[Dshield] intrusion identification

Jon R. Kibler Jon.Kibler at aset.com
Sat Mar 15 19:19:14 GMT 2003


Both IPs are Level3.com customers. I suspect that they are dial-up IP addresses.

Level3 does not publish suballocation information, so the most you could hope to do is a little detective work on your own. HOWEVER, be aware that some jurisdictions would consider such probes to be criminal acts. That said, if you want to take the chance, you can try to telnet to port 25 on each IP and see if they are running an MTA that will give away who they are, such as:
	telnet 63.208.81.100 25
Or you can see if they have a web site at that IP via:
	http://63.208.81.100/

You can also complain to abuse at level3.com, but it won't get you anywhere.

Your best bet is to submit your logs to DShield.

BTW, what you are reporting is VERY common. It is not unusual to see a few hundred such probes per hour some days.

Good Luck!

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA


Peter Lindgren wrote:
> 
> My Norton Personal Firewall blocked two incoming access attempts that were
> attempting to access my NetBIOS. Does anyone know how to find out who made
> the attempt? The remote addresses were 63.208.81.100:2629 and
> 63.208.112.117:4840
> 
> Peter Lindgren
> 


