Re: X11 Outgoing

From: Ansgar -59cobalt- Wiechers (bugtraq_at_planetcobalt.net)
Date: 11/04/03

    Date: Tue, 4 Nov 2003 09:18:35 +0100
    To: security-basics@securityfocus.com
    
    

    On 2003-10-31 Brad Arlt wrote:
    > Your example alert looks like a connection to
    > pD4B9F42A.dip.t-dialin.net [212.185.244.42] from whatever your local IP
    > is/was. Many of the hacked machines I have seen over the last few
    > years are in the dip.t-dialin.net. That said, I am sure they are an
    > ISP with real clients doing perhaps legitimate work.

    Just a sidenote:

    dip.t-dialin.net is used by T-Online (ISP subsidiary of the German
    T-Com) for dial-up users.

    > If you can see no reason why your machine(s) should connect to
    > pD4B9F42A.dip.t-dialin.net[212.185.244.42] then you might have a
    > problem. Look into it further. It either should be stopped, or is
    > normal network traffic that you should document and alter a rule or
    > two so you don't get this alert without good cause.
    >
    > If you feel lazy, just block that IP at your firewall and wait for a
    > phone call. This isn't the most customer friendly approach, but
    > requires almost no effort on your part.

    I doubt this will work because IP addresses resolving to
    something.dip.t-dialin.net are dynamically assigned when T-Online
    customers connect to the internet. The suspected attacker will most
    likely disconnect, reconnect and have another IP. You would have to
    block the whole T-Online dialin address space for this measure to be
    effective.

    > The downside is if the machine is hacked or hackable you have done
    > nothing to stop that.

    This should be fixed in the first place (provided this actually *is* an
    attack). Everything else will be dealing with symptoms rather than the
    actual disease.

    Regards
    Ansgar Wiechers
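    The two points made in this thread (an alert destination whose reverse
    name ends in dip.t-dialin.net is a dynamically assigned dial-up address,
    so a single-host firewall block is pointless and only a range block would
    hold) can be turned into a small triage helper. The code below is an
    added example, not part of this message or of any T-Online tooling. It
    assumes: a constructed reverse-DNS table so it runs offline (a real
    version would call socket.gethostbyaddr); a hypothetical /16 standing in
    for the dial-up pool, which is NOT T-Online's real allocation; and that
    the name pD4B9F42A encodes the address 212.185.244.42 as hex
    (D4.B9.F4.2A), which the name and address on this page show, so the
    decoder cross-checks the PTR record against the alert's IP.

```python
import ipaddress
import re

# Constructed sample reverse-DNS answers so the example runs offline.
# The first entry is the host from the alert quoted in this thread; the
# second is an RFC 5737 documentation address with a made-up name.
CONSTRUCTED_PTR = {
    "212.185.244.42": "pD4B9F42A.dip.t-dialin.net",
    "198.51.100.7": "mail.example.net",
}

# Hypothetical mapping of dynamic dial-up name suffixes to the address
# ranges a range-level block would have to cover. The /16 is a placeholder
# for illustration only, not T-Online's actual address space.
DYNAMIC_POOLS = {
    "dip.t-dialin.net": [ipaddress.ip_network("212.185.0.0/16")],
}

# Names like pD4B9F42A.dip.t-dialin.net embed the IPv4 address as 8 hex
# digits after a leading "p" (observed from the name/address pair above).
_DIP_NAME = re.compile(r"^p([0-9a-f]{8})\.dip\.t-dialin\.net$", re.IGNORECASE)


def decode_dip_name(name):
    """Return the IPv4 address encoded in a dip.t-dialin.net name, or None."""
    match = _DIP_NAME.match(name.strip())
    if not match:
        return None
    return str(ipaddress.ip_address(int(match.group(1), 16)))


def reverse_name(ip, ptr_table=CONSTRUCTED_PTR):
    """Reverse lookup against the constructed table (stand-in for gethostbyaddr)."""
    return ptr_table.get(ip, "")


def ptr_consistent(ip, ptr_table=CONSTRUCTED_PTR):
    """True if the PTR name encodes the same address the alert reported.
    A mismatch would mean the PTR record or the alert is not what it seems."""
    decoded = decode_dip_name(reverse_name(ip, ptr_table))
    return decoded is not None and decoded == ip


def dynamic_pool_for(ip, ptr_table=CONSTRUCTED_PTR):
    """Return the dynamic-pool suffix the reverse name falls under, or None."""
    name = reverse_name(ip, ptr_table).lower()
    for suffix in DYNAMIC_POOLS:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def recommend_block(ip, ptr_table=CONSTRUCTED_PTR):
    """Decide what a firewall block would have to cover to be effective.

    Returns ("host", [single /32]) when the address is not known to be
    dynamically assigned, and ("range", [networks]) when it belongs to a
    dial-up pool, because the peer will reconnect with a different address
    and only the pool's ranges would stop it.
    """
    addr = ipaddress.ip_address(ip)
    pool = dynamic_pool_for(ip, ptr_table)
    if pool is None:
        return ("host", [ipaddress.ip_network(str(addr))])
    ranges = [net for net in DYNAMIC_POOLS[pool] if addr in net]
    return ("range", ranges or DYNAMIC_POOLS[pool])


if __name__ == "__main__":
    for ip in CONSTRUCTED_PTR:
        scope, targets = recommend_block(ip)
        print(ip, reverse_name(ip), "ptr-consistent=%s" % ptr_consistent(ip),
              scope, [str(t) for t in targets])
```

    For the address from the alert the helper reports a "range" scope,
    which is the point of the reply above: blocking 212.185.244.42 alone
    buys nothing once the dial-up peer reconnects, while the host-level
    answer is only returned for addresses with no dynamic-pool signature.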


