Re: questionable access to my computer - please help

From: Wolfgang Kueter (wolfgang@shconnect.de)
Date: 10/10/02


From: Wolfgang Kueter <wolfgang@shconnect.de>
Date: Thu, 10 Oct 2002 04:10:37 +0200

taharka wrote:

> The following link is a security report on that addy at mynetwatchman.com
> : http://www.mynetwatchman.com/LID.asp?IID=8254594
> Looks like this guys been at it for a while.
>
> Here is the info on that addy's ISP:
>
> 206.13.29.12 (dns1-la.lsan03.pacbell.net)

> [a lot of totally irrelevant stuff deleted]

> Port 1099:RATs: Blood Fest Evolution, RAT
> Download portref.zip from: wilders.org for a full port reference listing.
>
> If the firewall is blocking internet access to that addy, there is nothing
> to worry about. Probably that nasty ole NETBIOS/e-mail worm looking for
> open shares.

Sorry, complete nonsense. I might sound harsh, but your posting shows that
you are completely clueless. Instead of posting some whois entries you
should simply have looked at the ports and protocols used:

It is udp, it is directed to Port 1099 and uses source port 53 coming from

wk@heart-of-gold:~/patch/rh73> host 206.13.29.12
12.29.13.206.IN-ADDR.ARPA domain name pointer dns1-la.lsan03.pacbell.net

which looks much like a DNS server. And something like

wk@heart-of-gold:~> nslookup www.google.com dns1-la.lsan03.pacbell.net
Server: dns1-la.lsan03.pacbell.net
Address: 206.13.29.12

Non-authoritative answer:
Name: www.google.com
Address: 216.239.35.101

even shows you that it _is_ a DNS server.

So what this stupid piece of firewall simulation did, was simply to
misinterpret a late DNS answer packet as an attack.

The only question here is what is more stupid, this firewall simulation
giving false alarms or you, who are not able to distinguish between a late
DNS answer and an attack.

Read a book about network protocols.

Wolfgang
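The check Wolfgang describes, as an added example that is not part of his post or the thread: rather than matching on the destination port alone, remember the host's own outbound UDP/53 queries and treat an inbound UDP packet from port 53 as a late reply only when it answers one of them, falling back to "is the source a configured resolver" when the query itself is not in the log. The log format is a constructed key=value style, the resolver list and the 30 s window are assumptions, and 203.0.113.9 is a documentation address used as a placeholder.

```python
"""Separate late DNS replies from real unsolicited traffic in firewall drop logs.

Added example; not code from the original post or the thread.  The log
format is a constructed key=value style and the resolver list is an
assumption (it would come from /etc/resolv.conf or the ISP).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: the resolvers this host is configured to query.  206.13.29.12
# is the address discussed in the thread (dns1-la.lsan03.pacbell.net).
KNOWN_RESOLVERS = {"206.13.29.12"}

# Replies arriving this long after the outbound query are still attributed
# to it.  Assumption: generous enough to outlast a stateful firewall's UDP
# entry, which is exactly when a reply shows up as a "drop".
REPLY_WINDOW_S = 30.0

LATE_REPLY = "late reply to a DNS query this host sent"
RESOLVER_NO_QUERY = "from a configured resolver, but no matching query was logged"
UNKNOWN_SOURCE = "udp/53-sourced packet from an unknown host; source port is spoofable, investigate"
NOT_DNS = "not a DNS reply pattern; review"

LINE_RE = re.compile(
    r"t=(?P<t>[\d.]+) (?P<dir>in|out) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=(?P<spt>\d+) dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)"
    r"(?: action=(?P<action>\w+))?$"
)


@dataclass
class Event:
    t: float
    direction: str
    proto: str
    src: str
    spt: int
    dst: str
    dpt: int
    action: Optional[str]


def parse(line: str) -> Optional[Event]:
    """Parse one constructed log line; return None for lines we do not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(float(m["t"]), m["dir"], m["proto"].lower(), m["src"],
                 int(m["spt"]), m["dst"], int(m["dpt"]), m["action"])


def classify(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, verdict) for every dropped inbound packet.

    Outbound UDP packets to port 53 are remembered as queries keyed by the
    (local address, local port, resolver) triple; an inbound UDP packet from
    port 53 whose (dst, dpt, src) matches within REPLY_WINDOW_S is a late
    reply.  Matching the source port alone is not enough, because a sender
    can set any source port it likes.
    """
    pending: Dict[Tuple[str, int, str], float] = {}
    verdicts: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev is None:
            continue
        if ev.direction == "out" and ev.proto == "udp" and ev.dpt == 53:
            pending[(ev.src, ev.spt, ev.dst)] = ev.t
            continue
        if ev.direction != "in" or ev.action != "drop":
            continue
        if ev.proto != "udp" or ev.spt != 53:
            verdicts.append((i, NOT_DNS))
            continue
        queried_at = pending.get((ev.dst, ev.dpt, ev.src))
        if queried_at is not None and 0.0 <= ev.t - queried_at <= REPLY_WINDOW_S:
            verdicts.append((i, LATE_REPLY))
        elif ev.src in KNOWN_RESOLVERS:
            verdicts.append((i, RESOLVER_NO_QUERY))
        else:
            verdicts.append((i, UNKNOWN_SOURCE))
    return verdicts


# Constructed sample: a query from local port 1099, its reply dropped 12 s
# later once the firewall had forgotten the flow, and three other drops.
SAMPLE_LOG = [
    "t=100.0 out proto=udp src=192.168.1.5 spt=1099 dst=206.13.29.12 dpt=53",
    "t=112.0 in proto=udp src=206.13.29.12 spt=53 dst=192.168.1.5 dpt=1099 action=drop",
    "t=500.0 in proto=udp src=206.13.29.12 spt=53 dst=192.168.1.5 dpt=2048 action=drop",
    "t=600.0 in proto=udp src=203.0.113.9 spt=53 dst=192.168.1.5 dpt=1099 action=drop",
    "t=601.0 in proto=tcp src=203.0.113.9 spt=4444 dst=192.168.1.5 dpt=139 action=drop",
]

if __name__ == "__main__":
    for idx, verdict in classify(SAMPLE_LOG):
        print(f"line {idx}: {verdict}")
```

The ordering of the checks is the point: a reply that answers a logged query is explained regardless of who sent it, a packet from a configured resolver without a logged query is almost certainly a reply to a query that was never logged, and only a udp/53-sourced packet from an address the host never talks to deserves a second look, because nothing stops a sender from choosing source port 53. Adapting this to a real firewall means replacing the constructed regex with that product's log format and filling KNOWN_RESOLVERS from the host's actual resolver configuration.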


