Flextel attempting to hack customers on port 113 from 217.40.239.104

Discussion in 'UK VOIP' started by Flying Pigs, Feb 13, 2011.

  1. Flying Pigs

    Flying Pigs Guest

    This post is mostly for the benefit of the archives, but may be of
    interest to security researchers or those who have occasion to have dealt
    with flextel.com

    THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
    has been seen to make numerous unauthorised attempts to connect to client
    machines on port 113.

    It may be prudent for others to check their logs or IDS warnings for
    similar activity, particularly if you have had any dealings with Flextel.

    Any person finding similar attempts is urged to contact BT security,
    initially by filing an abuse report using the online form:

    http://bt.custhelp.com/app/contact/c/346,3024

    The Flying Pigs
     
    Flying Pigs, Feb 13, 2011
    #1

  2. Flying Pigs

    Peter Watson Guest

    Re: Flextel attempting to hack customers on port 113 from 217.40.239.104

    On 13/02/2011 13:50, Flying Pigs wrote:
    > This post is mostly for the benefit of the archives, but may be of
    > interest to security researchers or those who have occasion to have dealt
    > with flextel.com
    >
    > THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
    > has been seen to make numerous unauthorised attempts to connect to client
    > machines on port 113.
    >
    > It may be prudent for others to check their logs or IDS warnings for
    > similar activity, particularly if you have had any dealings with Flextel.
    >
    > Any person finding similar attempts is urged to contact BT security,
    > initially by filing an abuse report using the online form:
    >
    > http://bt.custhelp.com/app/contact/c/346,3024
    >


    And BT will be interested because...?
     
    Peter Watson, Feb 13, 2011
    #2

  3. Flying Pigs

    Flying Pigs Guest

    On Sun, 13 Feb 2011 14:09:04 +0000, Peter Watson wrote:

    > And BT will be interested because...?

    .....

    whois 217.40.239.104
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Note: this output has been filtered.
    % To receive output for a database update, use the "-B" flag.

    % Information related to '217.40.239.104 - 217.40.239.111'

    inetnum: 217.40.239.104 - 217.40.239.111
    netname: Ray-NIXON-000000009115642
    descr: BT-ADSL
     
    Flying Pigs, Feb 13, 2011
    #3
  4. Re: Flextel attempting to hack customers on port 113 from 217.40.239.104


    >
    > THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
    > has been seen to make numerous unauthorised attempts to connect to client
    > machines on port 113.
    >


    As noted in my reply to the multi-post of this on uk.telecom, you should
    expect a port 113 access whenever you access a server; its purpose is to
    tell the server who is accessing it.
     
    David Woolley, Feb 13, 2011
    #4
  5. Flying Pigs

    Flying Pigs Guest

    On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:

    > Flying Pigs wrote:
    >
    >> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
    >> been seen to make numerous unauthorised attempts to connect to client
    >> machines on port 113.

    >
    > 113 is the ident port, while not widely used these days, it's not
    > unheard of for SMTP and IRC software to attempt an ident connection
    > (which is why it's better to reject rather than silently drop ident
    > packets on an email server so as not to delay proceedings).


    Not without some solicitation, which it never had.
     
    Flying Pigs, Feb 13, 2011
    #5
  6. Re: Flextel attempting to hack customers on port 113 from 217.40.239.104

    Flying Pigs wrote:
    > On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
    >
    >> Flying Pigs wrote:
    >>
    >>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
    >>> been seen to make numerous unauthorised attempts to connect to client
    >>> machines on port 113.

    >> 113 is the ident port, while not widely used these days, it's not
    >> unheard of for SMTP and IRC software to attempt an ident connection
    >> (which is why it's better to reject rather than silently drop ident
    >> packets on an email server so as not to delay proceedings).

    >
    > Not without some solicitation, which it never had.


    It's useless without solicitation, which strongly suggests that your
    machine has been compromised and is attacking flextel.
     
    David Woolley, Feb 13, 2011
    #6
  7. Flying Pigs

    Flying Pigs Guest

    On Sun, 13 Feb 2011 22:41:06 +0000, David Woolley wrote:

    > Flying Pigs wrote:
    >> On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
    >>
    >>> Flying Pigs wrote:
    >>>
    >>>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
    >>>> been seen to make numerous unauthorised attempts to connect to client
    >>>> machines on port 113.
    >>> 113 is the ident port, while not widely used these days, it's not
    >>> unheard of for SMTP and IRC software to attempt an ident connection
    >>> (which is why it's better to reject rather than silently drop ident
    >>> packets on an email server so as not to delay proceedings).

    >>
    >> Not without some solicitation, which it never had.

    >
    > It's useless without solicitation, which strongly suggests that your
    > machine has been compromised and is attacking flextel.


    No. It suggests that Flextel are clueless fuckwits that can't configure
    **** all squared properly.

    1: There was no solicitation on our part. I would accept they may attempt
    to make use of Ident if I made some form of connection to them in the
    first instance, but this was not the case.
    It is possible to get it to fire off 113 probes if you connect to it on
    25, I agree, but we have not - at any point - done that.

    2: Personally I consider Ident to be of more use to hackers and crackers
    now than anyone else. Therefore those making use of it are more likely to
    be on the miscreant side of the fence.

    3: If it's so harmless, why don't they have it open themselves? It's one
    thing to hammer others on port 113, but a little ironic they don't offer
    the service themselves

    ns1.flextel.net (217.40.239.104):
    Not shown: 1710 filtered ports
    PORT STATE SERVICE
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    443/tcp open https
    4444/tcp open msploit
    5060/tcp open vnc

    Initially I thought this to be nefarious, and I think it may have roots
    in that, but I'm more inclined to think they are clueless fuckwits who
    can't configure jackshit. Given their inability to send their mailings
    from a host with a meaningful, non spammy looking dynamic PTR record
    (87-194-178-6.bethere.co.uk[87.194.178.6]) I suspect that view to be
    sound.

    I also note the group windbag and retard, David Woolley, still has not
    offered his IP address - given his earlier musings about how 'safe' it
    all was. What a wanker - full of hot air.
     
    Flying Pigs, Feb 14, 2011
    #7
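
Added example, not part of any post in this thread: the disagreement above turns on whether inbound connections to tcp/113 were solicited, i.e. preceded by an outbound connection from the same local machine to the host that sent them (the RFC 1413 ident callback). This sketch classifies inbound port 113 SYNs that way; the log lines are constructed, use documentation-range addresses, and assume a simplified iptables-LOG-style format, and the 30-second window and function names are assumptions too.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not from the thread): simplified iptables-LOG-style lines.
# 192.0.2.x are local hosts; 198.51.100.25 and 203.0.113.7 are remote hosts.
SAMPLE_LOG = """\
Feb 13 13:40:01 gw kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.25 PROTO=TCP SPT=50112 DPT=25 SYN
Feb 13 13:40:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.25 DST=192.0.2.10 PROTO=TCP SPT=41877 DPT=113 SYN
Feb 13 13:41:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=39001 DPT=113 SYN
Feb 13 13:41:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=39001 DPT=113 SYN
Feb 13 13:55:00 gw kernel: IN= OUT=eth0 SRC=192.0.2.11 DST=203.0.113.7 PROTO=TCP SPT=50990 DPT=25 SYN
Feb 13 13:55:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=39440 DPT=113 SYN
"""

# Timestamp, interfaces, addresses and destination port of one logged SYN.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?IN=(?P<inif>\S*) OUT=(?P<outif>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)

def classify_ident_probes(log_text, window_s=30, year=2011):
    """Label each inbound SYN to tcp/113 as 'solicited' or 'unsolicited'.
    Solicited means the targeted local host opened a connection to the probing
    host no more than window_s seconds earlier. Syslog timestamps carry no
    year, so one is supplied (assumption)."""
    window = timedelta(seconds=window_s)
    last_outbound = {}  # (local_ip, remote_ip) -> time of latest outbound SYN
    results = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["outif"] and not m["inif"]:        # outbound connection attempt
            last_outbound[(m["src"], m["dst"])] = ts
        elif m["inif"] and m["dpt"] == "113":   # inbound ident probe
            prior = last_outbound.get((m["dst"], m["src"]))
            ok = prior is not None and timedelta(0) <= ts - prior <= window
            results.append((m["ts"], m["src"], m["dst"],
                            "solicited" if ok else "unsolicited"))
    return results

def unsolicited_sources(results):
    """Count unsolicited port 113 probes per source address."""
    return Counter(src for _, src, _, label in results if label == "unsolicited")

if __name__ == "__main__":
    rows = classify_ident_probes(SAMPLE_LOG)
    print(*rows, unsolicited_sources(rows), sep="\n")
```

The result is only as good as the outbound logging: a connection made by a host or service that is not logged will make a genuine ident callback look unsolicited.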