Re: Odd identd behavior
Date: Mon, 14 Nov 2005 17:33:16 -0800 To: Mike Owen <firstname.lastname@example.org>
Just to reiterate, I'd simply dig or nslookup the ip addresses (or use one
of the many nslookup webpages) and see if they have some contact info.
Really all you care about at this point is passing off some information to
the admin that it looks like he has some nefarious activity on his network.
You might also want to give him your ip address (and maybe mac) so he can
sift your info out of any forensics he may do. Anything else is just
Quoting Mike Owen <email@example.com>:
> Just to clarify some of the confusion:
> I'm looking at logs on *my* email server, and network packet captures
> from *my* network. My email server is sending out ident requests, to
> port 113 on the affected destination servers. The replies received,
> instead of being in the standard format as dictated by RFC 1413, are
> coming back with the "220 ..:: €lit€-Cr€w Rulez ::..." and "530 Not
> logged in..." messages. These messages are coming from the destination
> servers. As an earlier poster stated, they fit the format of an ftp
> transaction, aka RFC 959.
> My server is (to my knowledge) acting fine. Most destination servers
> return a correctly formatted ident reply when my server contacts them.
> I'm only receiving the "220 ..:: €lit€-Cr€w Rulez ::..." messages from
> 6 (six) distinct IPs.
> The comment about the backdoor was idle speculation upon my part about
> what these messages signified. After reviewing RFC 959 (ftp), I'm
> quite certain they are in fact coming from an ftp daemon listening on
> port 113 (ident).
> I don't really want to post IPs here to a public mailing list, but
> they appear to be scattered through the US/Europe.
> I hope this clears things up.
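The distinction Mike draws above, an RFC 1413 ident reply versus RFC 959 FTP reply lines showing up on port 113, is easy to check mechanically. The following is an added example, not code from anyone in this thread: a small classifier for lines read from port 113, plus a helper that lists which peers answered in FTP-speak. The sample observations and the 192.0.2.x addresses are constructed placeholders (RFC 5737 documentation range), not the six hosts in the original post.

```python
import re
from typing import Dict, Iterable, List, Tuple

# RFC 1413 ident reply: "<server-port>, <client-port> : USERID|ERROR : <add-info>"
IDENT_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")
# RFC 959 FTP reply line: three-digit code, then a space (final line) or '-' (continuation)
FTP_RE = re.compile(r"^(\d{3})([ -])(.*)$")

def classify_port113_reply(reply: str) -> Dict[str, str]:
    """Label one line read from TCP port 113 as an ident reply, an FTP-style reply, or unknown."""
    line = reply.rstrip("\r\n")
    m = IDENT_RE.match(line)
    if m:
        return {"kind": "ident", "resp_type": m.group(3), "info": m.group(4)}
    m = FTP_RE.match(line)
    if m:
        # A numeric 220/530-style code on the ident port is the tell-tale sign from the thread
        return {"kind": "ftp", "code": m.group(1), "text": m.group(3)}
    return {"kind": "unknown", "text": line}

def hosts_speaking_ftp_on_113(observations: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the distinct peer addresses whose port-113 reply looks like FTP, sorted."""
    return sorted({ip for ip, reply in observations
                   if classify_port113_reply(reply)["kind"] == "ftp"})

# Constructed sample of (peer address, reply line) pairs; the addresses are placeholders
# from the RFC 5737 documentation range, not the hosts discussed in the thread.
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", "6193, 25 : USERID : UNIX : postmaster\r\n"),   # normal ident reply
    ("192.0.2.11", "6194, 25 : ERROR : NO-USER\r\n"),              # normal ident error
    ("192.0.2.12", "220 ..:: example-banner Rulez ::..\r\n"),      # FTP greeting on port 113
    ("192.0.2.13", "530 Not logged in.\r\n"),                      # FTP auth reply on port 113
    ("192.0.2.12", "220-multi-line greeting\r\n"),                 # FTP continuation line
    ("192.0.2.14", "\r\n"),                                        # empty reply
]

if __name__ == "__main__":
    for ip, reply in SAMPLE_OBSERVATIONS:
        print(ip, classify_port113_reply(reply))
    print("Peers answering with FTP replies on 113:", hosts_speaking_ftp_on_113(SAMPLE_OBSERVATIONS))
```

Feeding real captured port-113 payloads through `hosts_speaking_ftp_on_113` gives the short list of peers worth reporting to their administrators, as suggested earlier in the thread.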