Security Basics mailing list archives
Re: X11 Outgoing
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 4 Nov 2003 09:18:35 +0100
On 2003-10-31 Brad Arlt wrote:
Your example alert looks like a connection to pD4B9F42A.dip.t-dialin.net [212.185.244.42] from whatever your local IP is/was. Many of the hacked machines I have seen over the last few years are in the dip.t-dialin.net. That said, I am sure they are an ISP with real clients doing perhaps legitimate work.
Just a sidenote: dip.t-dialin.net is used by T-Online (ISP subsidiary of the German T-Com) for dialup-users.
If you can see no reason why your machine(s) should connect to pD4B9F42A.dip.t-dialin.net[212.185.244.42] then you might have a problem. Look into it further. It either should be stopped, or is normal network traffic that you should document and alter a rule or two so you don't get this alert without good cause. If you feel lazy, just block that IP at your firewall and wait for a phone call. This isn't the most customer friendly approach, but requires almost no effort on your part.
I doubt this will work because IP addresses resolving to something.dip.t-dialin.net are dynamically assigned when T-Online customers connect to the internet. The suspected attacker will most likely disconnect, reconnect and have another IP. You would have to block the whole T-Online dialin address space for this measure to be effective.
The downside is if the machine is hacked or hackable you have done nothing to stop that.
This should be fixed in the first place (provided this actually *is* an attack). Everything else will be dealing with symptoms rather than the actual disease.

Regards
Ansgar Wiechers