Security Incidents mailing list archives

Re: ingreslock message


From: slayer67 () APK NET (Dino Amato)
Date: Tue, 7 Mar 2000 12:42:01 -0500


Thanks to all who responded to my question.
I checked the box and there was no break-in or compromise, like a few others
said - someone was looking around for a hole.
My inetd.conf file has been totally remarked out since day also and nothing
in tmp.
Thanks for telling me about this particular attack.
Dino Amato

On Tue, 7 Mar 2000, Graeme Fowler wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dino

On 06-Mar-2000 Dino Amato wrote:
I logged this:
Mar  5 15:58:23 monitor tcplogd: ingreslock connection attempt from
unknown () sleipnir1 cs ucl ac uk
what does the ingreslock mean and what was this person trying to do?

Firstly: the ingreslock port was well-used by the shell installed by a
number of RPC compromises on Solaris (amongst others); as I know only
too well :(
I guess the culprit was scanning for previously compromised machines.

Secondly: if you have seen this on other machines, or more frequently
than the single line above, please report it to:

cert () cert ja net

They'll deal with it as its source was a UK university.

- --
Graeme Fowler
Network Officer, Infrastructure & Networks Group
Loughborough University Computing Services
PGP Public Key: http://xenomorph.lboro.ac.uk/



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOMUO4ukW/hjR2nSsEQKFmwCaAl47OPjInQbAs0+5sJa4cYo6k+wAoP2J
lHFFPw0TToSC2CgekyhYVZNt
=8JCg
-----END PGP SIGNATURE-----
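
The check suggested in the reply (has the same probe been seen on other machines, or more than once?) can be run over collected syslog files. The script below is an added example and not part of the original messages; it assumes the tcplogd line format quoted above with the source written as user@host (the archive obscured the address), and the sample log and hostnames are constructed.

```python
import re
from collections import defaultdict

# tcplogd syslog line as quoted in the thread. The "user@host" form of the
# source field is an assumption: the archive obscured the real address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\stcplogd:\s"
    r"(?P<service>\S+) connection attempt from (?P<src>\S+)\s*$"
)

# Constructed sample log (documentation hostnames, not real data).
SAMPLE_LOG = """\
Mar  5 15:58:23 monitor tcplogd: ingreslock connection attempt from unknown@scanner.example.net
Mar  5 15:58:24 mailhub tcplogd: ingreslock connection attempt from unknown@scanner.example.net
Mar  5 16:02:10 monitor tcplogd: smtp connection attempt from unknown@relay.example.org
Mar  6 03:11:47 monitor tcplogd: ingreslock connection attempt from unknown@other.example.com
Mar  6 03:12:00 monitor sshd[411]: unrelated line that must be skipped
"""

def ingreslock_probes(log_text, service="ingreslock"):
    """Group probes of `service` by source host: targets, count, first, last."""
    probes = defaultdict(
        lambda: {"targets": set(), "count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["service"] != service:
            continue  # not a tcplogd line, or a different service
        src_host = m["src"].rsplit("@", 1)[-1].lower()  # drop the ident user part
        entry = probes[src_host]
        entry["targets"].add(m["host"])      # which of our machines logged it
        entry["count"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(probes)

def reportable(probes):
    """Sources seen more than once, or on more than one machine."""
    return sorted(s for s, e in probes.items()
                  if e["count"] > 1 or len(e["targets"]) > 1)

if __name__ == "__main__":
    found = ingreslock_probes(SAMPLE_LOG)
    for src in reportable(found):
        e = found[src]
        print(f"{src}: {e['count']} attempts on {sorted(e['targets'])}, "
              f"{e['first']} .. {e['last']}")
```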


