Re: questionable access to my computer - please help

From: Richard (webmin@nospam.richardwarwick.org)
Date: 10/11/02


From: "Richard" <webmin@nospam.richardwarwick.org>
Date: Thu, 10 Oct 2002 19:55:41 -0400

Wolfgang,

Just because a server is running a DNS listener doesn't mean its only task
is as a DNS server.

It also doesn't mean that no one is using it to attack other servers.

As was pointed out, the source port was irrelevant. ZA didn't report the
destination port, which would resolve the issue.

If that's not clear, I'll explain. If the dest port was UDP/53, I'd be
inclined to agree with you. If it was, say, UDP/137, then I'd have to say
you were full of ***. The answer is, you don't know. If you knew, we
wouldn't be having this conversation. Since you don't know, why are we
having this conversation?

'nuff said.

have a wonderful day!

"Wolfgang Kueter" <wolfgang@shconnect.de> wrote in message
news:ao2nit$vj4$1@news.shlink.de...
> taharka wrote:
>
> > The following link is a security report on that addy at mynetwatchman.com:
> > http://www.mynetwatchman.com/LID.asp?IID=8254594
> > Looks like this guy's been at it for a while.
> >
> > Here is the info on that addy's ISP:
> >
> > 206.13.29.12 (dns1-la.lsan03.pacbell.net)
>
> > [a lot of totally irrelevant stuff deleted]
>
> > Port 1099:RATs: Blood Fest Evolution, RAT
> > Download portref.zip from: wilders.org for a full port reference listing.
> >
> > If the firewall is blocking internet access to that addy, there is nothing
> > to worry about. Probably that nasty ole NETBIOS/e-mail worm looking for
> > open shares.
>
> Sorry, complete nonsense. I might sound harsh, but your posting shows that
> you are completely clueless. Instead of posting some whois entries you
> should simply have looked at the ports and protocols used:
>
> It is udp, it is directed to Port 1099 and uses source port 53 coming from
>
> wk@heart-of-gold:~/patch/rh73> host 206.13.29.12
> 12.29.13.206.IN-ADDR.ARPA domain name pointer dns1-la.lsan03.pacbell.net
>
> which looks much like a DNS server. And something like
>
> wk@heart-of-gold:~> nslookup www.google.com dns1-la.lsan03.pacbell.net
> Server: dns1-la.lsan03.pacbell.net
> Address: 206.13.29.12
>
> Non-authoritative answer:
> Name: www.google.com
> Address: 216.239.35.101
>
> wk@heart-of-gold:~/patch/rh73> nslookup www.google.com dns1-la.lsan03.pacbell.net
> Server: dns1-la.lsan03.pacbell.net
> Address: 206.13.29.12
>
> Non-authoritative answer:
> Name: www.google.com
> Address: 216.239.35.101
>
> even shows you that it _is_ a DNS server.
>
> So what this stupid piece of firewall simulation did, was simply to
> misinterpret a late DNS answer packet as an attack.
>
> The only question here is what is more stupid, this firewall simulation
> giving false alarms or you, who are not able to distinguish between a late
> DNS answer and an attack.
>
> Read a book about network protocols.
>
> Wolfgang
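Both sides of this exchange come down to one thing: Richard's point that the destination port decides the question, and Wolfgang's that a UDP datagram from port 53 to a high-numbered local port is exactly what a late DNS answer looks like. A firewall that keeps no record of the queries the host sent out cannot tell the two apart; one that does can. The Python below is an added example written for this thread, not code from any of the posters or from ZoneAlarm. The alert-line format, the local address 10.0.0.7, the timing values and the `DnsStateTable` helper are all constructed for illustration; only the resolver address 206.13.29.12 and port 1099 come from the thread. It classifies a blocked-packet alert first by shape alone (what a stateless product can do) and then against a table of recently sent queries (what a stateful one can do).

```python
import re
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed alert format, loosely modelled on a personal-firewall "blocked"
# log line. Real ZoneAlarm output looks different; the shape is an assumption.
ALERT_RE = re.compile(
    r"(?P<proto>UDP|TCP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Constructed sample alert: the packet the thread argues about, a UDP datagram
# from the PacBell resolver's port 53 to local ephemeral port 1099.
SAMPLE_ALERT = "2002-10-10 19:40:02 blocked UDP 206.13.29.12:53 -> 10.0.0.7:1099"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_alert(line: str) -> Packet:
    """Pull protocol and both endpoints out of an alert line. A log that omits
    the destination port (Richard's complaint) cannot be parsed here, and that
    is the point: without it the classification below is impossible."""
    m = ALERT_RE.search(line)
    if m is None:
        raise ValueError(f"alert line lacks protocol/ports: {line!r}")
    return Packet(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


class DnsStateTable:
    """What a stateful firewall keeps and a stateless one lacks: outbound DNS
    queries sent recently, keyed by (resolver address, local source port).
    Hypothetical helper, not any product's real data structure."""

    def __init__(self, window_seconds: float = 10.0) -> None:
        self.window_seconds = window_seconds
        self._pending: Dict[Tuple[str, int], float] = {}

    def record_query(self, resolver: str, local_port: int, sent_at: float) -> None:
        self._pending[(resolver, local_port)] = sent_at

    def matches_reply(self, pkt: Packet, now: float) -> bool:
        """True if pkt answers a query we sent to pkt.src from pkt.dport
        within the window; a reply later than that is treated as unsolicited."""
        sent_at = self._pending.get((pkt.src, pkt.dport))
        if sent_at is None:
            return False
        return 0.0 <= now - sent_at <= self.window_seconds


def classify(pkt: Packet, state: Optional[DnsStateTable] = None,
             now: Optional[float] = None) -> str:
    """Classify a blocked inbound packet. Without state only the shape can be
    judged; with state a late DNS answer can be confirmed."""
    if pkt.proto != "UDP" or pkt.sport != 53:
        return "not-dns-reply-shaped"
    if pkt.dport == 53:
        # Someone is querying this host as if it were a DNS server.
        return "inbound-dns-query"
    if pkt.dport < 1024:
        # e.g. UDP/137 (NetBIOS): source port 53 is no excuse, since nothing
        # this host sent would be answered on a well-known service port.
        return "probe-of-service-port"
    if state is None:
        return "possible-dns-reply-unconfirmed"
    if now is None:
        now = time.time()
    if state.matches_reply(pkt, now):
        return "late-dns-reply"
    return "unsolicited-to-ephemeral-port"


def demo() -> Dict[str, str]:
    """Run the sample alert through stateless and stateful classification."""
    pkt = parse_alert(SAMPLE_ALERT)
    state = DnsStateTable(window_seconds=10.0)
    # Constructed timeline: the local resolver library sent a query from port
    # 1099 to the PacBell server at t=0; the blocked packet arrived at t=8.
    state.record_query("206.13.29.12", 1099, sent_at=0.0)
    return {
        "stateless": classify(pkt),
        "stateful": classify(pkt, state, now=8.0),
        "after_window": classify(pkt, state, now=60.0),
    }


if __name__ == "__main__":
    for mode, verdict in demo().items():
        print(f"{mode:>12}: {verdict}")
```

The stateless verdict for the disputed packet is only "possible DNS reply, unconfirmed", which is all a product that logs no destination port and keeps no query table can honestly say; the same packet becomes "late-dns-reply" once the outbound query is on record, and "unsolicited" again once the reply window has passed. Swapping the destination port to 137 flips the verdict regardless of state, which is Richard's point about why that field matters.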

