Just to reiterate, I'd simply dig or nslookup the ip addresses (or use one of the many nslookup webpages) and see if they have some contact info. Really all you care about at this point is passing off some information to the admin that it looks like he has some nefarious activity on his network. You might also want to give him your ip address (and maybe mac) so he can sift your info out of any forensics he may do. Anything else is just kibitzing.
Kevin Quoting Mike Owen <[EMAIL PROTECTED]>: > > Just to clarify some of the confusion: > > I'm looking at logs on *my* email server, and network packet captures > from *my* network. My email server is sending out ident requests, to > port 113 on the affected destination servers. The replies received, > instead of being in the standard format as dictated by RFC 1413, are > coming back with the "220 ..:: lit-Crw Rulez ::..." and "530 Not > logged in..." messages. These messages are coming from the destination > servers. As an earlier poster stated, they fit the format of an ftp > transaction, aka RFC 959. > > My server is (to my knowledge) acting fine. Most destination servers > return a correctly formatted ident reply when my server contacts them. > I'm only receiving the "220 ..:: lit-Crw Rulez ::..." messages from > 6 (six) distinct IPs. > > The comment about the backdoor was idle speculation upon my part about > what these messages signified. After reviewing RFC 959 (ftp), I'm > quite certain they are in fact coming from an ftp daemon listening on > port 113 (ident). > > I don't really want to post IPs here to a public mailing list, but > they appear to be scattered through the US/Europe. > > I hope this clears things up. > > Mike >
