Thanks for that piece of info, as I couldn't seem to find a contact
number for that network...
> -----Original Message-----
> From: Fred Herman [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, April 07, 2000 3:41 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Hacked?
>
> "Burke, Thomas G." wrote:
> >
> > OK, here's the deal...
> >
> > Big, and in sections (separated by tildes (~))... As an aside, I have just
> > added 165.113.216.6 to my hosts.deny file...
> >
> > Sections include tcpdump, log files, and a traceroute... I cannot nslookup
> > what appears to be the offending host (165.113.216.6) (nor can I whois him)...
> > I can, however, ping, telnet, ftp to this box (although I don't know the
> > passwords)... It doesn't seem to have a name (interesting)...
> >
> > So, this said, it would appear to me that this box is attached to a network
> > where the admin doesn't know it exists.
> >
> > What I appear to be seeing is a series of messages of some sort from this
> > machine to mine (on different, successive ports)... My machine seems to
> > talk back to this machine as well (on different, successive ports). Shortly
> > after the talking occurs, my machine starts trying to blast a gazillion
> > packets out to different machines - it looks as if I am being used as part
> > of a DOS attack of some sort. Fortunately, my firewall seems to be blocking
> > me from sending this crap out to the world.
> >
> > There seems to be some correlation between some of the talking between mine
> > & the mystery machine to what the firewall is blocking, but I can't tell
> > exactly what. It seems almost as if there is a daemon running on my machine
> > for this, but I can find no evidence of it... I have looked through my rc.d
> > directories, and none of them seem to be modified...
> >
> > I have gone through my box, and I see no evidence of a successful break-in,
> > except for the fact that my machine is talking to some other machine. So,
> > here are the questions:
> >
> > 1) Have I been broken into, and how?
> > 2) If I have been compromised, how can I find the daemons that may be
> > running to do this talking?
> > 3) What can I do to keep this from happening again?
> >
> > In a nutshell... What the heck is going on here?!
> The IP seems to be in the address block for crl.com. Their web site
> gives an 800 number:
>
> 800-727-0793
>
> Give them a buzz and ask to talk to network security about a possible
> intrusion.
>
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
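The symptoms in the quoted mail (a peer talking to the box on successive ports, the box answering on successive ports, then a burst of outbound packets to many different hosts) can be pulled out of a tcpdump capture mechanically. The script below is an added example and is not part of the original thread: it parses a small constructed set of tcpdump-style lines (TEST-NET addresses 192.0.2.10 as the mystery peer, 198.51.100.5 as the local box and 203.0.113.x as flood targets, none of them the hosts in the mail) and reports the consecutive-port peer, the first window in which the local host fans out to many destinations, and the lag between the two, which is the correlation the author says he could not pin down by eye.

```python
"""Detect the two traffic patterns described in the thread from a packet log.

Added example, not from the original mailing-list thread. All addresses
are constructed TEST-NET placeholders, not the real hosts discussed.
"""
import re
from collections import defaultdict

LOCAL = "198.51.100.5"  # our machine (constructed address)

# Constructed tcpdump-style lines: a peer (192.0.2.10) talks to us on
# successive ports, we answer on successive ports, then we start firing
# packets at many different hosts. Not real traffic.
SAMPLE_LOG = """\
15:41:00.100 192.0.2.10.4001 > 198.51.100.5.31337: udp 12
15:41:00.200 198.51.100.5.31337 > 192.0.2.10.4001: udp 8
15:41:00.300 192.0.2.10.4002 > 198.51.100.5.31338: udp 12
15:41:00.400 198.51.100.5.31338 > 192.0.2.10.4002: udp 8
15:41:00.500 192.0.2.10.4003 > 198.51.100.5.31339: udp 12
15:41:00.600 198.51.100.5.31339 > 192.0.2.10.4003: udp 8
15:41:02.000 198.51.100.5.1024 > 203.0.113.1.80: S 1:1(0) win 512
15:41:02.010 198.51.100.5.1025 > 203.0.113.2.80: S 1:1(0) win 512
15:41:02.020 198.51.100.5.1026 > 203.0.113.3.80: S 1:1(0) win 512
15:41:02.030 198.51.100.5.1027 > 203.0.113.4.80: S 1:1(0) win 512
15:41:02.040 198.51.100.5.1028 > 203.0.113.5.80: S 1:1(0) win 512
15:41:02.050 198.51.100.5.1029 > 203.0.113.6.80: S 1:1(0) win 512
15:41:09.000 198.51.100.5.2000 > 203.0.113.7.53: udp 40
"""

# "HH:MM:SS.frac src.port > dst.port:" is the classic tcpdump line prefix
LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+(?:\.\d+)?)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+)\s+>\s+(\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse(log):
    """Turn tcpdump-style lines into (seconds, src, sport, dst, dport) tuples."""
    pkts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in a format we don't handle
        h, mi, s, src, sport, dst, dport = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        pkts.append((ts, src, int(sport), dst, int(dport)))
    return pkts


def successive_port_peers(pkts, local=LOCAL, min_run=3):
    """Remote hosts that hit `local` on consecutive, increasing ports.

    Returns {peer: longest_run} for runs of at least `min_run` ports,
    i.e. the "messages on successive ports" pattern from the mail.
    """
    ports_by_peer = defaultdict(list)
    for _, src, _, dst, dport in sorted(pkts):
        if dst == local:
            ports_by_peer[src].append(dport)
    hits = {}
    for peer, ports in ports_by_peer.items():
        best = run = 1
        for prev, cur in zip(ports, ports[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[peer] = best
    return hits


def outbound_fan_out(pkts, local=LOCAL, window=1.0, min_hosts=5):
    """First `window`-second span in which `local` sends to >= `min_hosts` hosts.

    Returns (window_start, distinct_host_count) or None. Many distinct
    destinations in a short burst is the "used in a DoS" symptom; the
    destination count matters here, not the source ports.
    """
    out = sorted((ts, dst) for ts, src, _, dst, _ in pkts if src == local)
    for i, (start, _) in enumerate(out):
        hosts = {dst for ts, dst in out[i:] if ts - start <= window}
        if len(hosts) >= min_hosts:
            return start, len(hosts)
    return None


def triage(log, local=LOCAL):
    """Tie the two signals together: who talked to us, and how soon after did we flood?"""
    pkts = parse(log)
    peers = successive_port_peers(pkts, local)
    flood = outbound_fan_out(pkts, local)
    report = {"controller_candidates": peers, "flood": flood, "lag_seconds": None}
    if peers and flood:
        last_contact = max(ts for ts, src, _, dst, _ in pkts
                           if dst == local and src in peers)
        report["lag_seconds"] = round(flood[0] - last_contact, 3)
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Feeding the real capture through `parse` instead of `SAMPLE_LOG` gives the peer list and the flood onset; a short lag between the last inbound packet from a consecutive-port peer and the outbound burst is strong evidence of a controlled process on the box, which is what to look for next with a process and socket listing rather than in rc.d.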