> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, June 17, 2000 1:34 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: unknown ports
>
>
> Generally speaking...this looks safe, although looks can be deceiving.
> These connections are all outbound connections. Something is
> sending mail, or at least attempting to look like it is. A
> quick look at the service your computer is connecting to reveals this:
>
> telnet smtp2.oneintranet.com.ph 1069
> Connecting To smtp2.oneintranet.com.ph...Could not open a
> connection to host on port 1069
> : Connect failed
>
I'm not worried about this. It's our internal DNS server domain and mail.
That's why I named it oneintranet :-)
> telnet smtp2.oneintranet.com.ph 1115
> Connecting To smtp2.oneintranet.com.ph...Could not open a
> connection to host on port 1115
> : Connect failed
>
> Using a browser to connect to 216.33.199.96 on port 80 gives this:
>
> 216.33.199.96 - /
>
> --------------------------------------------------------------------------------
>
> 6/15/00 6:07 PM <dir> Ads
>
> looks like an ad server of some kind.
> Finally, a quick connection to 216.35.217.189 on port 17027 reveals:
>
> telnet 216.35.217.189:17027
> Connecting To 216.35.217.189:17027...Could not open a
> connection to host: Connect failed
>
> This leads me to believe that your computer is getting what
> it's asking for.
> And it is allowed access to these host/port combinations,
> mine isn't. Here is the registration info on the IP addresses:
>
> Exodus Commnications Inc. (NETBLK-ECI-7)
> 1605 Wyatt Dr. Santa Clara, CA
> 95054US
> US
>
> Netname: ECI-7
> Netblock: 216.32.0.0 - 216.35.255.255
> Maintainer: ECI
I'm interested in this. How were you able to get the owner of the netblock?
>
> Coordinator:
> Center, Network Control (NOC44-ARIN) [EMAIL PROTECTED]
> 1.888.2.Exodus (FAX) 1.888.2.Exodus
>
> Domain System inverse mapping provided by:
>
> NS.EXODUS.NET 206.79.230.10
> NS2.EXODUS.NET 207.82.198.150
>
> * Rwhois reassignment information for this block is available at:
> * rwhois.exodus.net 4321
>
> ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
>
> Record last updated on 09-Mar-2000.
> Database last updated on 16-Jun-2000 06:49:10 EDT.
>
>
>
> Is this your ISP???
Totally not.
>
>
> smtp2.oneintranet.com.ph
> I dunno about this one...I can't resolve that hostname to an
> IP. That is usually a bad sign for a home user. If you can
> resolve it but no one else can you have something strange
> going on there...check for a file named "hosts" using the
> search function. If there is one open it in notepad and see
> if there are any entries referring to that hostname.
>
> I don't want to give you cause for alarm. This is probably
> something your ISP is doing. I'd check with them just to be
> sure...sometimes looks can be deceiving. Better safe than sorry.
>
> Be sure to check us out at http://infosec.20m.com
> _________________________________________________
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
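
The hosts-file check suggested in the quoted message, as an added Python example that is not part of the original thread. The sample file contents and the 192.0.2.x addresses are constructed, and find_overrides and normalize are names chosen here for illustration.

```python
import ipaddress

# Constructed sample hosts file (not from the original thread); 192.0.2.0/24
# is a documentation range standing in for whatever address an entry might use.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
192.0.2.10      SMTP2.oneintranet.com.ph smtp2   # added by hand?
192.0.2.11      mail.example.net
not-an-ip       smtp2.oneintranet.com.ph
"""

def normalize(name):
    """Lower-case a hostname and drop a trailing root dot for comparison."""
    return name.rstrip(".").lower()

def find_overrides(hosts_text, hostname):
    """Return (line_no, ip, names) for each hosts entry that maps hostname.

    Lines whose first field is not a valid IP address are reported with
    ip=None so a malformed or tampered line is not silently ignored.
    """
    wanted = normalize(hostname)
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # strip comments, then tokenize
        if len(fields) < 2:
            continue  # blank, comment-only, or an address with no names
        addr, names = fields[0], [normalize(n) for n in fields[1:]]
        if wanted not in names:
            continue
        try:
            ip = str(ipaddress.ip_address(addr))
        except ValueError:
            ip = None
        hits.append((line_no, ip, names))
    return hits

if __name__ == "__main__":
    for line_no, ip, names in find_overrides(SAMPLE_HOSTS, "smtp2.oneintranet.com.ph"):
        status = ip if ip else "INVALID ADDRESS FIELD"
        print(f"line {line_no}: {status} -> {', '.join(names)}")
```

To run it against a real file, pass the file's text to find_overrides: the hosts file is in the Windows directory on Windows 9x, under %SystemRoot%\System32\drivers\etc on Windows NT/2000, and at /etc/hosts on Unix.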