[Dshield] I think I caught something now what do I do?

Susan pobox2 at pinn.net
Wed Mar 20 05:04:18 GMT 2002


You have to open this up wide to unwrap the lines, but here it is; I've 
been sniffing my own line. I brought in some mail tonight and it shipped 
itself out or tried to connect me somewhere. But I have the feed, so now 
what?

first I get the mail: (XX.XX.XX.XX is me)

Tue Mar 19 22:21:04 2002; TCP; eth0; 52 bytes; from mail.pinn.net:pop3 
to XX.XX.XX.XX:1171 (source MAC addr XX.XX.XX.XX); FIN acknowleged
Tue Mar 19 22:21:04 2002; TCP; eth0; 52 bytes; from mail.pinn.net:pop3 
to XX.XX.XX.XX:1171 (source MAC addr XX.XX.XX.XX); FIN sent; 12 packets, 
992 bytes

Then a couple of seconds later out goes a connection (and I didn't open 
anything or go anywhere), and obviously aux-209-217-33-145.dallas.net is 
not a website:

Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1142 to 
aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN 
sent; 13 packets, 2291 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1140 to 
aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN 
sent; 13 packets, 2830 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1139 to 
aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN 
sent; 12 packets, 2762 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1141 to 
aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN 
sent; 15 packets, 2924 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1143 to 
aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN 
sent; 9 packets, 1542 bytes

It's an interesting question:
whois --> "aux-209-217-33-145.dallas.net:http" ?
And what did I send them?

A couple of minutes later I connect to the web:

Tue Mar 19 22:23:19 2002; UDP; eth0; 67 bytes; source MAC address 
XX.XX.XX.XX; from XX.XX.XX.XX:1042 to 
ns02.centrl01.va.comcast.net:domain  - that's as it should be, but where's 
the response?

Instead, the next thing is an attempted connection from my machine to this one...

Tue Mar 19 22:23:19 2002; TCP; Connection XX.XX.XX.XX:1128 to 
pcp890158pcs.centrl01.va.comcast.net:http timed out, 5 packets, 300 
bytes; opposite direction 0 packets, 0 bytes


whois --> pcp890158pcs.centrl01.va.comcast.net ?
Trying to masquerade as my DNS? pcp890158pcs ?
That is someone's computer, for Pete's sake!

I saw this happen the other night too, to the same addresses, which is why 
the heavy sniffer gear is going on.


Anyone have any suggestions or ideas? John, I will work on that procmail 
package as quick as I can! I checked all recent mail that came in and 
didn't find any links. Is it perhaps that this connection snuck in with the 
mail? We are being CONSTANTLY pounded. I put a bag over the modem so as 
not to have to look at it flashing incessantly.
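
A small triage script, added here as an example and not part of Susan's post or of any DShield tool: it parses the IPTraf-style connection log lines quoted above (rejoined onto single lines, with XX.XX.XX.XX kept as the redacted local address), finds when the POP3 session closed, and flags outbound TCP flows that either start within a short window afterwards or never got a reply at all, grouped per destination with the packet and byte totals the sniffer reported. The 30-second window, the allowlist containing mail.pinn.net, and the field layout assumed by the regular expressions are choices made to fit the lines shown, not anything the post states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the sniffer lines from the post, with the e-mail
# line wraps rejoined. XX.XX.XX.XX is the poster's own (redacted) address.
LOCAL_HOST = "XX.XX.XX.XX"
SAMPLE_LOG = """\
Tue Mar 19 22:21:04 2002; TCP; eth0; 52 bytes; from mail.pinn.net:pop3 to XX.XX.XX.XX:1171 (source MAC addr XX.XX.XX.XX); FIN acknowleged
Tue Mar 19 22:21:04 2002; TCP; eth0; 52 bytes; from mail.pinn.net:pop3 to XX.XX.XX.XX:1171 (source MAC addr XX.XX.XX.XX); FIN sent; 12 packets, 992 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1142 to aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN sent; 13 packets, 2291 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1140 to aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN sent; 13 packets, 2830 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1139 to aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN sent; 12 packets, 2762 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1141 to aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN sent; 15 packets, 2924 bytes
Tue Mar 19 22:21:09 2002; TCP; eth0; 52 bytes; from XX.XX.XX.XX:1143 to aux-209-217-33-145.dallas.net:http (source MAC addr XX.XX.XX.XX); FIN sent; 9 packets, 1542 bytes
Tue Mar 19 22:23:19 2002; UDP; eth0; 67 bytes; source MAC address XX.XX.XX.XX; from XX.XX.XX.XX:1042 to ns02.centrl01.va.comcast.net:domain
Tue Mar 19 22:23:19 2002; TCP; Connection XX.XX.XX.XX:1128 to pcp890158pcs.centrl01.va.comcast.net:http timed out, 5 packets, 300 bytes; opposite direction 0 packets, 0 bytes
"""

# "from A:p to B:q" on normal entries, "Connection A:p to B:q timed out" on
# the unanswered attempt at the end of the capture (assumed layout).
FLOW_RE = re.compile(r"(?:from|Connection) (\S+):(\S+) to (\S+):(\S+)")
COUNTS_RE = re.compile(r"(\d+) packets, (\d+) bytes")
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_log(text):
    """One dict per log line that names a src/dst pair; other lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        flow = FLOW_RE.search(line)
        if flow is None or len(fields) < 2:
            continue
        counts = COUNTS_RE.search(line)  # first pair = traffic in the stated direction
        records.append({
            "time": datetime.strptime(fields[0], TIME_FMT),
            "proto": fields[1],
            "src": flow.group(1), "sport": flow.group(2),
            "dst": flow.group(3), "dport": flow.group(4),
            "packets": int(counts.group(1)) if counts else 0,
            "bytes": int(counts.group(2)) if counts else 0,
            # "opposite direction 0 packets" means the peer never answered
            "unanswered": "opposite direction 0 packets" in line,
        })
    return records


def mail_session_ends(records, local=LOCAL_HOST):
    """Times at which a POP3 server finished a session with this host."""
    return sorted({r["time"] for r in records
                   if r["proto"] == "TCP" and r["dst"] == local and r["sport"] == "pop3"})


def suspicious_outbound(records, window=timedelta(seconds=30),
                        local=LOCAL_HOST, expected_hosts=("mail.pinn.net",)):
    """Outbound TCP flows from `local` that either start within `window` of a
    mail download ending, or were never answered. Grouped per destination so
    the five parallel HTTP sessions show up as one finding with a byte total."""
    ends = mail_session_ends(records, local)
    findings = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0,
                                    "after_mail_s": None, "unanswered": 0})
    for r in records:
        if r["proto"] != "TCP" or r["src"] != local or r["dst"] in expected_hosts:
            continue
        lag = next((r["time"] - t for t in ends
                    if timedelta(0) <= r["time"] - t <= window), None)
        if lag is None and not r["unanswered"]:
            continue
        f = findings[(r["dst"], r["dport"])]
        f["flows"] += 1
        f["bytes"] += r["bytes"]
        f["packets"] += r["packets"]
        f["unanswered"] += int(r["unanswered"])
        if lag is not None:
            secs = lag.total_seconds()
            f["after_mail_s"] = secs if f["after_mail_s"] is None else min(f["after_mail_s"], secs)
    return dict(findings)


def report(text):
    """Human-readable triage lines for a capture."""
    lines = []
    for (host, port), f in sorted(suspicious_outbound(parse_log(text)).items()):
        why = (f"{f['after_mail_s']:.0f}s after mail download"
               if f["after_mail_s"] is not None else "no reply from peer")
        lines.append(f"{host}:{port}  {f['flows']} flow(s), {f['packets']} pkts, "
                     f"{f['bytes']} bytes out  [{why}]")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample this yields two findings: five HTTP flows to the dallas.net host five seconds after the POP3 session closed, about 12 KB outbound in total, and one unanswered HTTP attempt to the comcast.net host. That covers the "how much" of "what did I send them?" but not the "what": a connection log like this carries no payload, so the next time it happens the capture should save full packets (for example tcpdump -w with a filter on the local address and TCP port 80) so the request bodies can be read. Note also that whois takes an IP address or a domain, not a host:port string, so the hostname should be resolved first.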