From: Jose J. Cintron (jcintron@mitre.org)
Date: Thu Apr 04 2002 - 13:12:42 CST


    After a couple of quick WHOIS lookups on destination address 217.80.102.129
    you get:

    IP address: 217.80.102.129
    Host name: pd9506681.dip.t-dialin.net

    inetnum: 217.80.0.0 - 217.89.31.255
    netname: DTAG-DIAL14
    descr: Deutsche Telekom AG
    country: DE
    admin-c: DTIP-RIPE
    tech-c: ST5359-RIPE
    status: ASSIGNED PA
    remarks: ************************************************************
    remarks: * ABUSE CONTACT: abuse@t-ipnet.de IN CASE OF HACK ATTACKS, *
    remarks: * ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC. *
    remarks: ************************************************************
    notify: auftrag@nic.telekom.de
    notify: dbd@nic.dtag.de
    mnt-by: DTAG-NIC
    changed: auftrag@nic.telekom.de 20020108
    source: RIPE

    route: 217.80.0.0/12
    descr: Deutsche Telekom AG, Internet service provider
    origin: AS3320
    mnt-by: DTAG-RR
    changed: rv@NIC.DTAG.DE 20001027
    source: RIPE

    person: DTAG Global IP-Adressing
    address: Deutsche Telekom AG
    address: Postfach 900110
    address: D-90492 Nuernberg
    address: Germany
    phone: +49 911 68909856
    e-mail: ripe.dtip@telekom.de
    nic-hdl: DTIP-RIPE
    mnt-by: DTAG-NIC
    changed: auftrag@nic.telekom.de 20020311
    source: RIPE

    person: Security Team
    address: Deutsche Telekom AG
    address: Technikniederlassung Schwaebisch Hall
    address: D-89070 Ulm
    address: Germany
    phone: +49 731 100 84055
    fax-no: +49 731 100 84150
    e-mail: abuse@t-ipnet.de
    nic-hdl: ST5359-RIPE
    notify: auftrag@nic.telekom.de
    notify: dbd@nic.dtag.de
    mnt-by: DTAG-NIC
    changed: auftrag@nic.telekom.de 20010321
    source: RIPE

    +------------------------------------------
    | José J. Cintrón - <jcintron@mitre.org>
    |
    | MITRE Corporation
    | 7515 Colshire Drive
    | Mail Stop W424
    | McLean, VA 22102-7508
    |
    | Phone: 703.883.3040
    | Fax: 703.883.1397
    +------------------------------------------

    -----Original Message-----
    From: Hunter Ely [mailto:hely1@lsu.edu]
    Sent: Thursday, April 04, 2002 09:42
    To: focus-ms@lists.securityfocus.com
    Subject: Re: ntsds.exe or ntsdc.exe

    Sorry that I can't provide the text of the header. The guy that had the sniffer
    trace sent me a screen capture of one of the packet headers. What do you
    guys think? The DOD program that several of you mentioned seemed like the
    right kind of application because this machine was moving a substantial
    amount of traffic, but why would it have something like that installed on
    it?

    ----- Original Message -----
    From: "Hunter Ely" <hely1@lsu.edu>
    To: <focus-ms@lists.securityfocus.com>
    Sent: Wednesday, April 03, 2002 1:27 PM
    Subject: ntsds.exe or ntsdc.exe

    > Recently some computers on a few LANs on our network were sending full
    > size packets and were the top talkers on campus. When we looked into this
    > further, it appeared that all the machines were Windows machines with a
    > service called either ntsds.exe or ntsdc.exe. This service couldn't be
    > stopped. The only way to keep it from loading was to rename the file. The
    > traffic ceased when we finally were able to stop the service. I can't seem
    > to find anything about this service anywhere. Has anyone else on the list
    > experienced this or can point me in the right direction? Thanks
    > ------------------------------------------------------
    > Hunter Ely
    > Network Security Analyst, Office of Computing Services
    > Louisiana State University
    > http://hunter.lsu.edu
    >
    >
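The WHOIS lookup in the reply above is the usual first step once a top talker's destination is known: find the netblock that holds the address, the AS that announces it and an abuse contact to send the report to. The Python below is an added example, not part of the original thread or of any tool the posters used. It parses RPSL-style RIPE output into objects, checks that the inetnum and route the server returned actually cover the address in question (servers return the closest match, which is not always a covering one), pulls the abuse address out of the remarks, and resolves the admin-c/tech-c handles to the e-mail of the matching person objects. The embedded whois text is a constructed sample modelled on the lookup quoted above, with the "@" that the list archive stripped from the addresses restored; the decoding of the dial-in reverse name's hex label (pd9506681 -> 217.80.102.129) is an observation about that hostname's shape, assumed here rather than taken from any documentation.

```python
import ipaddress
import re

# Constructed sample, modelled on the RIPE lookup quoted in the reply above
# (not live data; the "@" the list archive stripped is restored).
SAMPLE_WHOIS = """\
inetnum:      217.80.0.0 - 217.89.31.255
netname:      DTAG-DIAL14
descr:        Deutsche Telekom AG
country:      DE
admin-c:      DTIP-RIPE
tech-c:       ST5359-RIPE
status:       ASSIGNED PA
remarks:      ************************************************************
remarks:      * ABUSE CONTACT: abuse@t-ipnet.de IN CASE OF HACK ATTACKS, *
remarks:      * ILLEGAL ACTIVITY, VIOLATION, SCANS, PROBES, SPAM, ETC.   *
remarks:      ************************************************************
mnt-by:       DTAG-NIC
source:       RIPE

route:        217.80.0.0/12
descr:        Deutsche Telekom AG, Internet service provider
origin:       AS3320
mnt-by:       DTAG-RR
source:       RIPE

person:       DTAG Global IP-Adressing
e-mail:       ripe.dtip@telekom.de
nic-hdl:      DTIP-RIPE
source:       RIPE

person:       Security Team
address:      Deutsche Telekom AG
e-mail:       abuse@t-ipnet.de
nic-hdl:      ST5359-RIPE
source:       RIPE
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_rpsl(text):
    """Split RPSL-style whois output into objects: one dict per blank-line-separated
    block, mapping each attribute to the list of its values (attributes may repeat)."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):  # server comments / banners
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def contacts(objects):
    """Return (abuse addresses, {handle: e-mail}). Abuse addresses come from
    abuse-mailbox attributes and from remarks that mention abuse; handles named
    as admin-c/tech-c are resolved to the e-mail of the object with that nic-hdl."""
    by_handle = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    abuse, handles = [], {}
    for o in objects:
        abuse += [a for v in o.get("abuse-mailbox", []) for a in EMAIL_RE.findall(v)]
        abuse += [a for r in o.get("remarks", []) if "abuse" in r.lower()
                  for a in EMAIL_RE.findall(r)]
        for attr in ("admin-c", "tech-c"):
            for h in o.get(attr, []):
                person = by_handle.get(h)
                handles[h] = person["e-mail"][0] if person and "e-mail" in person else None
    return list(dict.fromkeys(abuse)), handles  # dedupe, keep order


def summarize(ip_str, whois_text):
    """Map an address to the netblock, route and contacts that cover it; an
    inetnum or route in the answer that does NOT cover the address sets
    consistent=False so a near-miss answer is not reported as the owner."""
    ip = ipaddress.ip_address(ip_str)
    objects = parse_rpsl(whois_text)
    abuse, handles = contacts(objects)
    info = {"ip": ip_str, "inetnum": None, "netname": None, "country": None,
            "route": None, "origin": None, "abuse": abuse, "handles": handles,
            "consistent": True}
    for o in objects:
        if "inetnum" in o:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in o["inetnum"][0].split("-"))
            if lo <= ip <= hi:
                info.update(inetnum=o["inetnum"][0], netname=o.get("netname", [None])[0],
                            country=o.get("country", [None])[0])
            else:
                info["consistent"] = False
        if "route" in o:
            net = ipaddress.ip_network(o["route"][0], strict=False)
            if ip in net:
                info.update(route=o["route"][0], origin=o.get("origin", [None])[0])
            else:
                info["consistent"] = False
    return info


def hex_hostname_ip(hostname):
    """Decode an 8-hex-digit leading label (assumed from the shape of
    pd9506681.dip.t-dialin.net) back to the address it encodes; None if absent."""
    m = re.match(r"^[a-z]*([0-9a-f]{8})\.", hostname.lower())
    return str(ipaddress.ip_address(int(m.group(1), 16))) if m else None


if __name__ == "__main__":
    ip = "217.80.102.129"
    info = summarize(ip, SAMPLE_WHOIS)
    print(f"{ip}: {info['netname']} ({info['country']}) {info['inetnum']}, "
          f"{info['route']} via {info['origin']}, consistent={info['consistent']}")
    print("abuse:", ", ".join(info["abuse"]), "| handles:", info["handles"])
    print("rDNS label decodes to", hex_hostname_ip("pd9506681.dip.t-dialin.net"))
```

Two things worth noting when using output like this for a report: the reverse name ending in dip.t-dialin.net and the DIAL netname both say the address is from a dial-in pool, so it identifies a subscriber only together with the exact timestamps of the traffic, and the abuse report should carry them; and the e-mail on a person object (here the Security Team's) is a fallback, while the address named in the abuse remarks (or an abuse-mailbox attribute where the registry has one) is the one the holder asked to be used.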