Re: intrusion ?

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 05/03/05

  • Next message: Duane Arnold: "Re: Is a firewall required..."
    Date: Tue, 03 May 2005 14:55:06 -0500

    In article <d5611n$8jf$1@nwrdmz03.dmz.ncs.ea.ibs-infra.bt.com>, GavT wrote:

    >I think someone is trying to access my router from the net. My log shows the
    >following incoming connection:
    >
    >prot remote ip rem port local ip local prt
    >
    >tcp 67.43.4.157 http 80 192.168.2.2 1077

    So, what person on your net is trying to connect to a web server on
    67.43.4.157? (Actually, it looks like some web forum.) Is your host
    infected, or are you just trying to autoload some site?

    >There are at least 50 attempts over 5 minutes

    And?

    >There is outgoing traffic from my PC to the same IP but none from the
    >router.

    It could be that your router is mis-configured, but any time you see traffic
    from a "high" port (over 1025) to a "low" port on a remote site, the odds
    that the traffic did NOT originate on your host are about the same as finding
    that your neighbor is actually an extra-terrestrial - it's possible, but
    EXTREMELY unlikely.

    >What do you think? An IP lookup comes back negative.

    [compton ~]$ whois 67.43.4.157
    [whois.arin.net]
    NetRange: 67.43.0.0 - 67.43.15.255
    OrgName: Liquid Web
    OrgID: LQWB
    Address: 4210 Creyts Rd.
    City: Lansing
    StateProv: MI
    PostalCode: 48917
    Country: US

    [snip]

    [compton ~]$ rwhois rwhois.liquidweb.com 67.43.4.157
    %rwhois V-1.5:003eff:00 rwhois.liquidweb.com (by Network Solutions, Inc. V-1.5.7.4)
    network:Class-Name:network
    network:ID:NETBLK-UFOHOSTING.67.43.4.157/32
    network:Auth-Area:67.43.0.0/20
    network:Network-Name:UFOHOSTING-67.43.4.157
    network:IP-Network:67.43.4.157/32
    network:IP-Network-Block:67.43.4.157-67.43.4.157
    network:Organization;I:UFOHOSTING
    network:Org-Name:ufo hosting
    network:Street-Address:116 paterson street birkenhead
    network:City:merseyside
    network:State:wirral mer
    network:Postal-Code:ch414bj
    network:Country-Code:UK
    network:Tech-Contact;I:fookum8@hotmail.com
    network:Abuse:abuse@liquidweb.com
    network:Created:20050503
    network:Updated:20050503
    network:Updated-By:admin@liquidweb.com

    I'm told that using a 'hotmail' address for business is a violation of
    hotmail's Acceptable Use Policy. It's rather interesting that the domain
    information only reached the referral server today.

            Old guy
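The rule of thumb in the reply above (a connection from a high port on your side to a low port on the remote side almost always originated on your own host) can be applied mechanically to a log in the column layout GavT quoted. The following is an added example, not code from the post or its author. It assumes one record per line in the order "prot, remote ip, remote port, local ip, local port", that the remote port may be prefixed by a service name as in "http 80", and it uses the IANA well-known boundary (ports 0-1023) where the post loosely says "over 1025". The first sample line is the one from the thread; the other lines are constructed for contrast.

```python
"""Classify the likely origin of connections listed in a router log.

Added example for the thread above; not code from the post or its author.
Column order (prot, remote ip, remote port, local ip, local port) follows
the header the original poster quoted. All sample lines after the first
are constructed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: optional service name (e.g. "http") before the remote port
# number; the local port is numeric only. A header line will not match.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<rip>\S+)\s+(?:(?P<rsvc>[A-Za-z][\w-]*)\s+)?"
    r"(?P<rport>\d+)\s+(?P<lip>\S+)\s+(?P<lport>\d+)\s*$"
)

# IANA well-known range is 0-1023; the post's rough cut-off is "over 1025".
WELL_KNOWN_MAX = 1023

# Constructed sample log; line 2 is the record quoted in the thread.
SAMPLE_LOG = """\
prot remote ip rem port local ip local prt
tcp 67.43.4.157 http 80 192.168.2.2 1077
tcp 67.43.4.157 http 80 192.168.2.2 1078
tcp 198.51.100.7 41234 192.168.2.1 22
udp 192.0.2.53 domain 53 192.168.2.2 51001
tcp 203.0.113.9 80 192.168.2.2 443
"""


@dataclass(frozen=True)
class Record:
    proto: str
    remote_ip: str
    remote_port: int
    local_ip: str
    local_port: int


def parse_line(line):
    """Return a Record for one log line, or None for headers/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        # Validate both addresses; reject garbage that merely looks like a field.
        ipaddress.ip_address(m["rip"])
        ipaddress.ip_address(m["lip"])
    except ValueError:
        return None
    return Record(m["proto"], m["rip"], int(m["rport"]),
                  m["lip"], int(m["lport"]))


def likely_origin(rec):
    """Apply the high-port-to-low-port rule of thumb from the post.

    A client picks an ephemeral (high) source port and talks to a service's
    well-known (low) port, so the side holding the low port is the server
    and the other side is the one that started the connection.
    """
    remote_low = rec.remote_port <= WELL_KNOWN_MAX
    local_low = rec.local_port <= WELL_KNOWN_MAX
    if remote_low and not local_low:
        return "local"      # local host is the client: traffic left from inside
    if local_low and not remote_low:
        return "remote"     # remote host is the client: inbound to a local service
    return "ambiguous"      # both low or both high: the rule gives no answer


def summarize(log_text):
    """Count records per (origin, remote ip, remote port) across a log."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue    # header line or malformed record
        counts[(likely_origin(rec), rec.remote_ip, rec.remote_port)] += 1
    return counts


if __name__ == "__main__":
    for (origin, rip, rport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d} connection(s) to {rip}:{rport} -> originated {origin}")
```

Running the module over the sample shows the thread's record (remote port 80, local port 1077) classified as originating on the local host, which is the point the reply makes: the entries are the PC reaching out to a web server, not an inbound probe. The "ambiguous" bucket is deliberate; when both ports are low or both are high, the heuristic should not be trusted and the router's own direction field (if it has one) is needed.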
