[Dshield] ...so much hurt through hacking one day...

Johannes Ullrich jullrich at euclidian.com
Tue Nov 26 14:37:17 GMT 2002


> Nov 26 14:13:03 MYPC kernel: IN=eth0 OUT= 
> MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=66.70.82.80 DST=MY IP 
> LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12012 DF PROTO=TCP SPT=38933 DPT=113 
> WINDOW=5840 RES=0x00 SYN URGP=0 

Port 113 is used by the 'ident' daemon. Harmless if 66.70.82.80 is a
mail server or IRC server you connect to.

A quick scan shows neither 25, 6667 nor 80 listening (but 25/80 are not
sending RST either).

hostname: laridian.com

> Nov 26 14:15:07 MY PC  kernel: IN=eth0 OUT= 
> MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=148.245.149.33 DST=MY
> IP LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9765 DF PROTO=TCP SPT=49971
> DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0

This is more interesting: a SYN packet against port 443. Do you have a web
server running on your firewall? If so, this may be a Slapper worm hit.

> My PC is much slower, applications hang.
> I need your help on deciphering that message please (if only Linux would
> be a wee, just a wee bit friendlier....)

A quick check you can do: run 'tcpdump' on your Linux firewall while you
are not using the Windows PC. See what kind of traffic is going in/out.
Try to shut down all apps (mail, instant messenger...).

> PS: Have you heard of a Lucille Alonzo being a hacker, cracker?

Nope. But I don't know them all... A Google search for the name came
up essentially empty.


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
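As an added example (not part of the post or the Dshield list), here is a small Python parser for the netfilter LOG lines quoted above that applies the reply's two heuristics: ident (113) lookups are normal when they come from a server you connected to, and an inbound SYN to 443 on a box with no web server is unsolicited. The DST address in the sample and the `known_peers` set are constructed assumptions; the SRC addresses are the ones from the thread.

```python
import re
# Constructed sample in the netfilter/iptables LOG format quoted in the thread:
# SRC addresses and MAC from the post, DST replaced by a made-up 192.0.2.x host.
SAMPLE_LOG = """\
Nov 26 14:13:03 MYPC kernel: IN=eth0 OUT= MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=66.70.82.80 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=12012 DF PROTO=TCP SPT=38933 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 26 14:15:07 MYPC kernel: IN=eth0 OUT= MAC=00:02:e3:20:f0:43:00:05:74:f6:60:54:08:00 SRC=148.245.149.33 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9765 DF PROTO=TCP SPT=49971 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")

def parse_netfilter_log(line):
    """Split one LOG line into a dict: KEY=VALUE tokens become entries (OUT= keeps
    an empty value); bare tokens such as DF, SYN, ACK are collected in 'flags'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    fields = {"timestamp": m.group("ts"), "host": m.group("host"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields["flags"].append(tok)
    return fields

def triage(fields, known_peers):
    """Apply the reply's reasoning: an ident (113) lookup from a mail/IRC server you
    are connected to is normal; an inbound SYN to 443 on a box that runs no web
    server is an unsolicited probe. known_peers: hosts you initiated sessions to."""
    flags = fields["flags"]
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return "not an inbound TCP connection attempt"
    src, dport = fields["SRC"], int(fields["DPT"])
    if dport == 113:
        if src in known_peers:
            return "ident lookup from a server you connected to: harmless"
        return "ident lookup from %s: check whether you connected to it" % src
    if dport == 443:
        return "unsolicited SYN to 443: suspicious unless this host serves HTTPS"
    return "inbound SYN to port %d from %s" % (dport, src)

def analyze_log(text, known_peers):
    """Return (SRC, DPT, verdict) for every netfilter LOG line in the text."""
    results = []
    for line in text.splitlines():
        if " kernel: " in line:
            f = parse_netfilter_log(line)
            results.append((f["SRC"], int(f["DPT"]), triage(f, known_peers)))
    return results
```

Calling `analyze_log(SAMPLE_LOG, {"66.70.82.80"})` (assuming laridian.com is a server you were connected to) yields one row per quoted line with its verdict.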