Security Incidents mailing list archives

Re: ingreslock message

From: emaiwald () FRED NET (Eric Maiwald)
Date: Tue, 7 Mar 2000 15:13:30 -0500


On Sun, 5 Mar 2000, Dino Amato wrote:

I logged this:
Mar  5 15:58:23 monitor tcplogd: ingreslock connection attempt from unknown () sleipnir1 cs ucl ac uk
what does the ingreslock mean and what was this person trying to do?
Thanks


The ingresslock port is 1524 (I think).  It has been used recently
as a backdoor by some intruders.  They add a line to inetd.conf to
accept connections on 1524.

This person may have been looking for systems that have been broken.

Eric

---------------------------------------------------------------------
Eric Maiwald                                        emaiwald () fred net
So Many Hobbies, So little time
---------------------------------------------------------------------

Current thread:

Re: @home: Is *anyone* really home there???, (continued)
- - Re: @home: Is *anyone* really home there??? Greg A. Woods (Mar 02)
    - Re: @home: Is *anyone* really home there??? William Annis (Mar 03)
    - scans with spoofed address (was @home: Is *anyone*...) Russell Fulton (Mar 07)
    - Re: @home: Is *anyone* really home there??? Ville (Mar 03)
    - ingreslock message Dino Amato (Mar 05)
    - Re: ingreslock message Graeme Fowler (Mar 07)
    - Re: ingreslock message Dino Amato (Mar 07)
    - Re: ingreslock message Robert Graham (Mar 07)
    - firewall abusing Przemyslaw Frasunek (Mar 07)
    - Re: ingreslock message H D Moore (Mar 07)
    - Re: ingreslock message Eric Maiwald (Mar 07)
    - Re: auto-reporting to ISPs John Nemeth (Mar 07)
    - UDP flood 28001-28003 George (Mar 07)
    - Re: ingreslock message Jens Hektor (Mar 09)
    - Re: ingreslock message Ex Machina [xm] (Mar 13)
    - Re: ingreslock message Jens Hektor (Mar 13)
- Re: @home: Is *anyone* really home there??? Jude (Mar 03)