME.NET
      @Home Network
      425 Broadway Street
      Redwood City, CA 94063-3126
      650-569-5437 (FAX) 650-569-5100

   Record last updated on 14-Dec-2000.
   Record expires on 19-May-2006.
   Record created on 18-May-1995.
   Database last updated on 27-Jan-2001 07:42:30 EST.

   Domain servers in listed order:

   NS1.HOME.NET                 24.0.0.27
   NS2.HOME.NET                 24.2.0.27

[david@atila david]$

isi.edu
=======

[david@atila david]$ whois isi.edu
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: ISI.EDU
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: www.networksolutions.com
   Name Server: NS.ISI.EDU
   Name Server: EAST.ISI.EDU
   Name Server: VENERA.ISI.EDU
   Updated Date: 11-mar-2000

>>> Last update of whois database: Fri, 26 Jan 2001 12:10:24 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

[whois.networksolutions.com]

[Network Solutions terms-of-use notice, identical to the one above]

Registrant:
University of Southern California (ISI-DOM)
   Information Sciences Institute
   4676 Admiralty Way, Suite 1001
   Marina del Rey, CA 90292-6695
   US

   Domain Name: ISI.EDU

   Administrative Contact, Technical Contact, Billing Contact:
      Action  (ACT-ORG)  action@ISI.EDU
      USC/Information Sciences Institute
      4676 Admiralty Way; Suite 1001
      Marina del Rey, CA 90292
      US
      310-822-1511 x 289
      Fax- 310-827-2637

   Record last updated on 01-Nov-2000.
   Record created on 10-Mar-1986.
   Database last updated on 27-Jan-2001 07:42:30 EST.

   Domain servers in listed order:

   VENERA.ISI.EDU               128.9.176.32
   NS.ISI.EDU                   128.9.128.127
   EAST.ISI.EDU                 38.245.76.2

[david@atila david]$

ep.net
======

[david@atila david]$ whois ep.net
[whois.crsnic.net]

Whois Server Version 1.3

Domain names in the .com, .net, and .org domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: EP.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: www.networksolutions.com
   Name Server: NS.ISI.EDU
   Name Server: DOT.EP.NET
   Name Server: FLAG.EP.NET
   Updated Date: 02-jan-2001

>>> Last update of whois database: Fri, 26 Jan 2001 12:10:24 EST <<<

The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and
Registrars.

[whois.networksolutions.com]

[Network Solutions terms-of-use notice, identical to the one above]

Registrant:
ISI (EP2-DOM)
   PO 12317
   MARINA DEL REY, CA 90295
   US

   Domain Name: EP.NET

   Administrative Contact, Technical Contact, Billing Contact:
      Manning, Bill  (WM110)  bmanning@KAROSHI.COM
      po 12317
      marina del rey, CA 90295
      310-322-8102

   Record last updated on 02-Jan-2001.
   Record expires on 10-Dec-2002.
   Record created on 09-Dec-1994.
   Database last updated on 27-Jan-2001 07:42:30 EST.

   Domain servers in listed order:

   DOT.EP.NET                   198.32.2.10
   FLAG.EP.NET                  198.32.4.13
   NS.ISI.EDU                   128.9.128.127

[david@atila david]$

And finally let us see what they offer on the web:

www.home.net   Alive. It is a cable/DSL ISP.
www.isi.edu    Alive. Information Sciences Institute of the University of
               Southern California.
www.ep.net     Alive. Lists ISP interconnection providers.

CONCLUSION
==========

The attack came from the following IP address:

Name:    ATHM-216-216-xxx-2.home.net
Address:  216.216.74.2

This IP belongs to home.net, which is a cable/DSL ISP. It might be dynamic
or it may have changed owner by now. The PTR name is the ISP's own naming
scheme for a subscriber line and says nothing about who was using it, so
from the outside the trail ends at the ISP: the address, the timestamps from
the snort log and the abuse contact in the home.net whois record
(abuse@HOME.COM) are what an abuse report would have to be built on. The
172.16.x.x addresses are RFC 1918 private space and belong to the local
network, not to the intruder.
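The first step of the analysis above, deciding which of the addresses pulled from the snort log can be traced on the public Internet at all and what reverse name to query for them, as an added example that is not part of this writeup. The three snort alert lines in it are constructed for the example (rule ids, timestamps and ports are invented; only the addresses are the ones from the log), and it relies only on Python's standard ipaddress module.

```python
import ipaddress
import re

# Constructed sample of snort fast-alert output. The alert text, rule ids,
# timestamps and ports are made up for this example; only the three
# addresses are the ones from the log discussed above.
SAMPLE_SNORT_LOG = """\
11/08-15:52:01.123456 [**] [1:0:0] EXAMPLE probe [**] 216.216.74.2:2300 -> 172.16.1.107:21
11/08-15:52:03.654321 [**] [1:0:0] EXAMPLE probe [**] 216.216.74.2:2301 -> 172.16.1.101:21
11/08-15:53:10.000000 [**] [1:0:0] EXAMPLE reply [**] 172.16.1.107:21 -> 216.216.74.2:2300
"""

# RFC 1918 private address space. The reverse zones for these blocks are
# delegated to the "blackhole" servers seen in the nslookup session above,
# so a PTR query for any of them can only ever come back NXDOMAIN.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ips(log_text):
    """Distinct IPv4 addresses in the log, in order of first appearance."""
    found = []
    for m in _IPV4.finditer(log_text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # four dotted numbers that are not an address (octet > 255)
        if ip not in found:
            found.append(ip)
    return found


def reverse_zone(ip, octets):
    """in-addr.arpa zone covering `ip` at a classful boundary (1, 2 or 3 octets).

    reverse_zone("216.216.74.2", 2) gives "216.216.in-addr.arpa", the zone
    the root servers delegated to NS1/NS2.HOME.NET in the session above.
    """
    parts = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(parts[:octets])) + ".in-addr.arpa"


def classify(ip):
    """Decide whether a public reverse-DNS / whois trace of `ip` can succeed.

    verdict is one of:
      "trace"    globally routable; worth the nslookup and whois walk
      "private"  RFC 1918; a local host behind the sensor, untraceable from outside
      "reserved" loopback, link-local, multicast, documentation ranges, etc.
    """
    ip = ipaddress.IPv4Address(ip)
    if any(ip in net for net in RFC1918):
        verdict = "private"
    elif ip.is_global:
        verdict = "trace"
    else:
        verdict = "reserved"
    return {"ip": str(ip), "ptr": ip.reverse_pointer,
            "zone": reverse_zone(ip, 2), "verdict": verdict}


def triage(log_text):
    """Classify every address in the log; only "trace" entries deserve whois time."""
    return [classify(ip) for ip in extract_ips(log_text)]


if __name__ == "__main__":
    for e in triage(SAMPLE_SNORT_LOG):
        print(f"{e['ip']:<15} {e['verdict']:<8} {e['ptr']}  (zone {e['zone']})")
```

Run on the sample log it reports 216.216.74.2 as the only address worth tracing and both 172.16.1.x hosts as private, with the PTR names (2.74.216.216.in-addr.arpa, 107.1.16.172.in-addr.arpa) that the nslookup session above was asking for behind the scenes. The /16 zone it prints is only a hint of where to expect the delegation; the actual cut may be at /8 or /24, which is why the session walks from the root servers rather than guessing.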