Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] ftp login tries with private IP
  • From: andrew@xxxxxxxxxxx
  • Date: Fri, 8 Dec 2000 08:25:12 +0200 (SAST)
  • Message-id: <Pine.LNX.4.21.0012080810490.18406-100000@xxxxxxxxxxxxxxxxx>
It is possible that an intruder has compromised the machine on which you
were running PowerPoint. This is one of the fields where Windows really
excels - running stealth processes (Back Orifice, NetBus, ...). What did
netstat -a on the Windows machine say at the time? (Not necessarily the
real netstat anymore though...)

It is also possible that another machine on the same network is doing some
complex network sniffing and packet forging thing in order to impersonate
another machine (libnet is available for NT, AFAIK).

How to get an internal IP address? The IP address of the intranet machine
is often exposed by mail headers.

&:-)

'Twas 17:40 Yesterday when webmaster spake thus:

> Dear List,
> Is it possible to trace back an intruder who tried to compromise as
> "webmaster" as if coming from an existing private intranet IP?
> I was working exactly on that intranet machine whose private IP appeared in
> logs, and I was using Powerpoint and nothing else was running in the time
> being logged.
> Attempt failed, however, since in.ftpd is not running. But his knowing the
> IP of intranet machine may indicate some sniffing, may it not?

--
Deadbat Dustbian LuSE Hackware Also-randrake
Line Ucks Lean Ucks Loon Icks Lynne Nicks
free, dim (two chews)
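
An added example, not part of the original message: a check an administrator can run over a copy of outbound mail to see whether RFC 1918 intranet addresses appear in routing headers, as the reply above describes. The sample message, its hostnames and addresses, and the function name `leaked_private_ips` are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; hostnames and addresses are made up.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [203.0.113.25])
\tby mx.example.net with ESMTP; Fri, 8 Dec 2000 08:25:12 +0200
Received: from ws17 (ws17.corp.example.org [192.168.10.17])
\tby mail.example.org with SMTP; Fri, 8 Dec 2000 08:25:10 +0200
X-Originating-IP: [10.1.2.3]
From: user@example.org
Subject: test

body
"""

# RFC 1918 ranges listed explicitly: ipaddress.is_private would also match
# documentation and loopback ranges, which are not intranet leaks.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Headers that commonly carry the submitting host's address (assumed set).
HEADERS = ("Received", "X-Originating-IP")

# Dotted quad not embedded in a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def leaked_private_ips(raw_message, headers=HEADERS):
    """Return [(header_name, ip)] for RFC 1918 addresses in routing headers."""
    msg = message_from_string(raw_message)
    found = []
    for name in headers:
        for value in msg.get_all(name, []):   # folded headers arrive as one value
            for candidate in IPV4.findall(value):
                try:
                    addr = ipaddress.ip_address(candidate)
                except ValueError:            # e.g. 999.1.1.1 or leading zeros
                    continue
                if any(addr in net for net in RFC1918):
                    found.append((name, candidate))
    return found


if __name__ == "__main__":
    for header, ip in leaked_private_ips(SAMPLE):
        print(f"{header}: internal address {ip} visible to recipients")
```
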


