Re: intrusion ?
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 05/03/05
- Previous message: Crazy Aljy: "Help! .exe loads in Notepad."
- In reply to: GavT: "intrusion ?"
Date: Tue, 03 May 2005 14:55:06 -0500
In article <d5611n$8jf$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com>, GavT wrote:
>I think someone is trying to access my router from the net. My log shows the
>following incoming connection:
>
>prot remote ip rem port local ip local prt
>
>tcp 67.43.4.157 http 80 192.168.2.2 1077
So, what person on your net is trying to connect to a web server on
67.43.4.157? (Actually, it looks like some web forum.) Is your host
infected, or are you just trying to autoload some site?
>There are at least 50 attempts over 5 minutes
And?
>There is outgoing traffic from my pc to the same ip but none from the
>router.
It could be that your router is mis-configured, but any time you see traffic
from a "high" port (over 1025) to a "low" port on a remote site, the odds
that the traffic did NOT originate on your host are about the same as finding
that your neighbor is actually an extra-terrestrial - it's possible, but
EXTREMELY unlikely.
>What do you think? An IP lookup comes back negative
[compton ~]$ whois 67.43.4.157
[whois.arin.net]
NetRange: 67.43.0.0 - 67.43.15.255
OrgName: Liquid Web
OrgID: LQWB
Address: 4210 Creyts Rd.
City: Lansing
StateProv: MI
PostalCode: 48917
Country: US
[snip]
[compton ~]$ rwhois rwhois.liquidweb.com 67.43.4.157
%rwhois V-1.5:003eff:00 rwhois.liquidweb.com (by Network Solutions, Inc.
V-1.5.7.4)
network:Class-Name:network
network:ID:NETBLK-UFOHOSTING.67.43.4.157/32
network:Auth-Area:67.43.0.0/20
network:Network-Name:UFOHOSTING-67.43.4.157
network:IP-Network:67.43.4.157/32
network:IP-Network-Block:67.43.4.157-67.43.4.157
network:Organization;I:UFOHOSTING
network:Org-Name:ufo hosting
network:Street-Address:116 paterson street birkenhead
network:City:merseyside
network:State:wirral mer
network:Postal-Code:ch414bj
network:Country-Code:UK
network:Tech-Contact;I:fookum8@hotmail.com
network:Abuse:abuse@liquidweb.com
network:Created:20050503
network:Updated:20050503
network:Updated-By:admin@liquidweb.com
I'm told that using a 'hotmail' address for business is a violation of
hotmail's Acceptable Use Policy. It's rather interesting that the domain
information only reached the referral server today.
Old guy
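
Added example, not part of the original post: a small Python sketch of the port-direction reasoning in the reply above, run over router log rows in the column layout GavT quoted. The 1025 threshold is the one the post states; the function names, the labels, and every sample row except the first are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Threshold as stated in the post: "high" ports are those over 1025.
HIGH_PORT_FLOOR = 1025

# Columns: prot, remote ip, service name, remote port, local ip, local port.
# Only the first row comes from the post; the rest are constructed for contrast.
SAMPLE_LOG = """\
tcp 67.43.4.157 http 80 192.168.2.2 1077
tcp 67.43.4.157 http 80 192.168.2.2 1078
tcp 203.0.113.9 unknown 40112 192.168.2.2 23
tcp 198.51.100.7 unknown 51000 192.168.2.2 6881
"""

def parse_line(line):
    """Split one log row into a dict; return None for blank or malformed rows."""
    parts = line.split()
    if len(parts) != 6:
        return None
    prot, rip, service, rport, lip, lport = parts
    return {
        "prot": prot,
        "remote_ip": ipaddress.ip_address(rip),   # raises ValueError on junk
        "service": service,
        "remote_port": int(rport),
        "local_ip": ipaddress.ip_address(lip),
        "local_port": int(lport),
    }

def classify(entry):
    """Guess which side opened the connection from the port pair alone."""
    local_high = entry["local_port"] > HIGH_PORT_FLOOR
    remote_high = entry["remote_port"] > HIGH_PORT_FLOOR
    if local_high and not remote_high:
        return "local-host-initiated"      # client port here, service port there
    if remote_high and not local_high:
        return "inbound-to-local-service"  # remote client reaching a local service
    return "ambiguous"                     # heuristic cannot tell; check the host

def summarize(text):
    """Count rows per (remote ip, verdict) so repeated attempts stand out."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[(str(entry["remote_ip"]), classify(entry))] += 1
    return counts

if __name__ == "__main__":
    for (remote, verdict), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{remote:15} {verdict:26} {n}")
```

The port pair is only a heuristic; a row it marks as ambiguous needs the connection state or the process list on the local host to settle.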