I tried resolving the address for 63.98.105.3. Not only could I not do a trace route, there was no ping response. Either nothing exists for that IP or he has a firewall eating (not dropping) ICMP packets. I tried doing a trace route on *.2, *.4 and DNS lookups for several other various IPs on that subnet. I could ping others, I just wouldn't do a DNS lookup on them. This individual could just have a good firewall.

FYI, to the best of my knowledge, Alter.Net is a Tier 1 provider which 90% of the second level ISPs use in my area. I am in the Southeast US, so I don't know if Alter.Net is dedicated to this one area or more.

On another note, if you have KICQ or another program open used to communicate outside of your system, it could just be that domain sending pings to see if you exist.

If he's only trying to hit your SMTP server, I'd just block 63.98.*.* and be done with it.

Normally I like to try to resolve IP addresses and make contact with the offending domain; I'm just like the other few who replied, unable to tell where it is without a lot more research.

Take Care!

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Pj
> Sent: Thursday, November 30, 2000 1:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [expert] Multiple attempted unauthorized accesses
>
>
> I have a personal firewall set up on my Winbloze box. As soon as I made
> it active I noticed I was being scanned constantly from a machine with
> the same DNS. After four hours, I used ARIN to find the DNS and Netblock
> owners and sent appropriate messages. I haven't been bothered over much
> since. The next day I checked my system for open ports at www.grc.com to
> verify I was running in a secure "stealth" mode.
>
> The good news is that this free firewall fouls scanner attempts and
> allows me to secure the most common open ports. The bad news is that
> ports in the much higher numbers remain open, and is the reason I am
> building a box specifically for a Linux firewall.
>
> I previously contacted the folks at ALTER net and sent logs. They were
> most helpful as they don't like hackers and spammers either.
>
> Pj
>
>
> bill wrote:
> >
> > On Wed, 29 Nov 2000, gene wrote:
> >
> > > There is an ip number that started showing up in my postfix logs
> > > as trying to access my smtp server (and access was apparently
> > > denied each time). I assumed that someone was trying to use
> > > my machine as a relay. To make sure that they can't get through,
> > > I blocked the ip address using ipchains. In one day, I now
> > > see over 600 failed attempts to access my computer. Should I
> > > just ignore this now that ipchains is blocking them, or is this
> > > something that should worry me?
> > >
> > > More details:
> > > ipchains message (my ip # x-ed out to protect the innocent):
> > > Nov 28 23:59:07 duck kernel: Packet log: input DENY eth1 PROTO=1
> > > 63.98.105.3:8 208.xxx.xxx.xx1:0 L=60 S=0x00 I=6793 F=0x0000 T=114 (#1)
> > >
> > > nslookup for 63.98.105.3 gives nothing.
> > > traceroute ends at readersdigest-gw.customer.alter.net (157.130.210.42)
> > >
> >
> > You may want to ask Civileme at mandrakeuser forum if you don't get a
> > response from this list concerning how to get in touch with the culprit's
> > ISP. He is quite knowledgeable about those kinds of issues, among other
> > things. The Red Hat List used to have all kinds of hacked notices and
> > several of their authorities were very helpful as well.
> >
> > Perhaps the Mandrake Folks could have a place to input problems like
> > some of us have. I know there is a Mandrake Security Group or List out
> > there but I think it mostly deals with things like that wuftpd flaw.
> > Why they still use it as a default ftp server on their CD's I am
> > somewhat puzzled !?
> >
> > Wish I actually had a concrete answer
> >
> > William Bouterse
> > Talkeetna
> >
> > ---------------------------------------------------------------
> > Keep in touch with http://mandrakeforum.com:
> > Subscribe the "[EMAIL PROTECTED]" mailing list.
> >
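Added example, not part of the thread: a small parser for the ipchains "Packet log" line quoted above, showing how to read what was actually denied before deciding whom to contact or what to block. It relies on the ipchains convention that, for ICMP (PROTO=1), the two port fields carry the ICMP type and code; the second sample line is constructed for contrast and the function names are illustrative.

```python
import re
from collections import Counter

# ipchains "Packet log" layout: chain, target, interface, protocol number,
# then source and destination as address:port. For ICMP (protocol 1) ipchains
# reuses the two port slots for the ICMP type and code.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\dx.]+):(?P<sport>\d+) (?P<dst>[\dx.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable",
              8: "echo-request", 11: "time-exceeded"}


def parse_line(line):
    """Return a dict describing one logged packet, or None if not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    rec["protocol"] = PROTOCOLS.get(rec["proto"], str(rec["proto"]))
    if rec["proto"] == 1:  # ICMP: "ports" are really type and code
        rec["icmp_type"] = ICMP_TYPES.get(rec["sport"], str(rec["sport"]))
        rec["icmp_code"] = rec["dport"]
        rec["summary"] = f"icmp {rec['icmp_type']} from {rec['src']}"
    else:
        rec["summary"] = f"{rec['protocol']} {rec['src']}:{rec['sport']} -> port {rec['dport']}"
    return rec


def summarize(lines):
    """Count denied packets per (protocol, source, service) summary."""
    return Counter(r["summary"] for r in map(parse_line, lines) if r)


SAMPLE = [
    # The line from the post, re-joined onto one line (destination redacted as posted).
    "Nov 28 23:59:07 duck kernel: Packet log: input DENY eth1 PROTO=1 "
    "63.98.105.3:8 208.xxx.xxx.xx1:0 L=60 S=0x00 I=6793 F=0x0000 T=114 (#1)",
    # Constructed for contrast: a denied TCP connection attempt to port 25 (SMTP).
    "Nov 29 00:01:12 duck kernel: Packet log: input DENY eth1 PROTO=6 "
    "192.0.2.10:40312 208.xxx.xxx.xx1:25 L=60 S=0x00 I=4121 F=0x4000 T=52 (#1)",
]

if __name__ == "__main__":
    for summary, count in summarize(SAMPLE).items():
        print(count, summary)
```

Run over a day of kernel log lines, `summarize` separates ICMP echo requests from TCP connection attempts to port 25, which is the distinction that matters when writing the abuse report or the block rule.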