Suspicious Diald Attempts to msnialogin.passport.com:443 Etc

2003-08-31 Thread Mark Hammer
Every time I boot into linux, diald automatically dials up.  I
tracked this down to the following series of connection attempts:

  65.54.131.249:443
equivalent to https://msnialogin.passport.com

  207.46.106.191:1863
name = baym-cs191.msgr.hotmail.com

  4.65.209.127:1901
  4.65.209.127:1975
name = lsanca1-ar22-4-65-209-127.lsanca1.dsl-verizon.net

  207.68.171.238:80
equivalent to http://msimg.com

This has me very concerned.  I recently did a dist-upgrade to the
testing distribution, and was expecting that the diald dialup was
being triggered by an exim cronjob or something.  But this is not
e-mail, and it looks very suspicious to me.

When I investigate the first link in a web browser, I am taken to
https://login.passport.net/uilogin.srf page, probably through
forwarding.  That is a .NET Passport Sign-in page.  I am not
seeing any automatic connections there through dctrl however, just
through my mozilla firebird when I investigate.

The next three connections (to two hosts) that I see by watching
dctrl are even more disturbing, since the names that are resolved
look like other dialup connections, but not through my ISP.  I think
that port 1863 might be used by MSN messenger, judging from google
searches.  Ports 1901 and 1975 don't turn up anything that I
recognize.  I do not have squid installed.

The last connection might have happened after I started investigating
things with a web browser.  I am not sure.  I didn't go there, but
it might have been an ad or something.  But the msimg.com domain
might have something to do with micro$loth something or other.

I cannot seem to get lsof to tell me anything.  Any ideas?

Thanks,
David Crane


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Annoying Port 135 Connection Attempts

2003-08-31 Thread Mark Hammer
I am getting many connection attempts to my port 135 from outside.  
They appear to be coming from other dialin connections to my ISP.  
This is the port that micro$loth left open to attack, which the 
MSblaster worm has been using.

I know that my linux box isn't vulnerable, and that I've got 
nothing listening to the port.  But each of these connection 
attempts is triggering my diald to stay connected, so it is a major 
annoyance.

Is there an obvious way to stop these attempts?  Or is there a way 
to modify my /etc/diald/diald.defaults filters?  Here is what I 
have done, which is admittedly simplistic:

# I commented out the standard.filter include statement above,
# since it was setting timeouts of 30 seconds for DNS lookups
# (udp.domain), and 120 seconds for HTTP (tcp.www).  This is too
# short for web browsing, so I blanket changed everything to:
# For any UDP, give 5 more minutes up time.  For TCP, 20 minutes.
accept udp 300 any
accept tcp 1200 any

Thanks,
David


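As an added example (not the poster's configuration, and not shipped with diald), here is a filter fragment for /etc/diald/diald.defaults that keeps the blanket accept rules from the post but stops inbound port 135 probes from bringing the link up or extending its timeout. It assumes the diald filter language as described in diald-examples(5): rules are evaluated in file order with first match winning, `ignore` takes no timeout, and a numeric port constant is accepted on the right-hand side of `tcp.dest=` / `tcp.source=` (if your diald only accepts names, use the name /etc/services gives port 135, e.g. tcp.epmap).

```conf
# Added example: /etc/diald/diald.defaults filter fragment.
# diald evaluates filter rules in order, first match wins, so the
# ignore rules must come before the blanket accept rules.

# Inbound probes to port 135 (epmap / loc-srv in /etc/services): do not
# bring the link up for them and do not extend the link timeout.
ignore tcp tcp.dest=135

# The kernel answers a closed port with a RST sent from port 135. That
# reply is TCP traffic too, so it must be ignored as well or it would
# still match the blanket "accept tcp" rule and re-arm the timeout.
ignore tcp tcp.source=135

# Everything else keeps the timeouts from the original post:
# UDP extends the link by 5 minutes, TCP by 20 minutes.
accept udp 300 any
accept tcp 1200 any
```

Note the limits of this: an `ignore` rule only stops diald from counting the packets, it does not block them, and the probes still cost you a kernel RST each. If you also drop them at the firewall on the ppp interface (for example `iptables -A INPUT -i ppp0 -p tcp --dport 135 -j DROP` on a 2.4 kernel), no RST is generated at all, which removes the second rule's reason for existing. Restart diald after editing the filter file, and verify with dctrl or the diald log that a port 135 attempt no longer shows up as a link-holding connection.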