-
June 11th, 2003, 09:25 AM
#1
Telnet
Hi all,
I was looking through my firewall log the other day when I noticed a sub7 had been blocked. This would not normally have given me much to worry about, what with AOL constantly pinging me etc., but the IP address of the remote service looked a bit suspect. So I did a bit of research; whois doesn't show up anything, nor does the IP locator here at AO. On the off chance I tried to telnet into the IP address and, lo and behold, I got a prompt for a password.
I was hoping someone here might be able to help me track down the location of this attack.
The ip address is 63.238.172.48
Any help would be much appreciated.
-
June 11th, 2003, 09:46 AM
#2
Whois info just shows this:
Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
63.236.0.0 - 63.239.255.255
Conectiv Communications Inc. QWEST-63-238-160 (NET-63-238-160-0-1)
63.238.160.0 - 63.238.191.255
# ARIN WHOIS database, last updated 2003-06-10 21:05
# Enter ? for additional hints on searching ARIN's WHOIS database.
Which means the ip belongs to Conectiv Communications Inc.
Googling Conectiv Communications gives us this:
Conectiv Communications offered voice and data services to residential and business customers in Delaware, Maryland, New Jersey, and Pennsylvania. Cavalier Telephone focuses on similar customers in the same region, offering local, long-distance, internet dial-up, and high-speed DSL service across the mid-Atlantic region.
http://www.conectiv.com/civ/news/pre...ses/011115.cfm
Telnetting to that address just prompts for a password. This usually means some sort of router.
So my best guess? It's a DSL (l)user that's using a hackers (read: scriptkiddie) tool.
If you're properly firewalled just ignore it. It will go away eventually.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 11th, 2003, 09:50 AM
#3
you also can download NeoTracer and trace IPs yourself ...
these are the results i got ...
-
June 11th, 2003, 10:17 AM
#4
Thanks guys,
I did try tracert but it just timed out. I think I'll have to get Neotrace; I've heard it's a pretty good tool. Thanks for the info anyway.
-
June 11th, 2003, 12:20 PM
#5
Originally posted here by jinxy
Thanks guys,
I did try tracert but it just timed out. I think I'll have to get Neotrace; I've heard it's a pretty good tool. Thanks for the info anyway.
Both work on the same principle. Neotrace just has a nicer interface and is able to lookup those AS numbers to get a location.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 11th, 2003, 01:07 PM
#6
C:\>tracert 63.238.172.48
Tracing route to de-dsl-63-238-172-48-static.dsl.cavtel.net [63.238.172.48]
over a maximum of 30 hops:
11 311 ms 500 ms 311 ms above-gw.cgcil.ip.att.net [192.205.32.197]
12 330 ms 240 ms 231 ms 12.123.3.57
13 521 ms 250 ms 240 ms gbr1-p20.phlpa.ip.att.net [12.122.2.18]
14 481 ms 501 ms 230 ms gbr1-p10.phlpa.ip.att.net [12.122.12.98]
15 230 ms 240 ms 231 ms gar1-p360.phlpa.ip.att.net [12.123.137.21]
16 240 ms 240 ms 241 ms 12.125.176.170
17 230 ms 271 ms 240 ms delmar-209-137-166-66-dsl.cavtel.net [209.137.166.66]
18 351 ms 240 ms 240 ms 63.238.168.5
19 280 ms 301 ms 360 ms de-dsl-63-238-172-48-static.dsl.cavtel.net [63.238.172.48]
Trace complete.
Hey, I got the route traced. Can anyone explain this stuff to me?
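An added example, not code from the thread: a small Python parser for the tracert output posted above. It pulls each hop's number, round-trip times and reverse-DNS name out of the text and reports where the path hands off from one operator's network to another (here att.net to cavtel.net), which is what the hostnames in the trace tell you. The sample input is the hop lines from post #6, embedded as a constant.

```python
import re
from typing import List, NamedTuple, Optional
# Sample input: the hop lines quoted in post #6 (a real tracert also prints
# "<1 ms" for sub-millisecond hops and "*" where a probe timed out).
TRACERT_OUTPUT = """\
Tracing route to de-dsl-63-238-172-48-static.dsl.cavtel.net [63.238.172.48]
11 311 ms 500 ms 311 ms above-gw.cgcil.ip.att.net [192.205.32.197]
12 330 ms 240 ms 231 ms 12.123.3.57
13 521 ms 250 ms 240 ms gbr1-p20.phlpa.ip.att.net [12.122.2.18]
14 481 ms 501 ms 230 ms gbr1-p10.phlpa.ip.att.net [12.122.12.98]
15 230 ms 240 ms 231 ms gar1-p360.phlpa.ip.att.net [12.123.137.21]
16 240 ms 240 ms 241 ms 12.125.176.170
17 230 ms 271 ms 240 ms delmar-209-137-166-66-dsl.cavtel.net [209.137.166.66]
18 351 ms 240 ms 240 ms 63.238.168.5
19 280 ms 301 ms 360 ms de-dsl-63-238-172-48-static.dsl.cavtel.net [63.238.172.48]
Trace complete."""

class Hop(NamedTuple):
    number: int
    rtts_ms: List[Optional[int]]  # None where tracert printed "*" (timed out)
    hostname: Optional[str]       # None when the hop had no reverse-DNS name
    ip: str                       # "" for a hop that never answered

# Hop line: number, three RTT fields ("311 ms", "<1 ms" or "*"), then the host.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
HOST_RE = re.compile(r"^(?:(\S+)\s+)?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")

def parse_tracert(text: str) -> List[Hop]:
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header lines, blank lines, "Trace complete."
        rtts = [None if tok == "*" else int(tok.lstrip("<"))
                for tok in re.findall(r"<?\d+|\*", m.group(2))]
        h = HOST_RE.match(m.group(3))  # no match on "Request timed out."
        hops.append(Hop(int(m.group(1)), rtts,
                        h.group(1) if h else None, h.group(2) if h else ""))
    return hops

def network_handoffs(hops: List[Hop]) -> List[tuple]:
    """(hop number, domain) each time the reverse-DNS suffix changes: the suffix
    (att.net, cavtel.net) names the network operating that hop."""
    out, last = [], None
    for hop in hops:
        d = ".".join(hop.hostname.split(".")[-2:]) if hop.hostname else None
        if d and d != last:
            out.append((hop.number, d))
            last = d
    return out
```

Hops with no reverse-DNS name (12, 16, 18) are kept but do not count as a handoff, so the trace above reads as AT&T's backbone until hop 17, then Cavalier's DSL network down to the static DSL host.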
-
June 11th, 2003, 01:20 PM
#7
hey dude, nice nick
I agree, it's probably a kid messing with some kiddy toys..
as long as you don't have a sub7 server running, it's harmless !!
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
June 11th, 2003, 01:45 PM
#8
How do you know when a sub7 server is running?
-
June 11th, 2003, 01:47 PM
#9
It could be a script kiddie... or a zombie.
The guy behind the attack may be a dummy ... or a malicious hacker.
Be aware that your firewall logs only what it is configured to. It won't tell you what came through.
I'd advise you to
- create a specific firewall rule for the IP address to stop any further attempt from that computer, or set up a sniffer or NIDS to catch any flows from the IP address
- & check your file system integrity
It's probably someone playing with a freeware, but who knows!!!
SHARING KNOWLEDGE
-
June 11th, 2003, 07:22 PM
#10
Originally posted here by neonstow
How do you know when a sub7 server is running?
Most AV should warn you or even attempt to automatically remove sub7. Most servers like sub7 servers will be running at startup. You can manually check for malware by looking for weird files, ports, regkeys, etc. But with a nice and up-to-date AV & trojan removal it'll do half the work for you and at a much quicker rate of speed.