unknown user

Printable View

May 9th, 2002, 08:55 PM
britfanjr

unknown user

hey, i couldn't find an appropriate answer on the web so i thought i would ask ya'll. a few days ago i did a finger on my solaris 7 box and found something that puzzled me

jobrien ???
cdemoss Craig R. Demoss *pts/6 3:13 Mon 16:40 12.105.102.231

my question is do any of ya'll know why user jobrien has the question marks for real name and nothing for pts, date, or location. also jobrien is not a valid user name. have i been hacked or can this sort of thing happen? i checked my syslogs and messages files to see if there was any unusual activity, and there wasn't. any help would be appreciated

thanks,
britfanjr
May 9th, 2002, 09:00 PM
cybermagellan

I don't know who that would be but maybe run a whois on them and see what the IP comes up as, I mess with Windows so I really would know that log means...sorry
May 9th, 2002, 09:04 PM
cybermagellan

AT&T ITS (NET-ATT) ATT 12.0.0.0 - 12.255.255.255
MORGAN KEEGAN COMPANY (NETBLK-MORGAN-KEE247-102) MORGAN-KEE247-102
12.105.102.0 - 12.105.102.255

That is who it comes back as so if you were hacked you may want to call these people....for more info goto...

http://www.arin.net
May 9th, 2002, 09:34 PM
britfanjr

thanks cybermagellan i will start there
May 9th, 2002, 09:44 PM
cybermagellan

Remember that I said I mess with Windows not Linux so I don't know if you have been hacked I am just saying that is a good site and that is who it is.....may want to ask some linux people before you go accusing....
May 9th, 2002, 09:50 PM
britfanjr

yeah, i'll wait until i know for certain before i accuse anyone. thanks again for the help
May 9th, 2002, 10:02 PM
cybermagellan

NP, anything to help
May 9th, 2002, 10:07 PM
Airhead

Don't forget that with Klez, not only is the "From" address spoofed, it typically comes from an infected machine where the owner is unaware of the infection. Not only that, but we had a lengthy discussion a week or so ago about whether or not other aspects of the header had been mangled enough by the virus that one may or may not be able to tell the source of the infected machine. You can read the discussion here
May 9th, 2002, 10:22 PM
bombayofpigs

d00d its freakin ATT that owns the netblock.
May 9th, 2002, 10:26 PM
bombayofpigs

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Justin Cianci>ping www.morgankeegan.com

Pinging www.morgankeegan.com [12.104.221.150] with 32 bytes of data:

Reply from 12.104.221.150: bytes=32 time=95ms TTL=237
Reply from 12.104.221.150: bytes=32 time=101ms TTL=237
Reply from 12.104.221.150: bytes=32 time=94ms TTL=237
Reply from 12.104.221.150: bytes=32 time=92ms TTL=237

Ping statistics for 12.104.221.150:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 92ms, Maximum = 101ms, Average = 95ms

C:\Documents and Settings\Justin Cianci>cd..

C:\Documents and Settings>cd..

C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>
C:\>ping www.morgankeegan.com

Pinging www.morgankeegan.com [12.104.221.150] with 32 bytes of data:

Reply from 12.104.221.150: bytes=32 time=91ms TTL=237
Reply from 12.104.221.150: bytes=32 time=87ms TTL=237
Reply from 12.104.221.150: bytes=32 time=87ms TTL=237
Reply from 12.104.221.150: bytes=32 time=108ms TTL=237

Ping statistics for 12.104.221.150:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 87ms, Maximum = 108ms, Average = 93ms

C:\>