Re: intrusion ?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: Tue, 03 May 2005 14:55:06 -0500
In article <email@example.com>, GavT wrote:
>I think someone is trying to access my router from the net. My log shows the
>following incoming connection:
>prot remote ip rem port local ip local prt
>tcp 126.96.36.199 http 80 192.168.2.2 1077
So, what person on your net is trying to connect to a web server on
188.8.131.52? (Actually, it looks like some web forum.) Is your host
infected, or are you just trying to autoload some site?
>There are at least 50 attempts over 5 minutes
>There is outgoing traffic from my pc to the same ip but none from the
It could be that your router is mis-configured, but any time you see traffic
from a "high" port (over 1025) to a "low" port on a remote site, the odds
that the traffic did NOT originate on your host are about the same as finding
that your neighbor is actually an extra-terrestrial - it's possible, but
>What do you think? An IP lookup comes back negative
[compton ~]$ whois 184.108.40.206
NetRange: 220.127.116.11 - 18.104.22.168
OrgName: Liquid Web
Address: 4210 Creyts Rd.
[compton ~]$ rwhois rwhois.liquidweb.com 22.214.171.124
%rwhois V-1.5:003eff:00 rwhois.liquidweb.com (by Network Solutions, Inc.
network:Street-Address:116 paterson street birkenhead
I'm told that using a 'hotmail' address for business is a violation of
hotmail's Acceptable Use Policy. It's rather interesting that the domain
information only reached the referral server today.