A Broadband and ADSL forum. BroadbanterBanter


uk.telecom.broadband (UK broadband) (uk.telecom.broadband) Discussion of broadband services, technology and equipment as provided in the UK. Discussions of specific services based on ADSL, cable modems or other broadband technology are also on-topic. Advertising is not allowed.

Flextel attempting to hack customers on port 113 from 217.40.239.104



 
 
#1
February 13th 11, 01:50 PM, posted to uk.telecom.broadband, uk.telecom.voip
Flying Pigs

This post is mostly for the benefit of the archives, but may be of
interest to security researchers or those who have occasion to have dealt
with flextel.com

THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
has been seen to make numerous unauthorised attempts to connect to client
machines on port 113.

It may be prudent for others to check their logs or IDS warnings for
similar activity, particularly if you have had any dealings with Flextel.

Any person finding similar attempts is urged to contact BT security,
initially by filing an abuse report using the online form:

http://bt.custhelp.com/app/contact/c/346,3024

The Flying Pigs
#2
February 13th 11, 02:09 PM, posted to uk.telecom.broadband, uk.telecom.voip
Peter Watson

On 13/02/2011 13:50, Flying Pigs wrote:
> This post is mostly for the benefit of the archives, but may be of
> interest to security researchers or those who have occasion to have dealt
> with flextel.com
>
> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
> has been seen to make numerous unauthorised attempts to connect to client
> machines on port 113.
>
> It may be prudent for others to check their logs or IDS warnings for
> similar activity, particularly if you have had any dealings with Flextel.
>
> Any person finding similar attempts is urged to contact BT security,
> initially by filing an abuse report using the online form:
>
> http://bt.custhelp.com/app/contact/c/346,3024

And BT will be interested because...?

#3
February 13th 11, 02:33 PM, posted to uk.telecom.broadband, uk.telecom.voip
Flying Pigs

On Sun, 13 Feb 2011 14:09:04 +0000, Peter Watson wrote:

> And BT will be interested because...?

.....

whois 217.40.239.104
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '217.40.239.104 - 217.40.239.111'

inetnum: 217.40.239.104 - 217.40.239.111
netname: Ray-NIXON-000000009115642
descr: BT-ADSL

#4
February 13th 11, 02:35 PM, posted to uk.telecom.broadband, uk.telecom.voip
David Woolley



> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
> has been seen to make numerous unauthorised attempts to connect to client
> machines on port 113.


As noted in my reply to the multi-post of this on uk.telecom, you should
expect a port 113 access whenever you access a server; its purpose is to
tell the server who is accessing it.
#5
February 13th 11, 02:48 PM, posted to uk.telecom.broadband, uk.telecom.voip, uk.telecom
Flying Pigs

On Sun, 13 Feb 2011 14:35:03 +0000, David Woolley wrote:

> As noted in my reply to the multi-post of this on uk.telecom, you should
> expect a port 113 access whenever you access a server; its purpose is to
> tell the server who is accessing it.


But I've not been accessing their server. These are brute force attempts
to connect inbound with no solicitation. AKA nefarious activity. You
support that kind of thing David - or are you speaking on behalf of
Flextel.com?
#6
February 13th 11, 03:27 PM, posted to uk.telecom.broadband, uk.telecom.voip, uk.telecom
David Woolley

Flying Pigs wrote:
> On Sun, 13 Feb 2011 14:35:03 +0000, David Woolley wrote:
>
>> As noted in my reply to the multi-post of this on uk.telecom, you should
>> expect a port 113 access whenever you access a server; its purpose is to
>> tell the server who is accessing it.
>
> But I've not been accessing their server. These are brute force attempts
> to connect inbound with no solicitation. AKA nefarious activity. You
> support that kind of thing David - or are you speaking on behalf of
> Flextel.com?


