Update:

1. Colin is not dead. Since this was mailed, he and I have chatted at length and the following information was given to me by him. He DID give Eric Ginorio his password for the account here. Eric WAS the one who attempted to hack 'obscure'. Eric WAS the one who hacked skillz.303.org three times, the final time RMing the system.

2. Copies of posts made to the www.showdown.org Web Board (Run by Eric) show that he continually posts from ycusd.k12.ca.us, pointing out that he is very likely the person behind the attacks.

3. zaheer@grid9.net has responded once, but did not provide any information at all. He stated to one degree or another, that since I didn't ask him direct/specific questions, he felt no need to respond to me. His only response to me at all was done because of his anger over me mailing his upstream provider. That individual from cerbernet had mailed back the day after saying that zaheer was the one I needed to contact. Beyond that, no other admin has contacted me about this incident.

=-=

From root@sekurity.org Thu Feb 5 16:15:38 1998
Date: Thu, 5 Feb 1998 16:02:40 -0700 (MST)
From: root
To: zaheer@grid9.net, root@cerbernet.co.uk, dnr-admin@cerbernet.co.uk, root@rgv.net, info@rgv.net, root@rt66.com, wizard@rt66.com, root@ycusd.k12.ca.us
Cc: daud@dimensional.com, root@sekurity.org
Subject: Your system's security compromised possibly..

Hello..

As for why you are getting this mail, the reasons for each person are at the end of this file. Something in the following text does pertain to you, your system, and the possible compromise of your system's security.

Before we go into all the details, consider a few things.

1. 'trensant' was Colin's (Deprave) account. He had no stable mail account so he asked me for one, and I gave him this. I told him not to use 'deprave' because of his legal situation.

   * It is unconfirmed at this point, but apparently Colin was killed in a car wreck a few nights ago. I sincerely hope this is a hoax and that he is doing ok.
   If this tragic news is correct, then there has been a serious security breach on your system potentially.

2. Very few people knew this account was here. He had sent no mail outbound from this system (according to my mail logs), and only received one piece (provided below), apparently from himself.

3. Only SSH can be used to connect to this box. So the chances of his password being 'sniffed' are almost nil. That means someone was either monitoring his connections from rgv.net (where he came from the most), had backdoored the ssh binary there (to log relevant info), or had given his password to someone. The latter is the most probable, and the first place to look is dial18.ycusd.k12 as that is where the intruder came from twice. More on that host provided below.

4. While none of the following is "proof", there is way too much circumstantial evidence for it to be ignored.

=-=

[The 4 logins separated are significant because these were all made after Colin was supposedly pronounced dead from a car wreck. If that is true, all four logins are from someone else. More below last log..]

trensant ttyp4 dial18.ycusd.k12 Wed Feb 4 23:15 - 23:28 (00:12)
trensant ttyp2 dial18.ycusd.k12 Wed Feb 4 23:09 - 00:48 (01:39)
trensant ttyp4 pm2-8.rgv.net Wed Feb 4 23:00 - 23:01 (00:01)
trensant ttyp3 pm2-8.rgv.net Wed Feb 4 22:59 - 00:48 (01:49)

trensant ttyp3 pm1-16.rgv.net Mon Feb 2 19:51 - 19:51 (00:00)
trensant ttyp3 pm2-20.rgv.net Mon Feb 2 13:00 - 13:01 (00:00)
trensant ttyp2 pm1-19.rgv.net Sun Feb 1 21:03 - 21:04 (00:00)
trensant ttyp2 pm2-5.rgv.net Sun Feb 1 14:30 - 14:31 (00:01)
trensant ttyp2 169-252-218.ipt. Sat Jan 31 13:01 - 13:03 (00:02)
trensant ttyp2 1cust103.tnt6.ho Fri Jan 30 14:09 - 14:10 (00:01)
trensant ttyp3 1cust22.tnt6.hou Thu Jan 29 15:09 - 15:11 (00:02)
trensant ttyp5 1cust58.tnt2.hou Thu Jan 29 14:35 - 15:01 (00:25)
trensant ttyp2 dial1.ycusd.k12. Thu Jan 29 00:48 - 00:49 (00:00)
trensant ttyp1 152.172.173.216 Tue Jan 27 10:53 - 10:54 (00:01)
trensant ttyp1 1cust228.tnt2.ho Mon Jan 26 23:32 - 23:32 (00:00)
trensant ttyp1 152.173.25.85 Mon Jan 26 00:42 - 00:42 (00:00)
trensant ttyp0 172-203-184.ipt. Sun Jan 25 22:46 - 22:47 (00:01)
trensant ttyp0 1cust229.tnt2.ho Sun Jan 25 17:15 - 17:16 (00:00)
trensant ttyp0 1cust224.tnt6.ho Sun Jan 25 14:18 - 14:20 (00:01)
trensant ttyp0 1cust57.tnt6.hou Sun Jan 25 01:34 - 01:35 (00:00)
trensant ttyp6 1cust2.tnt2.hou3 Sat Jan 24 17:37 - 17:38 (00:01)
trensant ttyp6 1cust2.tnt2.hou3 Sat Jan 24 17:30 - 17:35 (00:04)

[This is the output of "egrep -B 1 trensant /var/log/messages". SSH logs all incoming connections by IP, which is quite handy as wtmp/utmp will not log full names frequently.]

Feb 1 21:03:47 obscure sshd[27873]: log: Connection from 206.97.131.118 port 1038
Feb 1 21:03:57 obscure sshd[27873]: log: Password authentication for trensant accepted.
Name: pm1-19.rgv.net
Address: 206.97.131.118
--
Feb 2 13:00:55 obscure sshd[31387]: log: Connection from 206.97.131.149 port 1056
Feb 2 13:00:57 obscure sshd[31387]: log: Password authentication for trensant accepted.
Name: pm2-20.rgv.net
Address: 206.97.131.149
--
Feb 2 19:51:31 obscure sshd[965]: log: Connection from 206.97.131.115 port 1041
Feb 2 19:51:33 obscure sshd[965]: log: Password authentication for trensant accepted.
Name: pm1-16.rgv.net
Address: 206.97.131.115
--
Feb 4 22:59:16 obscure sshd[11741]: log: Connection from 206.97.131.137 port 1036
Feb 4 22:59:18 obscure sshd[11741]: log: Password authentication for trensant accepted.
Name: pm2-8.rgv.net
Address: 206.97.131.137
--
Feb 4 23:00:21 obscure sshd[11765]: log: Connection from 206.97.131.137 port 1040
Feb 4 23:00:26 obscure sshd[11765]: log: Password authentication for trensant accepted.
Name: pm2-8.rgv.net
Address: 206.97.131.137
--
Feb 4 23:09:19 obscure sshd[11772]: log: Connection from 198.31.88.238 port 1047
Feb 4 23:09:29 obscure sshd[11772]: log: Password authentication for trensant accepted.
Name: dial18.ycusd.k12.ca.us
Address: 198.31.88.238
--
Feb 4 23:15:03 obscure sshd[11783]: log: Connection from 198.31.88.238 port 1064
Feb 4 23:15:16 obscure sshd[11783]: log: Password authentication for trensant accepted.
Name: dial18.ycusd.k12.ca.us
Address: 198.31.88.238

[k12.ca.us - Also note that Bronc lives in CA.]

=-=

[trensant is logged in twice here, once from rgv.net which is common, and a new host ycusd.k12 which is not.]

12:47am up 29 days, 7:34, 5 users, load average: 0.10, 0.04, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
jericho ttyp0 ember.comsite.ne 12:45am 1:03 0.62s 0.56s irc d1s irc.emo
jericho ttyp1 flatland.dimensi 12:47am 1.00s 0.25s 0.02s w
trensant ttyp2 dial18.ycusd.k12 11:09pm 1:38m 0.06s 0.06s -pine
trensant ttyp3 pm2-8.rgv.net 10:59pm 1:48m 0.06s 0.06s pine
jobe ttyp4 tfx-us2-09.ix.ne 12:10am 20:36 0.07s 0.07s -bash

=-=

grep -i trensant /var/log/messages

Feb 1 21:03:57 obscure sshd[27873]: log: Password authentication for trensant accepted.
Feb 2 13:00:57 obscure sshd[31387]: log: Password authentication for trensant accepted.
Feb 2 19:51:33 obscure sshd[965]: log: Password authentication for trensant accepted.
Feb 3 20:53:59 obscure ffingerd[5734]: attempt to finger "trensent" from 194.8.235.10 [194.8.235.10]
Feb 4 22:59:18 obscure sshd[11741]: log: Password authentication for trensant accepted.
Feb 4 23:00:26 obscure sshd[11765]: log: Password authentication for trensant accepted.
Feb 4 23:09:29 obscure sshd[11772]: log: Password authentication for trensant accepted.
Feb 4 23:15:16 obscure sshd[11783]: log: Password authentication for trensant accepted.

Name: babbage.grid9.net
Address: 194.8.235.10

[grid9.net is the system where Bronc Buster has had his account for some time. The time of this finger is the same night I heard Colin had apparently been in the car wreck. Note: I say the same time *I heard* the news.. not when he was supposedly in the wreck. The exact time and details are unknown, also lending to my doubt.]

=-=

[The only mail in his inbox. CVALENCIA = Colin Valencia]

>From CVALENCIA@panam1.panam.edu Mon Feb 2 15:21:31 1998
Return-Path:
Received: from PANAM3.PANAM.EDU (panam3.panam.edu [129.113.1.6]) by obscure.sekurity.org (8.8.7/8.8.nospam) with ESMTP id PAA32092 for ; Mon, 2 Feb 1998 15:21:30 -0700
From: CVALENCIA@panam1.panam.edu
Received: from panam1.panam.edu by panam1.panam.edu (PMDF V5.1-9 #24254) id <01IT3XFW8JSG8WW8ZF@panam1.panam.edu> for TRENSANT@SEKURITY.ORG; Mon, 2 Feb 1998 15:15:40 CST
Date: Mon, 02 Feb 1998 15:15:39 -0600 (CST)
Subject: I love my monkey
To: TRENSANT@SEKURITY.ORG
Message-id: <01IT3XFW8TG28WW8ZF@panam1.panam.edu>
Organization: The University of Texas-Pan American
X-VMS-To: TRENSANT@SEKURITY.ORG
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Status: RO
X-Status:

monkey monkey moneky

=-=

[/home/trensant/mail/sent-mail

This is where /etc/passwd was mailed out, to deprave@showdown.org

This is significant because if Colin was deceased, then the admin of showdown.org would have been the only other person who could have read this mail, or a hacker on that system as well. Why does this matter? A copy of /etc/passwd was mailed to jericho@dim.com from Carolyn Meinel. Carolyn definitely has knowledge of who did this and is not sharing. The other blame can fall on either a hacker on showdown.org, or the admin (Bronc Buster).

From dimensional.com's mail logs, we see:

Feb 4 22:18:45 blackhole sendmail[12383]: WAA12383: from=, size=3445, class=0, pri=33445, nrcpts=1, msgid=, proto=SMTP, relay=trensant@obscure.sekurity.org [206.124.30.250]
Feb 4 22:18:49 blackhole sendmail[12385]: WAA12383: to=, delay=00:00:04, xdelay=00:00:04, mailer=esmtp, relay=mailgate.grid9.net.
[194.8.235.10], stat=Sent (GAA12883 Message accepted for delivery)

The mail was delivered to showdown.org, and was read by someone there, and then forwarded to Carolyn Meinel.]

>From trensant@sekurity.org Wed Feb 4 23:22:06 1998
Status: O
X-Status:
Date: Wed, 4 Feb 1998 23:22:04 -0700 (MST)
From: trensant
To: deprave@showdown.org
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="2093875486-784082440-886659724=:11786"

--2093875486-784082440-886659724=:11786
Content-Type: TEXT/PLAIN; charset=US-ASCII

--2093875486-784082440-886659724=:11786
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=passwd
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description: testing

--2093875486-784082440-886659724=:11786--

=-=

[Despite her claim it could have been reconstructed, it is very obvious it a) couldn't have been, b) wasn't. First, notice the last entry of the passwd file: 'solar'. This account was created:

Wed Feb 4 18:36:58 1998 Account solar id=10003 gr=users 'Solar Diz' created by root

That is roughly 5 hours before the password file was mailed out. During that time, 'solar' had only logged in once, and had sent no mail. Furthermore, the locked out entry 'phalanx' (which has never sent mail) was included.

Carolyn Meinel has direct knowledge of who was on this system illegally and will not give that information to me.
This follows rumors of her involvement with the break-in of skillz.303.org a few days ago.]

>From cmeinel@techbroker.com Thu Feb 5 12:40:39 1998
Received: from Rt66.com (root@mack.rt66.com [198.59.162.1]) by blackhole.dimensional.com (8.8.7/8.8.nospam) with ESMTP id IAA18848 for ; Thu, 5 Feb 1998 08:18:47 -0700 (MST)
Received: from Lovely_lady (pma29.rt66.com [198.59.176.190]) by Rt66.com (8.8.7/8.8.6) with SMTP id IAA05322 for ; Thu, 5 Feb 1998 08:20:10 -0700 (MST)
Date: Thu, 5 Feb 1998 08:20:10 -0700 (MST)
Message-Id: <2.2.16.19980205081735.10df6e4e@techbroker.com>
X-Sender: cmeinel@techbroker.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: jericho@dimensional.com
From: "Carolyn P. Meinel"
Subject: Does this look familar?

Brain, anyone could have created this password file simply by using info on who had been sending mail from sekurity.org. I'm not going to fall for the idea that it is proof someone has broken into your box. Your experience with that so-called bash history file taught me a thing or two:):)

However, if this builds up into a major assault on Dimensional for hosting the static IPs for 303 and sekurity, I will be delighted to write it up for a GTMHH and the Hacker Wars book I'm working on now, and to cooperate fully with the FBI. I have made no agreements with ANYONE to hide felonies in exchange for inside information.

root:x:0:0:root,,,:/root:/bin/bash
bin:x:1:1:bin:/bin:/dev/null
daemon:x:2:2:daemon:/sbin:/dev/null
adm:x:3:4:adm:/var/adm:/dev/null
lp:x:4:7:lp:/var/spool/lpd:/dev/null
admin:x:6:100:sekurity admin:/home/admin:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/dev/null
news:x:9:13:news:/usr/lib/news:/dev/null
uucp:x:10:14:uucp:/var/spool/uucppublic:/dev/null
nobody:x:65534:100:nobody:/dev/null:
info:x:11:100:system info:/home/.info:/bin/pine
ftp:x:404:1::/home/ftp:/bin/false
guest:x:405:100:guest:/dev/null:/dev/null
alias:x:9901:2108:alias:/var/qmail/alias:/bin/true
jericho:x:1000:100:Perpetual Abuse:/home/jericho:/bin/bash
tpublic:x:1001:100:John Q. Public:/home/tpublic:/bin/bash
rage:x:1002:100:the alien,,,:/home/rage:/bin/bash
tacd:x:1003:100:TACD,,,:/home/tacd:/bin/bash
swb:x:1004:100:Scott W. Bell:/home/swb:/bin/bash
cavalier:x:1007:100:Carl Valier:/home/cavalier:/bin/bash
voyager:x:1008:100:Vance Yager:/home/voyager:/bin/bash
phalanx:x:1010:100:phalanx:/home/phalanx:/bin/false
sekmail:x:1016:100:Sekurity.Org Mail Administration,,,:/home/sekmail:/bin/bash
bogus:x:1021:100:Ignore -- Test,,,:/home/bogus:/bin/bash
major:x:1027:100:Mark Jor:/home/major:/bin/bash
demonika:x:1036:99:Monika DeMire:/home/demonika:/bin/bash
shok:x:1083:100:Shok,,,:/home/shok:/bin/bash
mdy:x:9933:100:Modify,,,:/home/mdy:/bin/bash
preacher:x:2000:100:Preacher:/home/preacher:/bin/tcsh
bmartin:x:2001:100:Brian Martin:/home/bmartin:/bin/bash
presence:x:1011:100:The Presence:/home/presence:/bin/bash
peedee:*:9934:100:peedee:/home/peedee:/bin/bash
fyber:*:9935:100:fyber:/home/fyber:/bin/bash
drno:*:9936:100:Doctor No:/home/drno:/bin/tcsh
jobe:*:9937:100:Jobe:/home/jobe:/bin/bash
radium:*:9938:100:Radium:/home/radium:/bin/bash
trensant:*:10001:99:trensant:/home/trensant:/bin/pine
vol:*:10002:100:Volatile:/home/vol:/bin/bash
solar:*:10003:100:Solar Diz:/home/solar:/bin/bash

Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com

"Inside every digital circuit, there's an analog signal screaming to get out." -- Al Kovalick, Hewlett-Packard
"Hex, Bugs, Rock & Roll" -- Bruce Conklin, Space Dynamics Lab, Utah State U.

=-=

Why are you getting mail?

zaheer@grid9.net (whois output below)
root/admin contact @cerbernet.co.uk (where showdown is hosted)
root/admin contact @rgv.net (2 illegal logins from there)
root/admin contact @dial18.ycusd.k12.ca.us (2 illegal logins from there)
root/admin contact @rt66.com (Carolyn's ISP, and her involvement)
daud@dimensional.com (my upstream admin)

traceroute www.showdown.org

1 elite.sekurity.org (206.124.30.129) 2.111 ms * 1.85 ms
2 plasma.dimcom.net (206.124.0.1) 1.696 ms 1.424 ms 1.221 ms
3 h2-1-0.core1.Denver.priori.net (209.104.198.37) 3.44 ms 3.125 ms 2.642 ms
4 a0-0-4.core1.PaloAlto.priori.net (209.104.192.50) 35.35 ms 34.89 ms 34.831 ms
5 h0-0-0.border1.Mae-West.priori.net (209.104.192.6) 35.099 ms 35.236 ms 38.193 ms
6 * mae-west.nacamar.net (198.32.136.76) 38.261 ms 36.479 ms
7 ser0-1-2.nyc0.nacamar.net (194.162.54.149) 101.153 ms 266.14 ms 103.767 ms
8 ser1-2.linx1.nacamar.net (194.162.54.113) 219.276 ms 197.105 ms 196.364 ms
9 10-port.linx3.nacamar.net.uk (194.162.231.236) 209.724 ms 193.979 ms 194.051 ms
10 webstar.thl.cerbernet.co.uk (193.243.227.226) 194.902 ms 195.866 ms 200.854 ms
11 webstar.gw.cerbernet.co.uk (193.243.224.34) 201.383 ms WWW.SHoWDoWN.oRG (194.8.235.73) 145.029 ms 142.338 ms

[rs.internic.net]

Bronc Busters ShowDown.Org (SHOWDOWN2-DOM)
1234 NoStreet
Yuba City, CA 95991
US

Domain Name: SHOWDOWN.ORG

Administrative Contact, Technical Contact, Zone Contact:
Merali, Zaheer (ZM117) zaheer@GRID9.NET
+44-(0)370-371114 (FAX) +44-(0)181-861-3078
Billing Contact:
Erik (ERI5-ORG) bbuster@SUCCEED.NET
916-789-1234

Record last updated on 25-Aug-97.
Record created on 25-Aug-97.
Database last updated on 5-Feb-98 04:20:30 EDT.

Domain servers in listed order:

NS.WEBSTARUK.NET 194.8.231.2
NS2.WEBSTARUK.NET 194.8.231.3
UNWISE.COM 194.8.235.10

The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's). Please use the whois server at nic.ddn.mil for MILNET Information.
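
=-=

The correlation done by hand in the mail above (matching each sshd "Connection from" line to the "accepted" line written by the same sshd PID, then spotting a source network the account had not used before) can be scripted. This is an added Python example, not part of the original mail; the function names and the /24 grouping are assumptions of the sketch, and the log lines are a subset copied from the /var/log/messages excerpt above.

```python
import ipaddress
import re
from collections import defaultdict

# Subset of the sshd lines quoted in the mail above (not constructed data).
LOG = """\
Feb 1 21:03:47 obscure sshd[27873]: log: Connection from 206.97.131.118 port 1038
Feb 1 21:03:57 obscure sshd[27873]: log: Password authentication for trensant accepted.
Feb 2 13:00:55 obscure sshd[31387]: log: Connection from 206.97.131.149 port 1056
Feb 2 13:00:57 obscure sshd[31387]: log: Password authentication for trensant accepted.
Feb 4 22:59:16 obscure sshd[11741]: log: Connection from 206.97.131.137 port 1036
Feb 4 22:59:18 obscure sshd[11741]: log: Password authentication for trensant accepted.
Feb 4 23:09:19 obscure sshd[11772]: log: Connection from 198.31.88.238 port 1047
Feb 4 23:09:29 obscure sshd[11772]: log: Password authentication for trensant accepted.
Feb 4 23:15:03 obscure sshd[11783]: log: Connection from 198.31.88.238 port 1064
Feb 4 23:15:16 obscure sshd[11783]: log: Password authentication for trensant accepted.
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(?P<pid>\d+)\]: log: (?P<msg>.*)$")
CONN = re.compile(r"Connection from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
AUTH = re.compile(r"Password authentication for (?P<user>\S+) accepted\.")

def accepted_logins(text):
    """Pair each 'accepted' line with the source IP logged by the same sshd PID."""
    pending = {}  # pid -> source IP of the connection that PID is handling
    logins = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn = CONN.search(m["msg"])
        auth = AUTH.search(m["msg"])
        if conn:
            pending[m["pid"]] = conn["ip"]
        elif auth:
            # IP is None when the Connection line is missing (e.g. rotated out)
            logins.append((m["ts"], auth["user"], pending.pop(m["pid"], None)))
    return logins

def new_network_logins(logins, prefix=24):
    """Flag logins from a network the account has not used earlier in the log."""
    seen = defaultdict(set)  # user -> networks already observed for that user
    flagged = []
    for ts, user, ip in logins:
        if ip is None:
            flagged.append((ts, user, ip, "no source recorded"))
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        if seen[user] and net not in seen[user]:
            flagged.append((ts, user, ip, f"first login from {net}"))
        seen[user].add(net)
    return flagged

if __name__ == "__main__":
    for hit in new_network_logins(accepted_logins(LOG)):
        print(*hit)
```

The baseline here is only what the log excerpt contains, so the first login ever seen for an account is never flagged; a longer history (such as the wtmp listing above) gives a better baseline.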