[Dshield] Please help me and oplogies for the haste of my question but I have been so much hurt trough hacking one day...

Ed Truitt ed.truitt at etee2k.net
Tue Nov 26 14:24:23 GMT 2002


OK, let's take a look-see here...

Entry #1 - [SRC=] comes from "laridian.com" out of Cedar Rapids Iowa (USA),
pointing at your [DPT=] "Ident" or "auth" service port (113).  While there
are known trojans that use the port, there are also legit users of that port
(IIRC, SMTP transactions on some MTAs use Ident to validate the sender.)
Verdict:  Unsure if it is an intrusion attempt or not.  Email address on the
domain record in WHOIS is craigr at laridian.com, contact him if you have any
questions.

Entry #2 - [SRC=] comes from "na-149-33.na.avantel.net.mx.", an ISP in
Mexico I think, pointing at your [DPT=] "HTTPS" port (443).  Verdict:
Unless you are running a Web server using SSL, this is probably a scan/probe
for an SSH bug (Apache mod_ssl, most likely).  The email address for this
one is noc at avantel.net.mx.  BTW, I have had several occasions when I run
across this ISP.  Open relays spamming, various probes/scans.

On the PS:  No, I haven't heard of that.

Hope this helps.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "dominique fiori" <dominiquefiori at numericable.fr>
To: <list at dshield.org>
Sent: Tuesday, November 26, 2002 7:25 AM
Subject: [Dshield] Please help me and oplogies for the haste of my question
but I have been so much hurt trough hacking one day...


> Nov 26 14:13:03 MYPC kernel: IN=eth0 OUT=
> MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=66.70.82.80 DST=MY IP
> LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12012 DF PROTO=TCP SPT=38933 DPT=113
> WINDOW=5840 RES=0x00 SYN URGP=0
>
> Nov 26 14:15:07 MY PC  kernel: IN=eth0 OUT=
> MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=148.245.149.33 DST=MY IP
> LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9765 DF PROTO=TCP SPT=49971 DPT=443
> WINDOW=5840 RES=0x00 SYN URGP=0
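The two quoted entries are iptables/netfilter kernel log lines. As an added example that is not part of the original thread, here is a small Python parser that splits such lines into KEY=VALUE fields and bare flags, then applies the same port-by-port triage the reply does; the sample input is a constructed copy of the two entries with a placeholder host name and DST address.

```python
import re

# Constructed sample input modelled on the two log entries in the post above;
# the host name and DST (an RFC 5737 documentation address) are placeholders.
SAMPLE_LOG = """\
Nov 26 14:13:03 MYPC kernel: IN=eth0 OUT= MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=66.70.82.80 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12012 DF PROTO=TCP SPT=38933 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 26 14:15:07 MYPC kernel: IN=eth0 OUT= MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=148.245.149.33 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9765 DF PROTO=TCP SPT=49971 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Destination ports the reply walks through, with the verdict it gives for each.
PORT_NOTES = {
    113: ("ident/auth", "unsure: trojans use it, but some MTAs query ident during SMTP"),
    443: ("https", "likely a scan/probe for an SSL web server unless you run one"),
}

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+kernel:\s+(.*)$")

def parse_netfilter_line(line):
    """Split one kernel/netfilter log line into a dict, or return None.
    KEY=VALUE tokens go into 'fields' (OUT= keeps its empty value); bare
    tokens such as DF or SYN are flags and are collected in 'flags'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group(3).split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.add(key)
    return {"time": m.group(1), "host": m.group(2), "fields": fields, "flags": flags}

def triage(record):
    """Summarise a record the way the reply does: source, target service port,
    and whether it is a fresh connection attempt (SYN without ACK)."""
    f, flags = record["fields"], record["flags"]
    dpt = int(f["DPT"]) if "DPT" in f else -1
    service, note = PORT_NOTES.get(dpt, ("unknown", "look the port up before deciding"))
    return {
        "src": f.get("SRC"), "dpt": dpt, "proto": f.get("PROTO"),
        "new_connection": "SYN" in flags and "ACK" not in flags,
        "service": service, "note": note,
    }

def triage_log(text):
    """Parse every netfilter line in a log blob and return one summary per line."""
    parsed = (parse_netfilter_line(ln) for ln in text.splitlines())
    return [triage(rec) for rec in parsed if rec is not None]
```

Lines that are not netfilter records (other kernel or syslog output) are skipped rather than misparsed, and the SYN-without-ACK check separates inbound connection attempts from packets belonging to sessions you opened yourself.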