Port 113 is of no use unless there is an existing connection. If you
really don't have a connection, you are dealing with a broken system not
a hostile one. I have a couple of flextel numbers but my only relation
is as a customer.
#7
February 13th 11, 04:55 PM, posted to uk.telecom.broadband, uk.telecom.voip
Andy Burns

Flying Pigs wrote:

> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net)
> has been seen to make numerous unauthorised attempts to connect to client
> machines on port 113.


113 is the ident port, while not widely used these days, it's not
unheard of for SMTP and IRC software to attempt an ident connection
(which is why it's better to reject rather than silently drop ident
packets on an email server so as not to delay proceedings).
#8
February 13th 11, 05:05 PM, posted to uk.telecom.broadband, uk.telecom.voip
Flying Pigs

On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:

> Flying Pigs wrote:
>
>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>> been seen to make numerous unauthorised attempts to connect to client
>> machines on port 113.
>
> 113 is the ident port, while not widely used these days, it's not
> unheard of for SMTP and IRC software to attempt an ident connection
> (which is why it's better to reject rather than silently drop ident
> packets on an email server so as not to delay proceedings).


Not without some solicitation, which it never had.
#9
February 13th 11, 10:41 PM, posted to uk.telecom.broadband, uk.telecom.voip
David Woolley

Flying Pigs wrote:
> On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
>
>> Flying Pigs wrote:
>>
>>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>>> been seen to make numerous unauthorised attempts to connect to client
>>> machines on port 113.
>>
>> 113 is the ident port, while not widely used these days, it's not
>> unheard of for SMTP and IRC software to attempt an ident connection
>> (which is why it's better to reject rather than silently drop ident
>> packets on an email server so as not to delay proceedings).
>
> Not without some solicitation, which it never had.


It's useless without solicitation, which strongly suggests that your
machine has been compromised and is attacking flextel.
#10
February 14th 11, 05:55 AM, posted to uk.telecom.broadband, uk.telecom.voip
Flying Pigs

On Sun, 13 Feb 2011 22:41:06 +0000, David Woolley wrote:

> Flying Pigs wrote:
>> On Sun, 13 Feb 2011 16:55:28 +0000, Andy Burns wrote:
>>
>>> Flying Pigs wrote:
>>>
>>>> THIS HOST: 217.40.239.104 (ns1.flextel.net/jupiter.flextel.net) has
>>>> been seen to make numerous unauthorised attempts to connect to client
>>>> machines on port 113.
>>>
>>> 113 is the ident port, while not widely used these days, it's not
>>> unheard of for SMTP and IRC software to attempt an ident connection
>>> (which is why it's better to reject rather than silently drop ident
>>> packets on an email server so as not to delay proceedings).
>>
>> Not without some solicitation, which it never had.
>
> It's useless without solicitation, which strongly suggests that your
> machine has been compromised and is attacking flextel.


No. It suggests that Flextel are clueless ****wits that can't configure
**** all squared properly.

1: There was no solicitation on our part. I would accept they may attempt
to make use of Ident if I made some form of connection to them in the
first instance, but this was not the case.
It is possible to get it to fire off 113 probes if you connect to it on
25, I agree, but we have not - at any point - done that.

2: Personally I consider Ident to be of more use to hackers and crackers
now than anyone else. Therefore those making use of it are more likely to
be on the miscreant side of the fence.

3: If it's so harmless, why don't they have it open themselves? It's one
thing to hammer others on port 113, but a little ironic they don't offer
the service themselves

ns1.flextel.net (217.40.239.104):
Not shown: 1710 filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
443/tcp open https
4444/tcp open msploit
5060/tcp open vnc

Initially I thought this to be nefarious, and I think it may have roots
in that, but I'm more inclined to think they are clueless ****wits who
can't configure jack****. Given their inability to send their mailings
from a host with a meaningful, non spammy looking dynamic PTR record
(87-194-178-6.bethere.co.uk[87.194.178.6]) I suspect that view to be
sound.

I also note the group windbag and retard, David Woolley, still has not
offered his IP address - given his earlier musings about how 'safe' it
all was. What a ****** - full of hot air.

 



