
Thread: Telnet

  1. #1
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668

    Telnet

    Hi all,
    I was looking through my firewall log the other day when I noticed a Sub7 attempt had been blocked. This would not normally have given me much to worry about, what with AOL constantly pinging me etc., but the IP address of the remote service looked a bit suspect. So I did a bit of research: whois doesn't show up anything, nor does the IP locator here at AO. On the off chance I tried to telnet into the IP address and, lo and behold, I got a prompt for a password.

    I was hoping someone here might be able to help me track down the location of this attack.

    The IP address is 63.238.172.48

    Any help would be much appreciated.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Whois info just shows this:

    Qwest Communications NET-QWEST-BLKS2 (NET-63-236-0-0-1)
    63.236.0.0 - 63.239.255.255
    Conectiv Communications Inc. QWEST-63-238-160 (NET-63-238-160-0-1)
    63.238.160.0 - 63.238.191.255

    # ARIN WHOIS database, last updated 2003-06-10 21:05
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    Which means the IP belongs to Conectiv Communications Inc.

    Googling Conectiv Communications gives us this:

    Conectiv Communications offered voice and data services to residential and business customers in Delaware, Maryland, New Jersey, and Pennsylvania. Cavalier Telephone focuses on similar customers in the same region, offering local, long-distance, internet dial-up, and high-speed DSL service across the mid-Atlantic region.
    http://www.conectiv.com/civ/news/pre...ses/011115.cfm

    Telnetting to that address just prompts for a password. This usually means some sort of router.

    So my best guess? It's a DSL (l)user that's using a hacker's (read: script kiddie) tool.
    If you're properly firewalled just ignore it. It will go away eventually.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Banned
    Join Date
    Apr 2003
    Posts
    3,839
    You can also download NeoTrace and trace IPs yourself...

    These are the results I got...

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Thanks, guys.
    I did try tracert but it just timed out. I think I'll have to get NeoTrace; I've heard it's a pretty good tool. Thanks for the info anyway.

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by jinxy
    Thanks, guys.
    I did try tracert but it just timed out. I think I'll have to get NeoTrace; I've heard it's a pretty good tool. Thanks for the info anyway.
    Both work on the same principle. NeoTrace just has a nicer interface and is able to look up those AS numbers to get a location.

  6. #6
    Junior Member
    Join Date
    Jun 2003
    Posts
    8
    C:\>tracert 63.238.172.48

    Tracing route to de-dsl-63-238-172-48-static.dsl.cavtel.net [63.238.172.48]
    over a maximum of 30 hops:

    11 311 ms 500 ms 311 ms above-gw.cgcil.ip.att.net [192.205.32.197]
    12 330 ms 240 ms 231 ms 12.123.3.57
    13 521 ms 250 ms 240 ms gbr1-p20.phlpa.ip.att.net [12.122.2.18]
    14 481 ms 501 ms 230 ms gbr1-p10.phlpa.ip.att.net [12.122.12.98]
    15 230 ms 240 ms 231 ms gar1-p360.phlpa.ip.att.net [12.123.137.21]
    16 240 ms 240 ms 241 ms 12.125.176.170
    17 230 ms 271 ms 240 ms delmar-209-137-166-66-dsl.cavtel.net [209.137.166.66]
    18 351 ms 240 ms 240 ms 63.238.168.5
    19 280 ms 301 ms 360 ms de-dsl-63-238-172-48-static.dsl.cavtel.net [63.238.172.48]

    Trace complete.


    Hey, I got the route traced. Can anyone explain this stuff to me?
    I am different but not indifferent
    http://www.AntiOnline.com/sig.php?imageid=382

  7. #7
    Leftie Linux Lover the_JinX
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    Hey dude, nice nick.

    I agree, it's probably a kid messing with some kiddy toys..

    As long as you don't have a Sub7 server running, it's harmless!!
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  8. #8
    Junior Member
    Join Date
    Jun 2003
    Posts
    8
    How do you know when a Sub7 server is running?

  9. #9
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    It could be a script kiddie... or a zombie.
    The guy behind the attack may be a dummy... or a malicious hacker.

    Be aware that your firewall logs only what it is configured to. It won't tell you what came through.
    I'd advise you to
    - create a specific firewall rule for the IP address to stop any further attempt from that computer, or set up a sniffer or NIDS to catch any flows from the IP address
    - and check your file system integrity.

    It's probably someone playing with a freeware tool, but who knows!!!
    SHARING KNOWLEDGE

  10. #10
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Originally posted here by neonstow
    How do you know when a Sub7 server is running?
    Most AV should warn you or even attempt to automatically remove Sub7. Most servers like Sub7 servers will be running at startup. You can manually check for malware by looking for weird files, ports, registry keys, etc. But a nice and up-to-date AV and trojan remover will do half the work for you, and much more quickly.
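The two pieces of advice above (post #9: pull everything the suspect IP did out of the firewall log and remember that a block-only log hides what was allowed; post #10: check for a Sub7 server by looking at ports) can be combined into a small triage script. This is an added example, not code from any poster in this thread. The log lines are constructed in a generic "ACTION PROTO src -> dst" format and are not the original poster's log; the only factual assumption is Sub7's well-known default listener port, 27374.

```python
import re
import socket
from collections import Counter

# Sub7's default server port. Later builds could be configured to use
# other ports, so a clean result here is not proof of a clean machine.
SUB7_DEFAULT_PORT = 27374

# Constructed sample firewall log (generic format, not from the original post).
# The ALLOW line illustrates post #9's point: only if the firewall logs
# permitted traffic too can you see what actually got through.
SAMPLE_LOG = """\
2003-06-10 21:05:11 BLOCK TCP 63.238.172.48:4321 -> 192.168.1.10:27374
2003-06-10 21:05:14 BLOCK TCP 63.238.172.48:4322 -> 192.168.1.10:27374
2003-06-10 21:06:02 BLOCK ICMP 205.188.1.1 -> 192.168.1.10
2003-06-10 21:07:40 ALLOW TCP 63.238.172.48:4330 -> 192.168.1.10:139
2003-06-10 21:08:05 BLOCK UDP 63.238.172.48:1024 -> 192.168.1.10:1900
"""

# One line: timestamp, action, protocol, src[:port] -> dst[:port]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"]) if d["sport"] else None
        d["dport"] = int(d["dport"]) if d["dport"] else None
        events.append(d)
    return events


def triage(events, suspect_ip):
    """Summarise what one remote address did: counts, allowed flows, Sub7 probes."""
    hits = [e for e in events if e["src"] == suspect_ip]
    return {
        "total": len(hits),
        "blocked": sum(1 for e in hits if e["action"] == "BLOCK"),
        # Anything the firewall let through deserves a closer look.
        "allowed": [(e["ts"], e["proto"], e["dport"])
                    for e in hits if e["action"] == "ALLOW"],
        "sub7_probes": sum(1 for e in hits if e["dport"] == SUB7_DEFAULT_PORT),
        "ports": Counter(e["dport"] for e in hits if e["dport"] is not None),
    }


def port_open_locally(port, host="127.0.0.1", timeout=0.5):
    """True if something on this machine accepts TCP connections on host:port.

    A quick check for post #10's "look for weird ports": a listener on the
    Sub7 default port is a strong hint, but absence is not proof.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    report = triage(parse_log(SAMPLE_LOG), "63.238.172.48")
    print("events from suspect:", report["total"], "blocked:", report["blocked"])
    print("Sub7 default-port probes:", report["sub7_probes"])
    print("allowed flows:", report["allowed"])
    print("Sub7 port listening locally:", port_open_locally(SUB7_DEFAULT_PORT))
```

The report only reflects what the firewall wrote down; if it logs blocks but not allows, the `allowed` list is empty by construction, which is exactly the blind spot post #9 warns about. Keep the firewall rule for the address, but treat a sniffer or NIDS capture as the authoritative record of the flows.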
