Re: intrusion ?

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 05/03/05

    Date: Tue, 03 May 2005 14:55:06 -0500

    In article <d5611n$8jf$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com>, GavT wrote:

    >I think someone is trying to access my router from the net. My log shows the
    >following incoming connection:
    >
    >prot  remote ip     rem port  local ip     local prt
    >
    >tcp   67.43.4.157   http 80   192.168.2.2  1077

    So, what person on your net is trying to connect to a web server on
    67.43.4.157? (Actually, it looks like some web forum.) Is your host
    infected, or are you just trying to autoload some site?

    >There are at least 50 attempts over 5 minutes

    And?

    >There is outgoing traffic from my PC to the same IP but none from the
    >router.

    It could be that your router is mis-configured, but any time you see traffic
    from a "high" port (over 1025) to a "low" port on a remote site, the odds
    that the traffic did NOT originate on your host are about the same as finding
    that your neighbor is actually an extra-terrestrial - it's possible, but
    EXTREMELY unlikely.

    >What do you think? An IP lookup comes back negative.

    [compton ~]$ whois 67.43.4.157
    [whois.arin.net]
    NetRange: 67.43.0.0 - 67.43.15.255
    OrgName: Liquid Web
    OrgID: LQWB
    Address: 4210 Creyts Rd.
    City: Lansing
    StateProv: MI
    PostalCode: 48917
    Country: US

    [snip]

    [compton ~]$ rwhois rwhois.liquidweb.com 67.43.4.157
    %rwhois V-1.5:003eff:00 rwhois.liquidweb.com (by Network Solutions, Inc.
    V-1.5.7.4)
    network:Class-Name:network
    network:ID:NETBLK-UFOHOSTING.67.43.4.157/32
    network:Auth-Area:67.43.0.0/20
    network:Network-Name:UFOHOSTING-67.43.4.157
    network:IP-Network:67.43.4.157/32
    network:IP-Network-Block:67.43.4.157-67.43.4.157
    network:Organization;I:UFOHOSTING
    network:Org-Name:ufo hosting
    network:Street-Address:116 paterson street birkenhead
    network:City:merseyside
    network:State:wirral mer
    network:Postal-Code:ch414bj
    network:Country-Code:UK
    network:Tech-Contact;I:fookum8@hotmail.com
    network:Abuse:abuse@liquidweb.com
    network:Created:20050503
    network:Updated:20050503
    network:Updated-By:admin@liquidweb.com

    I'm told that using a 'hotmail' address for business is a violation of
    hotmail's Acceptable Use Policy. It's rather interesting that the domain
    information only reached the referral server today.

            Old guy
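
The rule of thumb in the post above (a connection between a local high port and a remote low port almost always originated on the local host, whatever the router's log column calls it) applied to log lines in the same format, as an added example that is not part of the original thread. The sample log is constructed here: only the first line is the one GavT quoted, the others are made up to show the mirror-image pattern (an inbound probe to telnet), a UDP flow, and a line without the service-name column. The classifier is a heuristic, since the log records no TCP flags and so never shows which side sent the SYN.

```python
import ipaddress
from collections import Counter

# Constructed sample log, in the router's column order quoted in the post:
#   prot  remote-ip  [service]  remote-port  local-ip  local-port
# Only the first line is from the thread; the others are made up here to
# exercise the other direction, UDP, and a line without the service column.
SAMPLE_LOG = """\
tcp 67.43.4.157 http 80 192.168.2.2 1077
tcp 67.43.4.157 http 80 192.168.2.2 1078
tcp 67.43.4.157 http 80 192.168.2.2 1079
tcp 203.0.113.9 - 46120 192.168.2.1 23
tcp 203.0.113.9 46121 192.168.2.1 23
udp 198.51.100.7 domain 53 192.168.2.2 1054
"""

# IANA's well-known range is 0-1023; the post draws the line at "over 1025".
WELL_KNOWN_MAX = 1023


def parse_line(line):
    """Split one router log line into its fields. The service-name column
    (e.g. 'http' or '-') is optional, so accept both 5- and 6-field lines."""
    fields = line.split()
    if len(fields) == 6:
        proto, rip, _service, rport, lip, lport = fields
    elif len(fields) == 5:
        proto, rip, rport, lip, lport = fields
    else:
        raise ValueError(f"unexpected field count in {line!r}")
    return {
        "proto": proto.lower(),
        "remote_ip": ipaddress.ip_address(rip),
        "remote_port": int(rport),
        "local_ip": ipaddress.ip_address(lip),
        "local_port": int(lport),
    }


def classify(entry):
    """Apply the post's rule: a local high (ephemeral) port talking to a
    remote low (service) port means the local host opened the connection;
    the mirror image looks like an inbound probe. The log carries no TCP
    flags, so the SYN direction is unknown and this stays a heuristic."""
    lp, rp = entry["local_port"], entry["remote_port"]
    if lp > WELL_KNOWN_MAX and rp <= WELL_KNOWN_MAX:
        return "outbound"
    if lp <= WELL_KNOWN_MAX and rp > WELL_KNOWN_MAX:
        return "inbound"
    return "ambiguous"


def summarize(log_text):
    """Count lines per (local ip, remote ip, remote port, proto, verdict) so
    '50 attempts in 5 minutes' to one web server collapses into one busy
    flow instead of reading as 50 separate attacks."""
    counts = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        key = (str(e["local_ip"]), str(e["remote_ip"]), e["remote_port"],
               e["proto"], classify(e))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (lip, rip, rport, proto, verdict), n in summarize(SAMPLE_LOG).most_common():
        # Flag whether the "local" side really is an RFC 1918 address, as
        # it is in the post (192.168.2.2), or a public one.
        side = "RFC1918" if ipaddress.ip_address(lip).is_private else "public"
        print(f"{n:3d}x {proto} {lip} ({side}) <-> {rip}:{rport}  {verdict}")
```

Run on the quoted line, the three hits on 67.43.4.157:80 come out as a single outbound flow from the 192.168.2.2 host, which is exactly the question Moe Trin puts back to the poster: which process on that host keeps opening connections to the web server. Only the constructed telnet lines, with a remote high port aimed at local port 23, classify as inbound.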

