Security Incidents mailing list archives
Re: netpay.tv connections
From: Chris Ess <securityfocus () cae tokimi net>
Date: Mon, 5 Jan 2004 12:11:30 -0500 (EST)
On Sat, 3 Jan 2004, Dave wrote:
> For at least the past 36 hours I've been getting connections from netpay.
> I'm not sure if they are spoofed or not. The site doesn't appear to be
> online. Anyone else seeing this? Here is a snip of tcpdump. I'm dropping
> the packets now though.
>
> 16:26:04.384446 netpay.tv.50971 > neuromancer.http: S 2510312004:2510312004(0) win 32120 <mss 1460,sackOK,timestamp 1054041 1342177280,nop,wscale 0> (DF)
[snip]

I will guess that you're getting this off of the machine that hosts 'www.neuromancer.cx'. According to my DNS, 'www.neuromancer.cx' resolves to an IP on 66.0.0.0/8.

I had seen like activity on other machines under 66.0.0.0/8 (the only number these share with 'www.neuromancer.cx' is the initial 66). The source IP is 200.46.203.23, which has a reverse DNS of 'netpay.tv'. ('netpay.tv' itself resolves to 64.116.172.147)

Normally, I'd think nothing of it except that machines with several IPs under 66.0.0.0/8 all had connections from this IP in the SYN_RECV state on all of the 66.0.0.0/8 IPs. After restarting the web server on one of these machines, these connections went away, presumably since there was no longer anything listening on 80/tcp, only to be reestablished within the next couple minutes after the webserver came back up.

I'm not sure what to make of this behavior. Does anyone have any ideas?

This activity seems to have stopped between about 11pm EST on 04 January and 11am EST, 05 January.

Sincerely,

Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
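An added example, not part of the original message: one way to check a multi-homed web server for the pattern described above, a single remote address holding SYN_RECV entries on several local IPs on 80/tcp, from Linux `netstat -tn` output. The sample output, its documentation-range addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of Linux `netstat -tn` output (documentation addresses,
# not values from the post). One remote host holds half-open connections to
# port 80 on several local IPs; another has a single, unremarkable entry.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.23:50971      SYN_RECV
tcp        0      0 192.0.2.11:80           203.0.113.23:50972      SYN_RECV
tcp        0      0 192.0.2.12:80           203.0.113.23:50975      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:41200      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:41311      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:52044      ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so the address part stays intact."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def half_open_by_source(netstat_text, port="80"):
    """Map remote IP -> set of local IPs it has SYN_RECV entries on for `port`."""
    seen = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect: proto recv-q send-q local foreign state
        if len(fields) != 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        local_ip, local_port = split_endpoint(local)
        if state == "SYN_RECV" and local_port == port:
            seen[split_endpoint(remote)[0]].add(local_ip)
    return dict(seen)


def sources_spanning_ips(netstat_text, min_local_ips=2, port="80"):
    """Remote IPs with half-open connections on at least `min_local_ips` local IPs."""
    hits = half_open_by_source(netstat_text, port)
    return sorted(ip for ip, locals_ in hits.items() if len(locals_) >= min_local_ips)


if __name__ == "__main__":
    for src in sources_spanning_ips(SAMPLE_NETSTAT):
        n = len(half_open_by_source(SAMPLE_NETSTAT)[src])
        print(f"{src}: SYN_RECV on {n} local IPs")
```

Running the same function on snapshots taken before and after a web server restart shows whether the half-open entries from a given source come back once 80/tcp is listening again.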
Current thread:
- netpay.tv connections Dave (Jan 05)
- Re: netpay.tv connections Harlan Carvey (Jan 05)
- Re: netpay.tv connections Jeremiah Cornelius (Jan 05)
- Re: netpay.tv connections Chris Ess (Jan 05)