Below is some information that may be of interest.  One thing you should
note is the port number being used on the IP numbers.

I don't know the format of the log entry, so I'm guessing that an entry
has a source and destination IP.

I would think from that with the IP for dontuthink.com/serensoft.com that
you shouldn't be seeing those packets.  But it looks like you're on a
cable and only the ISP knows what IPs are out there on that particular
cable.

-----------------       start of probe --------------

   Domain Name: DONTUTHINK.COM
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS.SERENSOFT.COM
   Name Server: NS1.ZONEEDIT.COM
   Name Server: NS5.ZONEEDIT.COM
   Updated Date: 05-nov-2001

Getting host by address
Name = (OSPF-ALL.MCAST.NET)
Addresses: 224.0.0.5

   Domain Name: MCAST.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: NS.ISI.EDU
   Name Server: VENERA.ISI.EDU
   Name Server: NS.SGI.COM
   Name Server: DNSAUTH1.SYS.GTEI.NET
   Name Server: DNSAUTH2.SYS.GTEI.NET
   Name Server: DNSAUTH3.SYS.GTEI.NET
   Updated Date: 05-nov-2001

Getting host by address
Name = (cable-z-221.sigecom.net)
Addresses: 63.121.237.221

   Domain Name: SIGECOM.NET
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: DNS1.SIGECOM.COM
   Name Server: DNS2.SIGECOM.COM
   Updated Date: 05-dec-2001

Getting host by address
Name = (cable-u-177.sigecom.net)
Addresses: 63.110.253.177

Getting host by address
Name = (cable-gg-241.sigecom.net)
Addresses: 65.195.103.241

Getting host by address
Name = (cable-bb-255.sigecom.net)
Addresses: 65.195.98.249

getting host by name
Name = (serensoft.com)
Addresses: 208.33.90.85

getting host by name
Name = (dontuthink.com)
Addresses: 208.33.90.85

---------------------   end of probe    -----------------------

-- 
Sincerely,

David Smead
http://www.amplepower.com.

On Sat, 20 Apr 2002, will trillich wrote:

> On Fri, Apr 19, 2002 at 11:29:51AM -0700, Vineet Kumar wrote:
> > * dman ([EMAIL PROTECTED]) [020419 09:10]:
> > Well, there may be other issues on the table here. Will's original
> > question was "can I tell if I've been hacked?" His exim setup could be
> > sound, but it's definitely feasible that a rootkit could install a mail
> > relay listening on another port and sending out a ton of spam
> > unbeknownst to ps and top. Are your hub lights blinking, Will?
>
> yep. lots.
>
> when i first set up ipCop (ipcop.org) i got about 18mb of
> logfile in one afternoon from the default firewall logging rules
> (via ipchains on potato):
>
> Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 
> 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x0000 T=1 (#8)
> Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 
> 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x0000 T= 1 (#8)
> Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 
> 63.121.237.41:65535 224.0.0.5:65535 L=64 S=0x00 I=21743 F=0x0000 T=1 (#8)
> Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 
> 65.195.103.241:65535 224.0.0.5:65535 L=64 S=0x00 I=21747 F=0x0000 T= 1 (#8)
> Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 
> 65.195.98.249:65535 224.0.0.5:65535 L=64 S=0x00 I=21753 F=0x0000 T=1 (#8)
>
> hundreds upon thousands of those, from the moment the firewall
> (ipcop v0.1.1) came up. to keep from sucking up all available
> space, i deleted the final (reject-and-log) rule of the incoming
> ruleset...
>
> is all this activity from a goofy setup by my isp?  is it
> something i'm doing?  surely this much probing must mean
> something...
>
> > If that rootkit was installed by somebody exploiting a samba which
> > should have been blocked from The Outside, this could potentially have
> > been prevented if a packet filter was installed to allow incoming
> > connections only to tcp/25.
>
> no samba -- never had it, never will. (considered it at home, but
> figured out a better way.)
>
>



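For reference, an added example (not from anyone in this thread) that parses ipchains "Packet log" lines in the format quoted above and separates OSPF hello chatter (IP protocol 89 sent to the AllSPFRouters group 224.0.0.5 with TTL 1; the 65535 "ports" are placeholders because OSPF has no port field) from TCP/UDP packets aimed at a real port, which is the part of a firewall log worth keeping. The sample lines are constructed, and the field and function names are my own.

```python
import re
from collections import Counter

# Constructed sample input modelled on the ipchains log lines quoted in the
# thread (unwrapped onto one line each); the third line is a made-up TCP packet
# to port 139 from a documentation-range address.
SAMPLE_LOG = """\
Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.64.14.221:65535 224.0.0.5:65535 L=64 S=0x00 I=21723 F=0x0000 T=1 (#8)
Apr  2 12:18:41 troll kernel: Packet log: input - eth1 PROTO=89 63.110.253.177:65535 224.0.0.5:65535 L=64 S=0x00 I=21731 F=0x0000 T= 1 (#8)
Apr  2 12:18:42 troll kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:4321 192.0.2.10:139 L=60 S=0x00 I=40001 F=0x4000 T=51 (#8)
"""

# One regex for the fixed-order ipchains fields; "T=\s*" tolerates the
# "T= 1" spacing seen in the quoted log.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=\s*(?P<ttl>\d+)"
)

OSPF = 89                       # IP protocol number for OSPF
ALL_SPF_ROUTERS = "224.0.0.5"   # OSPF-ALL.MCAST.NET in the whois output above
ALL_D_ROUTERS = "224.0.0.6"     # designated-router group, same link-local scope


def parse_line(line):
    """Return a dict of fields for an ipchains Packet log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "ttl"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Label a parsed record: routing noise vs. traffic worth keeping logged."""
    if rec["proto"] == OSPF and rec["dst"] in (ALL_SPF_ROUTERS, ALL_D_ROUTERS) and rec["ttl"] == 1:
        return "ospf-hello-noise"   # link-local hellos from routers on the same cable segment
    if rec["dst"].startswith(("224.", "239.")):
        return "other-multicast"
    if rec["proto"] in (6, 17):     # TCP or UDP to a real port: keep and review
        return "unicast-tcp-udp"
    return "other"


def summarize(text):
    """Count each category over a block of log text; unparsable lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec)] += 1
    return dict(counts)
```

Once the OSPF hellos are identified this way, a silent DENY rule for protocol 89 to 224.0.0.5 placed before the final reject-and-log rule keeps the log small without dropping the logging of everything else.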