
RE: [Sheflug] Re: Security : Port scanning

> -----Original Message-----
> From: Richard Ibbotson [mailto:richard [at] sheflug.co.uk] 
> Sent: 08 May 2003 10:28
> To: shef-lug [at] list.sheflug.org.uk
> Subject: [Sheflug] Re: Security : Port scanning
> 
> 
> Chris
> 
> 
> > My own logs are much worse than this :)
> 
> 
> In reply to myself and an example of what was happening at 10.15 this 
> morning....  I was being scanned from ....   217.228.102.98....  dig 
> -x reveals....
> 
> 
> ; <<>> DiG 9.2.2 <<>> -x 217.228.102.98
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45520
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
> 
> ;; QUESTION SECTION:
> ;98.102.228.217.in-addr.arpa.   IN      PTR
> 
> ;; ANSWER SECTION:
> 98.102.228.217.in-addr.arpa. 86024 IN   PTR     
> pD9E46662.dip.t-dialin.net.
> 
> ;; AUTHORITY SECTION:
> 102.228.217.in-addr.arpa. 86024 IN      NS      dns01.btx.dtag.de.
> 102.228.217.in-addr.arpa. 86024 IN      NS      dns04.btx.dtag.de.
> 102.228.217.in-addr.arpa. 86024 IN      NS      dns51.t-ipnet.de.
> 102.228.217.in-addr.arpa. 86024 IN      NS      pns.dtag.de.
> 102.228.217.in-addr.arpa. 86024 IN      NS      
> techfac.techfak.uni-bielefeld.de.
> 
> ;; ADDITIONAL SECTION:
> dns01.btx.dtag.de.      3823    IN      A       194.25.2.130
> dns04.btx.dtag.de.      3823    IN      A       194.25.2.133
> dns51.t-ipnet.de.       3823    IN      A       217.5.100.186
> pns.dtag.de.            2213    IN      A       194.25.0.125
> techfac.techfak.uni-bielefeld.de. 462 IN A      129.70.132.100
> 
> ;; Query time: 90 msec
> ;; SERVER: 194.247.47.47#53(194.247.47.47)
> ;; WHEN: Thu May  8 10:18:07 2003
> ;; MSG SIZE  rcvd: 306
> 
> 
> 
> 
> What this probably means is that someone else is using someone's 
> connection at home or in the office without the owner knowing about 
> it.  Making a claim that a certain company or individual is doing it 
> is wrong because it's frequently the case that this is not so.  You 
> normally find that the person's computer is being used from somewhere 
> like the U.S. or Japan or Taiwan by a remote operator.
> 

Just out of curiosity, how did you come to that conclusion?

(I don't fully understand the methods behind the hijacking / spoofing
bit, so any info would be useful).

TIA,

-- 
David
___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.
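A small parser for the `dig -x` output quoted in the thread, added here as an example and not part of the original mail: it rebuilds the in-addr.arpa name that `dig -x` queries for an address, pulls the PTR answer out of the ANSWER section, and reassembles records that the mail wrapped over two lines. The sample text is an excerpt copied from the quoted output; the function names are my own.

```python
"""Parse `dig -x` output and extract the PTR answer for the queried IP."""
import re

# Excerpt of the dig output quoted in the thread; note the PTR record is
# wrapped over two lines exactly as it is in the mail.
SAMPLE = """\
;; QUESTION SECTION:
;98.102.228.217.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
98.102.228.217.in-addr.arpa. 86024 IN   PTR
pD9E46662.dip.t-dialin.net.

;; AUTHORITY SECTION:
102.228.217.in-addr.arpa. 86024 IN      NS      dns01.btx.dtag.de.
"""


def ptr_name(ip: str) -> str:
    """Build the in-addr.arpa name that `dig -x` looks up for an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def parse_dig(text: str) -> dict:
    """Return {section: [(name, ttl, class, type, rdata), ...]}.

    Assumes single-token rdata (A, NS, PTR); a record whose rdata was wrapped
    onto the following line is reassembled before it is emitted.
    """
    sections, current, pending = {}, None, []
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current, pending = m.group(1), []
            sections[current] = []
            continue
        if current is None or not line.strip() or line.startswith(";"):
            continue  # header, blank line, or the ';'-prefixed question line
        pending += line.split()
        if len(pending) >= 5:  # name ttl class type rdata
            sections[current].append(tuple(pending[:5]))
            pending = []
    return sections


def ptr_targets(text: str, ip: str) -> list:
    """PTR names answered for `ip`; records whose owner name is not the
    name we queried are ignored rather than trusted."""
    want = ptr_name(ip)
    return [rdata for name, _ttl, _cls, rtype, rdata in parse_dig(text).get("ANSWER", [])
            if rtype == "PTR" and name == want]
```

The PTR name is published by whoever runs the reverse zone (here the ISP's nameservers in the AUTHORITY section), so it identifies the provider's address pool, not the person behind the connection.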