Flextel attempting to hack customers on port 113 from 217.40.239.104

 
 
Flying Pigs
Guest
Posts: n/a
 
      02-13-2011
This post is mostly for the benefit of the archives, but may be of
interest to security researchers or those who have had occasion to deal
with flextel.com.

THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
has been seen to make numerous unauthorised attempts to connect to client
machines on port 113.

It may be prudent for others to check their logs or IDS warnings for
similar activity, particularly if you have had any dealings with Flextel.

Any person finding similar attempts is urged to contact BT security,
initially by filing an abuse report using the online form:

http://bt.custhelp.com/app/contact/c/346,3024

The Flying Pigs
 
 
 
 
 
Peter Watson
Guest
Posts: n/a
 
      02-13-2011
On 13/02/2011 13:50, Flying Pigs wrote:
> This post is mostly for the benefit of the archives, but may be of
> interest to security researchers or those who have had occasion to deal
> with flextel.com.
>
> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
> has been seen to make numerous unauthorised attempts to connect to client
> machines on port 113.
>
> It may be prudent for others to check their logs or IDS warnings for
> similar activity, particularly if you have had any dealings with Flextel.
>
> Any person finding similar attempts is urged to contact BT security,
> initially by filing an abuse report using the online form:
>
> http://bt.custhelp.com/app/contact/c/346,3024
>


And BT will be interested because...?

 
 
 
 
 
Flying Pigs
Guest
Posts: n/a
 
      02-13-2011
On Sun, 13 Feb 2011 14:09:04 +0000, Peter Watson wrote:

> And BT will be interested because...?

.....

whois 217.40.239.104
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '217.40.239.104 - 217.40.239.111'

inetnum: 217.40.239.104 - 217.40.239.111
netname: Ray-NIXON-000000009115642
descr: BT-ADSL

 
 
David Woolley
Guest
Posts: n/a
 
      02-13-2011

>
> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
> has been seen to make numerous unauthorised attempts to connect to client
> machines on port 113.
>


As noted in my reply to the multi-post of this on uk.telecom, you should
expect a port 113 access whenever you access a server; its purpose is to
tell the server who is accessing it.
 
 
Flying Pigs
Guest
Posts: n/a
 
      02-13-2011
On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:

> Flying Pigs wrote:
>
>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>> been seen to make numerous unauthorised attempts to connect to client
>> machines on port 113.

>
> 113 is the ident port; while not widely used these days, it's not
> unheard of for SMTP and IRC software to attempt an ident connection
> (which is why it's better to reject rather than silently drop ident
> packets on an email server so as not to delay proceedings).


Not without some solicitation, which it never had.
 
 
David Woolley
Guest
Posts: n/a
 
      02-13-2011
Flying Pigs wrote:
> On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
>
>> Flying Pigs wrote:
>>
>>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>>> been seen to make numerous unauthorised attempts to connect to client
>>> machines on port 113.

>> 113 is the ident port; while not widely used these days, it's not
>> unheard of for SMTP and IRC software to attempt an ident connection
>> (which is why it's better to reject rather than silently drop ident
>> packets on an email server so as not to delay proceedings).

>
> Not without some solicitation, which it never had.


It's useless without solicitation, which strongly suggests that your
machine has been compromised and is attacking flextel.
 
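The replies above turn on one question: did the inbound port 113 (ident, RFC 1413) connection follow an outbound connection from the probed host, as it would when that host opens SMTP to a mail server? The script below is an added example, not code from this thread; it correlates constructed iptables-style firewall log lines (the `[FW IN]`/`[FW OUT]` tags and the 192.0.2.10 address are assumptions) and marks each ident probe as solicited or unsolicited.

```python
import re
from datetime import datetime, timedelta

# Constructed firewall log lines in iptables/UFW kernel-log style (not taken
# from the thread). Lines 1-2: our host 192.0.2.10 opens SMTP to the Flextel
# box, which connects back to TCP/113 one second later -> a solicited ident
# lookup. Line 3: an ident SYN with no preceding outbound connection from us.
SAMPLE_LOG = """\
Feb 13 13:49:58 gw kernel: [FW OUT] IN= OUT=eth0 SRC=192.0.2.10 DST=217.40.239.104 PROTO=TCP SPT=40001 DPT=25 SYN
Feb 13 13:49:59 gw kernel: [FW IN] IN=eth0 OUT= SRC=217.40.239.104 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=113 SYN
Feb 13 14:05:12 gw kernel: [FW IN] IN=eth0 OUT= SRC=217.40.239.104 DST=192.0.2.10 PROTO=TCP SPT=51900 DPT=113 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[(?P<dir>FW IN|FW OUT)\] "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+) SYN"
)

def parse(line, year=2011):
    """Return (timestamp, direction, src, dst, dport) or None for non-SYN lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["dir"], m["src"], m["dst"], int(m["dport"])

def classify_ident_probes(log_text, window=timedelta(seconds=30)):
    """Return [(timestamp, prober, 'solicited'|'unsolicited')] for each inbound
    SYN to TCP/113. A probe counts as solicited if the probed host opened a TCP
    connection to the prober within `window` before the probe arrived."""
    last_outbound = {}   # (our_host, remote_host) -> time of latest outbound SYN
    verdicts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, direction, src, dst, dport = rec
        if direction == "FW OUT":
            last_outbound[(src, dst)] = ts
        elif dport == 113:
            prior = last_outbound.get((dst, src))
            solicited = prior is not None and timedelta(0) <= ts - prior <= window
            verdicts.append((ts, src, "solicited" if solicited else "unsolicited"))
    return verdicts

if __name__ == "__main__":
    for ts, prober, verdict in classify_ident_probes(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S}  ident probe from {prober}: {verdict}")
```

A run of unsolicited verdicts with no matching outbound SYN in your own logs is the situation the thread argues over; a solicited verdict is the normal mail-server behaviour Andy Burns and David Woolley describe.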
 
Flying Pigs
Guest
Posts: n/a
 
      02-14-2011
On Sun, 13 Feb 2011 22:41:06 +0000, David Woolley wrote:

> Flying Pigs wrote:
>> On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
>>
>>> Flying Pigs wrote:
>>>
>>>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>>>> been seen to make numerous unauthorised attempts to connect to client
>>>> machines on port 113.
>>> 113 is the ident port; while not widely used these days, it's not
>>> unheard of for SMTP and IRC software to attempt an ident connection
>>> (which is why it's better to reject rather than silently drop ident
>>> packets on an email server so as not to delay proceedings).

>>
>> Not without some solicitation, which it never had.

>
> It's useless without solicitation, which strongly suggests that your
> machine has been compromised and is attacking flextel.


No. It suggests that Flextel are clueless ****wits that can't configure
**** all squared properly.

1: There was no solicitation on our part. I would accept they may attempt
to make use of Ident if I made some form of connection to them in the
first instance, but this was not the case.
It is possible to get it to fire off 113 probes if you connect to it on
25, I agree, but we have not - at any point - done that.

2: Personally I consider Ident to be of more use to hackers and crackers
now than anyone else. Therefore those making use of it are more likely to
be on the miscreant side of the fence.

3: If it's so harmless, why don't they have it open themselves? It's one
thing to hammer others on port 113, but a little ironic they don't offer
the service themselves.

ns1.flextel.net (217.40.239.104):
Not shown: 1710 filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
4444/tcp open msploit
5060/tcp open vnc

Initially I thought this to be nefarious, and I think it may have roots
in that, but I'm more inclined to think they are clueless ****wits who
can't configure jackshit. Given their inability to send their mailings
from a host with a meaningful, non-spammy-looking dynamic PTR record
(87-194-178-6.bethere.co.uk[87.194.178.6]) I suspect that view to be
sound.

I also note the group windbag and retard, David Woolley, still has not
offered his IP address - given his earlier musings about how 'safe' it
all was. What a wanker - full of hot air.

 
 
 
 