Re: Tracking down IP's
On Sun, Dec 31, 2000 at 12:16:59PM -0700, JD Kitch wrote:
> Can anyone tell me what this person is looking for here, and how I
> can find out where this is coming from?
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
> Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)
> Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127 (#43)
> Dec 31 11:07:06 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7716 F=0x0000 T=127 (#43)
> Dec 31 11:07:13 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7724 F=0x0000 T=127 (#43)
> Dec 31 11:07:19 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7725 F=0x0000 T=127 (#43)
>
> I've been unable to track it down. I've had pages and pages of this
> every hour since early yesterday, always coming from the same IP, to
> the same port.
>
You can do a search for the port at -
http://www.snort.org/Database/portsearch.asp
nslookup 172.16.72.113
shows -
**** can't find 172.16.72.113: Non-existent host/domain
Can't help you any more than that.
kent
--
"In order to make an apple pie from scratch,
you must first create the universe."
- Carl Sagan
Reply to: