Hi Yah, Thanks for replies...
Did some more searching, and the name/ID shown from CompuServe... Si Becker <[EMAIL PROTECTED]> actually shows up here: http://www.sockets.com/services.htm which lists all standard ports used :-

    smpte 420/tcp SMPTE
    smpte 420/udp SMPTE # Si Becker <[EMAIL PROTECTED]>

This is what I'm seeing on my logcheck reports...

    Portsentry had an alert to ns.xxxxxxxxxxxxxxx.com from the following IP address and port:
    211.174.38.152 22   <------ NOTE This IP changes all the time but port number stays the same
    Service:
    ssh 22/tcp SSH Remote Login Protocol
    ssh 22/udp SSH Remote Login Protocol # Si Becker <[EMAIL PROTECTED]>   <------- This is constant

Every time I have one of these notifications the IP owners are notified, along with a copy sent to CompuServe, but with over 20 of these notifications being sent out I haven't heard back from either CompuServe or any of the IP owners' sysadmins or ISPs. With doing the searching above I now think that the signature may be bogus - don't know.

Anyone else seen anything similar before????

If I do add the IPs to, say, hosts.deny I know they may be spoofed, so is there any script available for clearing hosts.deny after a certain time period?

Regards from Auckland
Chae
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
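
One way to do the timed clean-up of hosts.deny asked about above, as an added example that is not part of the original post. It assumes whatever adds a temporary block appends a "# added=<epoch seconds>" comment to the line; that tag, the function names, the sample data, the 644 mode and the cron path are all assumptions made for illustration.

```shell
#!/bin/sh
# Assumed convention (not from the post): a temporary block ends with the
# comment "# added=<epoch seconds>"; lines without that tag are permanent.

# expire_denies FILE TTL_SECONDS [NOW_EPOCH]
# Print FILE without the tagged entries that are older than TTL_SECONDS.
expire_denies() {
    now=${3:-$(date +%s)}
    awk -v ttl="$2" -v now="$now" '
        {
            # "# added=" is 8 characters; the digits follow it.
            if (match($0, /# added=[0-9]+[ \t]*$/)) {
                stamp = substr($0, RSTART + 8, RLENGTH - 8) + 0
                if (now - stamp > ttl) next   # expired: drop the entry
            }
            print                             # untagged or still fresh
        }' "$1"
}

# prune_denies FILE TTL_SECONDS [NOW_EPOCH]
# Rewrite FILE through a temp file in the same directory and rename it into
# place, so tcpd never reads a half-written file. Mode 644 is an assumption.
prune_denies() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if expire_denies "$1" "$2" "${3:-}" > "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample: 211.174.38.152 is the address quoted in the post, the
# other two are documentation addresses; all timestamps are made up.
sample_denies() {
    cat <<'EOF'
# permanent entries carry no tag
ALL: 192.0.2.10
ALL: 211.174.38.152 # added=1000000000
ALL: 198.51.100.7 # added=1000080000
EOF
}

# From root's crontab, hourly with a 24 h lifetime (path is an assumption):
#   0 * * * * . /usr/local/sbin/deny-expire.sh && prune_denies /etc/hosts.deny 86400
```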
