Security Incidents mailing list archives
Re: Odd identd behavior
From: kgp () nethere com
Date: Mon, 14 Nov 2005 17:33:16 -0800
Just to reiterate, I'd simply dig or nslookup the ip addresses (or use one of the many nslookup webpages) and see if they have some contact info. Really all you care about at this point is passing off some information to the admin that it looks like he has some nefarious activity on his network. You might also want to give him your ip address (and maybe mac) so he can sift your info out of any forensics he may do. Anything else is just kibitzing.

Kevin

Quoting Mike Owen <kyphros () gmail com>:
Just to clarify some of the confusion: I'm looking at logs on *my* email server, and network packet captures from *my* network. My email server is sending out ident requests, to port 113 on the affected destination servers. The replies received, instead of being in the standard format as dictated by RFC 1413, are coming back with the "220 ..:: lit-Crw Rulez ::..." and "530 Not logged in..." messages. These messages are coming from the destination servers. As an earlier poster stated, they fit the format of an ftp transaction, aka RFC 959.

My server is (to my knowledge) acting fine. Most destination servers return a correctly formatted ident reply when my server contacts them. I'm only receiving the "220 ..:: lit-Crw Rulez ::..." messages from 6 (six) distinct IPs.

The comment about the backdoor was idle speculation upon my part about what these messages signified. After reviewing RFC 959 (ftp), I'm quite certain they are in fact coming from an ftp daemon listening on port 113 (ident).

I don't really want to post IPs here to a public mailing list, but they appear to be scattered through the US/Europe. I hope this clears things up.

Mike
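
Added example, not part of either poster's message: a Python sketch of the check described above, sorting what remote hosts send back on port 113 into RFC 1413 ident replies and RFC 959 style FTP replies. The function names, the documentation-range IP addresses and the ident sample lines are constructed for illustration; the two FTP lines are the strings quoted in the thread.

```python
import re

# RFC 1413 reply: "<port> , <port> : USERID : <opsys> : <user-id>"
#             or: "<port> , <port> : ERROR : <error-type>"
PAIR = r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*"
IDENT_RE = re.compile(
    PAIR
    + r"(?:USERID\s*:\s*[^:\r\n]+:[^\r\n]+"
    + r"|ERROR\s*:\s*(?:INVALID-PORT|NO-USER|HIDDEN-USER|UNKNOWN-ERROR|X\S*))\s*$"
)
PAIR_RE = re.compile(PAIR)
# RFC 959 reply line: three-digit code, then space (last line) or "-" (continuation).
FTP_RE = re.compile(r"^[1-5]\d\d[ -]")


def classify_line(line):
    m = IDENT_RE.match(line)
    if m and all(1 <= int(p) <= 65535 for p in m.groups()):
        return "ident"
    if PAIR_RE.match(line):
        return "malformed-ident"  # starts with a port pair but breaks the grammar
    if FTP_RE.match(line):
        return "ftp"
    return "unknown"


def classify_reply(payload):
    """Classify everything a remote host sent back on port 113."""
    lines = [l for l in payload.decode("latin-1").splitlines() if l.strip()]
    kinds = {classify_line(l) for l in lines}
    if kinds == {"ident"}:
        return "ident"
    if "ftp" in kinds:
        return "ftp-on-113"
    return "unknown"


def suspect_hosts(captures):
    """Return the hosts whose port-113 reply looks like an FTP daemon."""
    return sorted(ip for ip, data in captures.items()
                  if classify_reply(data) == "ftp-on-113")


# Constructed sample: documentation-range IPs, payloads keyed by responding host.
CAPTURES = {
    "192.0.2.10": b"6193, 25 : USERID : UNIX : mailuser\r\n",
    "192.0.2.11": b"6194, 25 : ERROR : NO-USER\r\n",
    "198.51.100.7": b"220 ..:: lit-Crw Rulez ::...\r\n530 Not logged in...\r\n",
    "198.51.100.8": b"113 , 25 : BOGUS\r\n",
}

if __name__ == "__main__":
    print(suspect_hosts(CAPTURES))
```

The resulting host list is the kind of summary that can be passed to the remote network's admin contact along with the reporter's own IP address.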