[vox] [OT] Report Hackers?
Jeff Newmiller
vox@lists.lugod.org
Wed, 28 Jan 2004 21:52:26 -0800 (PST)
On Wed, 28 Jan 2004, Robert G. Scofield wrote:
> This evening my son was on the family computer (Win98) and in an hour and a
> half got two messages from Norton Firewall stating that someone at
> 130.161.43.249 was trying to connect to a port commonly used by a Trojan
> horse. The second time the IP address was 130.161.43.249: 3392.
In both cases, the IP address portion is the same. In the second
instance, it shows the port number (most likely of the source). Source
port numbers are almost always assigned "randomly", so they don't mean
much. The destination port is typically the most interesting, since they
typically get used by a particular application (though sometimes different
applications will claim the same port, which the sysadmin has to reconcile
if he wants to run both).
> I assume that this is a dynamically assigned address and that it's not
> possible to figure out who the hacker is. But is one supposed to report
> these IP addresses somewhere? Or does one just forget about it?
Actually "dig -x 130.161.43.249" reports that it is coming from
p2p-measure.ubicom.tudelft.nl, which suggests that your son may have been
using a peer-to-peer application to communicate with a server that was
confirming that he was NOT infected with that trojan. From the name, it
may have something to do with an online game by Ubisoft. Anyway, check the
terms of service for the p2p application he was using... it should say
something about scanning you as a requirement for using the service.
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<jdnewmil@dcn.davis.ca.us> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------