Date:      Sun, 9 Jul 2000 13:53:16 -0400
From:      "Troy Settle" <troy@picus.com>
To:        <dave@allunix.com>, <freebsd-isp@freebsd.org>
Subject:   RE: port 113(hack attack?)
Message-ID:  <FCEELIAEIIECDGKKJLMIEEENCAAA.troy@picus.com>
In-Reply-To: <200007081646540580.0158100A@web4.allunix.com>


Install identd.  /usr/ports/security/pidentd

It will make some things work a bit faster.  IIRC, even sendmail and other
MTAs will try an ident request these days.
--
  Troy Settle
  Network Analyst
  Picus Communications
  540.633.6327


  -----Original Message-----
  From: owner-freebsd-isp@FreeBSD.ORG [mailto:owner-freebsd-isp@FreeBSD.ORG] On Behalf Of David W. DeTinne
  Sent: Saturday, July 08, 2000 7:47 PM
  To: freebsd-isp@freebsd.org
  Subject: port 113(hack attack?)

  I have log_in_vain set in my rc.conf file. Ever since doing this I have witnessed
  all sorts of connection attempts to port 113, here are some examples:

  Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2132
  Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2133
  Connection attempt to TCP 24.11.229.88:113 from 130.236.254.50:61744
  Connection attempt to TCP 24.11.229.88:113 from 130.236.254.50:61746
  Connection attempt to TCP 24.11.229.88:113 from 131.220.43.1:3056
  Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2211
  Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2228
  Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2229
  Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2234
  Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2250
  Connection attempt to TCP 24.11.229.88:113 from 209.161.0.33:2966
  Connection attempt to TCP 24.11.229.88:113 from 203.178.141.212:4723

  The /etc/services file states that port 113 is used for an Authentication Service?

  My question is, what is happening here, is someone trying to access my system or is this normal?

  Thank You,

  David DeTinne
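
One way to triage the log lines quoted above, added here as an example and not part of either poster's message: it groups log_in_vain entries by destination port and source, and marks port 113 hits from hosts this machine recently connected to as ident (RFC 1413) callbacks. The `outbound_peers` set and the port 23 sample line are constructed assumptions; the other sample lines are taken from the post.

```python
import re
from collections import Counter

# Shape of the log_in_vain messages as quoted in the post.
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)
IDENT_PORT = 113  # "auth" in /etc/services: Identification Protocol, RFC 1413


def parse(lines):
    """Yield (proto, dst_port, src_ip) for each log_in_vain line; skip others."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], int(m["dport"]), m["src"]


def triage(lines, outbound_peers):
    """Count attempts per (dst_port, src_ip) and attach a triage label.

    outbound_peers: IPs this host recently connected to (assumption: collected
    separately, e.g. from mail or proxy logs). A server that receives our
    connection may query port 113 on us, so those hits are expected.
    """
    counts = Counter((dport, src) for _, dport, src in parse(lines))
    report = {}
    for (dport, src), n in counts.items():
        if dport == IDENT_PORT and src in outbound_peers:
            label = "ident callback"
        elif dport == IDENT_PORT:
            label = "ident, no matching outbound"
        else:
            label = "other closed port"
        report[(dport, src)] = (n, label)
    return report


# First four lines are from the post; the port 23 line is constructed.
SAMPLE = """\
Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2132
Connection attempt to TCP 24.11.229.88:113 from 216.190.128.200:2133
Connection attempt to TCP 24.11.229.88:113 from 130.236.254.50:61744
Connection attempt to TCP 24.11.229.88:113 from 131.220.43.1:3056
Connection attempt to TCP 24.11.229.88:23 from 192.0.2.7:4000
""".splitlines()
PEERS = {"216.190.128.200", "130.236.254.50"}  # constructed for the example

if __name__ == "__main__":
    for (port, src), (n, label) in sorted(triage(SAMPLE, PEERS).items()):
        print(f"{port:>5} {src:<16} {n:>3}  {label}")
```

Sources labelled "ident, no matching outbound" are the ones worth a second look; the rest match the ident lookups the reply describes.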








