
Re: Tracking down IP's



On Sun, Dec 31, 2000 at 12:16:59PM -0700, JD Kitch wrote:
> Can anyone tell me what this person is looking for here, and how I
> can find out where this is coming from?
> 
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
> Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)
> Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127 (#43)
> Dec 31 11:07:06 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7716 F=0x0000 T=127 (#43)
> Dec 31 11:07:13 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7724 F=0x0000 T=127 (#43)
> Dec 31 11:07:19 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7725 F=0x0000 T=127 (#43)
> 
> I've been unable to track it down.  I've had pages and pages of this
> every hour since early yesterday, always coming from the same IP, to
> the same port.
> 

	You can do a search for the port at -
	http://www.snort.org/Database/portsearch.asp

	nslookup 172.16.72.113 
	shows -
	**** can't find 172.16.72.113: Non-existent host/domain

	Can't help you any more than that.
	kent

-- 
  "In order to make an apple pie from scratch,
      you must first create the universe."  
                 - Carl Sagan
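
An added example, not part of the original thread: a parser for the ipchains "Packet log" lines quoted above that groups them by chain, protocol, destination and port, and reports whether the destination lies in private (RFC 1918) address space, which public DNS will not resolve. The sample lines are constructed from the post, with the documentation address 192.0.2.10 standing in for the masked source; the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Layout of a Linux 2.2 ipchains log line: chain, rule target, interface,
# IP protocol number, src:port, dst:port, L=length S=TOS I=IP id
# F=fragment field T=TTL (#number of the matching rule in that chain)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^\s:]+):(?P<sport>\d+) "
    r"(?P<dst>[^\s:]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>\S+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers

# Constructed sample modelled on the post (source address is a stand-in).
SAMPLE = """\
Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 192.0.2.10:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 192.0.2.10:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)
Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17 192.0.2.10:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127 (#43)
"""

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTOCOLS.get(rec["proto"], str(rec["proto"]))
    try:
        rec["dst_private"] = ipaddress.ip_address(rec["dst"]).is_private
    except ValueError:  # masked or malformed address in the log
        rec["dst_private"] = None
    return rec

def summarize(text):
    """Count packets per (chain, protocol, destination, port, private?)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        counts[(rec["chain"], rec["proto_name"], rec["dst"],
                rec["dport"], rec["dst_private"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, key)
```

The `output` chain in each record means the rejected packets were leaving the logging host through eth0, so the sending process is on that machine or on a network it forwards for.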


