Koozali.org: home of the SME Server

Is this a successful, or failed connection attempt

guest

Is this a successful, or failed connection attempt
« on: July 12, 2004, 11:26:04 PM »
Hi,
From the 8th of July to now I have lots of entries as below:
Jul  9 12:09:30 merlin oidentd[24966]: Connection from 208-38-92-245.rev.sherbtel.net (208.38.92.245):3696
Jul  9 12:12:30 merlin oidentd[24967]: Connection from 208-38-92-245.rev.sherbtel.net (208.38.92.245):2594
Jul  9 12:13:00 merlin oidentd[24967]: Timeout for request -- Closing connection
Jul  9 12:27:51 merlin oidentd[24970]: Connection from 208-38-92-245.rev.sherbtel.net (208.38.92.245):2192
It looks like an attempt or a port scan, not sure which, but I'd appreciate experienced feedback on what it means.
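To make the question concrete, here is a small triage script (an added example, not from the original post, from SME Server or from oidentd) that parses oidentd lines of the shape quoted above. It pairs each "Timeout for request" line with the "Connection from" line carrying the same oidentd PID (the daemon logs one child PID per connection, as the quoted lines show), then reports per source address how many connections arrived and how many of them timed out without ever sending an ident query. A host that connects to 113 and never sends the "port, port" request behaves like a connect scan or banner grab rather than a mail or IRC server doing a real lookup. The sample is the four lines from the post plus one constructed line from a made-up host (192.0.2.10); the flagging threshold is this example's assumption, not anything oidentd or SME defines.

```python
import re
from collections import defaultdict

# Constructed sample: the four oidentd lines quoted in the post above plus one
# line in the same format from a made-up host (192.0.2.10), added for contrast.
SAMPLE_LOG = """\
Jul  9 12:09:30 merlin oidentd[24966]: Connection from 208-38-92-245.rev.sherbtel.net (208.38.92.245):3696
Jul  9 12:12:30 merlin oidentd[24967]: Connection from 208-38-92-245.rev.sherbtel.net (208.38.92.245):2594
Jul  9 12:13:00 merlin oidentd[24967]: Timeout for request -- Closing connection
Jul  9 12:27:51 merlin oidentd[24970]: Connection from 208-38-92-245.rev.sherbtel.net (208.38.92.245):2192
Jul  9 12:40:02 merlin oidentd[24975]: Connection from mail.example.net (192.0.2.10):48211
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ oidentd\[(?P<pid>\d+)\]: "
CONN_RE = re.compile(SYSLOG_PREFIX +
                     r"Connection from (?P<host>\S+) \((?P<ip>\d+(?:\.\d+){3})\):(?P<port>\d+)$")
TIMEOUT_RE = re.compile(SYSLOG_PREFIX + r"Timeout for request -- Closing connection$")


def triage(log_text):
    """Summarise oidentd activity per source IP.

    Returns {ip: {"host": str, "connections": int, "timed_out": int,
                  "src_ports": [int, ...]}}.
    A timeout is charged to the still-open connection with the same oidentd
    PID; the daemon logs one child PID per connection, as the quoted lines show.
    """
    open_by_pid = {}  # pid -> source ip of a connection still awaiting its query
    stats = defaultdict(lambda: {"host": "", "connections": 0,
                                 "timed_out": 0, "src_ports": []})
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            entry = stats[m["ip"]]
            entry["host"] = m["host"]
            entry["connections"] += 1
            entry["src_ports"].append(int(m["port"]))
            open_by_pid[m["pid"]] = m["ip"]
            continue
        m = TIMEOUT_RE.match(line)
        if m and m["pid"] in open_by_pid:
            stats[open_by_pid.pop(m["pid"])]["timed_out"] += 1
    return dict(stats)


def flag_sources(stats, max_connections=2):
    """Heuristic (this example's assumption, not an oidentd rule): flag a
    source that ever connected without sending a query, or that came back
    more than max_connections times."""
    return sorted(ip for ip, e in stats.items()
                  if e["timed_out"] > 0 or e["connections"] > max_connections)


if __name__ == "__main__":
    stats = triage(SAMPLE_LOG)
    for ip, e in stats.items():
        print(f"{ip:16} {e['host']:40} conns={e['connections']} "
              f"timed_out={e['timed_out']} src_ports={e['src_ports']}")
    print("flagged:", flag_sources(stats))
```

Run it against /var/log/messages (or wherever the SME box sends oidentd's syslog output) instead of SAMPLE_LOG to get the per-source table. Only timeouts are counted as "no query sent": the thread does not show what oidentd logs for a completed lookup, so a connection with no timeout line may have been answered or may simply have been closed by the client. To tell a legitimate lookup from a probe, correlate each flagged source with the SMTP or IRC logs for the same minute; a real ident client has a live connection to you at the moment it asks.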

RayG

« Reply #1 on: July 15, 2004, 03:10:58 AM »
I was wondering the same thing. I have 238 of them, each from a different address, in my logs beginning July 1. The majority of the IPs involved have been blocked by Guardian at some point this month for an IIS exploit attempt.

NickR (http://www.witzendcs.co.uk/)

« Reply #2 on: July 15, 2004, 07:47:51 AM »
It's nothing to worry about.  All it is telling you is that a remote machine is doing an auth/ident lookup on your server.  Many mail machines are configured to do this as a check that mail that purports to come from your domain really does.  Some scanners try to determine system information by using this service, but the SME reveals very little information when such a query is made.

For more information, see here:

http://grc.com/port_113.htm
--
Nick......

guest

« Reply #3 on: July 15, 2004, 11:56:52 PM »
I know lots would say it is not important, but I believe in a lot of cases it is best to not be found.
I know you can run, but you can't hide etc.
I still think it would help if you could discard pings etc.
As in this post:
http://forums.contribs.org/index.php?topic=23083.0
I do not want to use an RPM for this particular task, it would be nice to just use cl.
Can anyone assist on how to discard pings on 6.0.x?

RayG

« Reply #4 on: July 16, 2004, 01:04:10 AM »
ICMP Echo requests (pings) do seem to be a precursor to a more focused attack but they are certainly not the only way to "find you". In an attempt to keep things on topic, I responded in the thread you referenced with the 'mod' I used for icmp.

RayG

« Reply #5 on: July 16, 2004, 01:25:31 AM »
Quote from: "NickR"
It's nothing to worry about.


I'm not exactly worried about it. Even the most lax e-Smith administrator is a better netizen than the hundreds of thousands of Microsoft Windows users with their DSL/cable modems plugged directly into their PC.  I would like to know what's going on though.

On my SME at home, identd is used for IRC and webmail authentication. Eliminating those connections, I'm still left with several hundred that cannot be anything other than an exploit attempt, particularly considering most of those addresses have attempted other exploits in the recent past.

There's generally a good description of any given exploit and the tools that use it, but I haven't found anything yet. It may be that we're still on the leading edge of the issue and a full analysis hasn't been done yet.

NickR (http://www.witzendcs.co.uk/)

« Reply #6 on: July 16, 2004, 06:46:35 AM »
Quote from: "RayG"
Quote from: "NickR"
It's nothing to worry about.
I would like to know what's going on though.


AFAIK, auth/ident can't be directly used as an exploit, but it can reveal account names.  Once a cracker has these, he can try using a dictionary attack on SSH, for instance.

It could also simply be an attempt to avoid firewalls which drop pings.
--
Nick......
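Nick's two replies above (#2 on what an auth/ident lookup is, #6 on what it can reveal) describe the RFC 1413 exchange on port 113 without showing it. Here it is as a worked example with both sides, added here and not code from the original thread, from SME Server or from oidentd. The querying host (a mail or IRC server you are connected to) opens TCP 113 on your box and sends "<port on your side>, <port on its side>"; your daemon looks that pair up in its table of live connections and answers either "USERID : <opsys> : <account>" or "ERROR : <reason>". The connection table and user names below are made up. The HIDDEN-USER branch is the RFC's error for a deliberately withheld account name, the kind of minimal answer Nick describes; I am not claiming it is byte-for-byte what SME's oidentd sends, only that this is the protocol shape a hardened daemon uses to avoid handing out login names for a later SSH dictionary attack.

```python
import re

# Constructed connection table for the host answering the query: maps
# (local_port, remote_port) of an established TCP connection to the local
# user that owns it. A real ident daemon derives this from the kernel
# (e.g. /proc/net/tcp); these two entries are made up for illustration.
CONNECTIONS = {
    (1234, 6667): "ray",   # an outbound IRC session owned by user "ray"
    (2048, 25): "mail",    # an outbound SMTP session owned by the mail user
}

QUERY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*$")
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def ident_query(server_port, client_port):
    """Client side: the request line sent after connecting to port 113.
    server_port is the port on the host being asked, client_port the
    port on the asking host (RFC 1413 section 3)."""
    return f"{server_port}, {client_port}\r\n"


def ident_reply(line, connections, hide_users=False, opsys="UNIX"):
    """Server side: build the RFC 1413 reply for one request line.

    hide_users=True answers every valid lookup with ERROR : HIDDEN-USER,
    so the querier learns only that a connection exists, not who owns it.
    """
    m = QUERY_RE.match(line.rstrip("\r\n"))
    if not m:
        # Unparseable request: echo 0,0 so the reply still has the
        # port-pair field. Choosing 0,0 here is this example's decision.
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    sport, cport = int(m.group(1)), int(m.group(2))
    prefix = f"{sport} , {cport} : "
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return prefix + "ERROR : INVALID-PORT\r\n"
    user = connections.get((sport, cport))
    if user is None:
        return prefix + "ERROR : NO-USER\r\n"
    if hide_users:
        return prefix + "ERROR : HIDDEN-USER\r\n"
    return prefix + f"USERID : {opsys} : {user}\r\n"


def parse_ident_reply(line):
    """Client side: parse a reply into (server_port, client_port, kind, detail).
    For USERID, detail is (opsys, user_id); for ERROR, detail is the error token.
    The user-id may itself contain colons, so only the first colon after the
    opsys field is treated as a separator."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident reply")
    sport, cport, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
    if kind == "USERID":
        opsys, _, user = rest.partition(":")
        # opsys may carry an optional ", charset" suffix; drop it
        return sport, cport, kind, (opsys.split(",")[0].strip(), user.strip())
    return sport, cport, kind, rest.strip()


def exchange(server_port, client_port, connections, hide_users=False):
    """Run one full round trip in-process: query, reply, parse."""
    request = ident_query(server_port, client_port)
    response = ident_reply(request, connections, hide_users=hide_users)
    return request, response, parse_ident_reply(response)


if __name__ == "__main__":
    for hide in (False, True):
        req, resp, parsed = exchange(1234, 6667, CONNECTIONS, hide_users=hide)
        print(f"hide_users={hide}: C> {req.strip()!r}  S> {resp.strip()!r}  -> {parsed}")
    print(ident_reply("9999, 25\r\n", CONNECTIONS).strip())   # nothing on that pair
    print(ident_reply("70000, 25\r\n", CONNECTIONS).strip())  # port out of range
```

Two things worth checking on a real box: the ports in the query are the ports of the connection being vouched for, not the source port of the TCP session to 113 that appears in the oidentd log lines, so a bare "Connection from" entry tells you nothing about what was asked; and a NO-USER answer to a pair that is not in your connection table is exactly what an unrelated scanner gets, which is why the lookups in the log are noisy rather than dangerous as long as real account names are never returned.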