«

For post is mostly for the benefit of the archives, but may be of
interest to security researchers of those who have occasion to have dealt
with flextel.com

THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
has been seen to make numerous unauthorised attempts to connect to client
machines on port 113.

It may be prudent for others to check their logs or IDS warnings for
similar activity, particularly if you have had any dealings with Flextel.

Any person finding similar attempts is urged to contact BT security,
initially by filing an abuse report using the online form:

http://bt.custhelp.com/app/contact/c/346,3024

The Flying Pigs

On 13/02/2011 13:50, Flying Pigs wrote:
> For post is mostly for the benefit of the archives, but may be of
> interest to security researchers of those who have occasion to have dealt
> with flextel.com
>
> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
> has been seen to make numerous unauthorised attempts to connect to client
> machines on port 113.
>
> It may be prudent for others to check their logs or IDS warnings for
> similar activity, particularly if you have had any dealings with Flextel.
>
> Any person finding similar attempts is urged to contact BT security,
> initially by filing an abuse report using the online form:
>
> http://bt.custhelp.com/app/contact/c/346,3024
>

And BT will be interested because...?

On Sun, 13 Feb 2011 14:09:04 +0000, Peter Watson wrote:

> And BT will be interested because...?
.....

whois 217.40.239.104
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '217.40.239.104 - 217.40.239.111'

inetnum: 217.40.239.104 - 217.40.239.111
netname: Ray-NIXON-000000009115642
descr: BT-ADSL

>
> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
> has been seen to make numerous unauthorised attempts to connect to client
> machines on port 113.
>

As noted in my reply to the multi-post of this on uk.telecom, you should
expect a port 113 access whenever you access a server; its purpose is to
tell the server who is accessing it.

On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:

> Flying Pigs wrote:
>
>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>> been seen to make numerous unauthorised attempts to connect to client
>> machines on port 113.
>
> 113 is the ident port, while not widely used these days, it's not
> unheard of for SMTP and IRC software to attempt an ident connection
> (which is why it's better to reject rather than silently drop ident
> packets on an email server so as not to delay proceedings).

Not without some solicitation, which it never had.

Flying Pigs wrote:
> On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
>
>> Flying Pigs wrote:
>>
>>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>>> been seen to make numerous unauthorised attempts to connect to client
>>> machines on port 113.
>> 113 is the ident port, while not widely used these days, it's not
>> unheard of for SMTP and IRC software to attempt an ident connection
>> (which is why it's better to reject rather than silently drop ident
>> packets on an email server so as not to delay proceedings).
>
> Not without some solicitation, which it never had.

It's useless without solicitation, which strongly suggests that your
machine has been compromised and is attacking flextel.

On Sun, 13 Feb 2011 22:41:06 +0000, David Woolley wrote:

> Flying Pigs wrote:
>> On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
>>
>>> Flying Pigs wrote:
>>>
>>>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>>>> been seen to make numerous unauthorised attempts to connect to client
>>>> machines on port 113.
>>> 113 is the ident port, while not widely used these days, it's not
>>> unheard of for SMTP and IRC software to attempt an ident connection
>>> (which is why it's better to reject rather than silently drop ident
>>> packets on an email server so as not to delay proceedings).
>>
>> Not without some solicitation, which it never had.
>
> It's useless without solicitation, which strongly suggests that your
> machine has been compromised and is attacking flextel.

No. It suggests that Flextel are clueless ****wits that can't configure
**** all squared properly.

1: There was no solicitation on our part. I would accept they may attempt
to make use of Ident if I made some form of connection to them in the
first instance, but this was not the case.
It is possible to get it to fire off 113 probes if you connect to it on
25, I agree, but we have not - at any point - done that.

2: Personally I consider Ident to be of more use to hackers and crackers
now than anyone else. Therefore those making use of it are more likely to
be on the miscreant side of the fence.

3: If it's so harmless, why don't they have it open themselves? It's one
thing to hammer others on port 113, but a little ironic they don't offer
the service themselves

ns1.flextel.net (217.40.239.104):
Not shown: 1710 filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
4444/tcp open msploit
5060/tcp open vnc

Initially I thought this to be nefarious, and I think it may have roots
in that, but I'm more inclined to think they are clueless ****wits who
can't configure jackshit. Given their inability to send their mailings
from a host with a meaningful, non spammy looking dynamic PTR record
(87-194-178-6.bethere.co.uk[87.194.178.6]) I suspect that view to be
sound.

I also note the group windbag and retard, David Woolley, still has not
offered his IP address - given his earlier musings about how 'safe' it
all was. What a wanker - full of hot air.