Re: Odd identd behavior

kgp_at_nethere.com
Date: 11/15/05

    Date: Mon, 14 Nov 2005 17:33:16 -0800
    To: Mike Owen <kyphros@gmail.com>
    
    

    Just to reiterate, I'd simply dig or nslookup the IP addresses (or use one
    of the many nslookup webpages) and see if they have some contact info.
    Really all you care about at this point is passing off some information to
    the admin that it looks like he has some nefarious activity on his network.
    You might also want to give him your IP address (and maybe MAC) so he can
    sift your info out of any forensics he may do. Anything else is just
    kibitzing.

    Kevin

    Quoting Mike Owen <kyphros@gmail.com>:
    >
    > Just to clarify some of the confusion:
    >
    > I'm looking at logs on *my* email server, and network packet captures
    > from *my* network. My email server is sending out ident requests, to
    > port 113 on the affected destination servers. The replies received,
    > instead of being in the standard format as dictated by RFC 1413, are
    > coming back with the "220 ..:: €lit€-Cr€w Rulez ::..." and "530 Not
    > logged in..." messages. These messages are coming from the destination
    > servers. As an earlier poster stated, they fit the format of an ftp
    > transaction, aka RFC 959.
    >
    > My server is (to my knowledge) acting fine. Most destination servers
    > return a correctly formatted ident reply when my server contacts them.
    > I'm only receiving the "220 ..:: €lit€-Cr€w Rulez ::..." messages from
    > 6 (six) distinct IPs.
    >
    > The comment about the backdoor was idle speculation upon my part about
    > what these messages signified. After reviewing RFC 959 (ftp), I'm
    > quite certain they are in fact coming from an ftp daemon listening on
    > port 113 (ident).
    >
    > I don't really want to post IPs here to a public mailing list, but
    > they appear to be scattered through the US/Europe.
    >
    > I hope this clears things up.
    >
    > Mike
    >
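As an added example (not code from this thread or from either poster), here is a small Python classifier for replies captured on TCP/113, of the kind Mike describes: it separates well-formed RFC 1413 ident responses from RFC 959-style FTP status lines, so the hosts answering an ident query with an FTP banner stand out in a capture. The sample replies and the addresses are constructed for the example.

```python
import re

# RFC 1413: "<sport>, <cport> : USERID : <opsys> : <user-id>" or "<sport>, <cport> : ERROR : <error-type>"
IDENT_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$", re.I)
FTP_RE = re.compile(r"^([1-5]\d{2})([ -])(.*)$")  # RFC 959 reply: 3-digit code, then ' ' (or '-' if multi-line)
# Error types RFC 1413 defines; an 'X'-prefixed type is a permitted extension.
IDENT_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}

def classify_reply(line: str) -> dict:
    """Classify one line received on TCP/113 in answer to an ident query."""
    text = line.rstrip("\r\n")
    m = IDENT_RE.match(text)
    if m:
        sport, cport, kind, rest = m.groups()
        if kind.upper() == "USERID":
            opsys, sep, user = rest.partition(":")
            if not sep:  # USERID needs both the opsys and the user-id field
                return {"kind": "malformed", "text": text}
            return {"kind": "ident-userid", "server_port": int(sport),
                    "client_port": int(cport), "opsys": opsys.strip(),
                    "user": user.strip()}
        err = rest.strip().upper()
        if err in IDENT_ERRORS or err.startswith("X"):
            return {"kind": "ident-error", "error": err}
        return {"kind": "malformed", "text": text}
    m = FTP_RE.match(text)
    if m:  # a bare 3-digit status code is FTP (RFC 959) syntax, not identd's
        return {"kind": "ftp-reply", "code": int(m.group(1)), "text": m.group(3).strip()}
    return {"kind": "unknown", "text": text}

def hosts_by_reply_kind(captured) -> dict:  # captured: (peer_ip, reply_line) pairs
    out = {}
    for ip, line in captured:
        out.setdefault(classify_reply(line)["kind"], set()).add(ip)
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample modelled on the replies described in the thread; the
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE = [
    ("192.0.2.10", "25, 40231 : USERID : UNIX : mail\r\n"),
    ("192.0.2.11", "25, 40232 : ERROR : NO-USER\r\n"),
    ("192.0.2.12", "25, 40233 : ERROR : X-DEFAULT-USER\r\n"),
    ("198.51.100.7", "220 ..:: €lit€-Cr€w Rulez ::...\r\n"),
    ("198.51.100.7", "530 Not logged in.\r\n"),
    ("198.51.100.8", "220-Welcome\r\n"),
    ("203.0.113.5", "garbage\r\n"),
]
if __name__ == "__main__":
    for kind, ips in hosts_by_reply_kind(SAMPLE).items():
        print(f"{kind}: {', '.join(ips)}")  # ftp-reply hosts are the odd ones
```

Feeding the classifier the peer address and first reply line of each 113/tcp session from a capture gives the same six-host list Mike found without having to read the replies by hand.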
