
Date:  Fri, 9 Mar 2007 19:11:29 +0100
From:  Chris Hemsing <C.Hemsing (at mark) gmx.net>
Subject:  [coba-e:09062] Re: CentOS+BQ hacked?
To:  Arthur Sherman <coba-e (at mark) bluequartz.org>
Message-Id:  <364696028.20070309191129 (at mark) gmx.net>
In-Reply-To:  <009801c76267$ff5eb9a0$3701a8c0@lapxp>
References:  <009801c76267$ff5eb9a0$3701a8c0@lapxp>
X-Mail-Count: 09062

Hello Arthur,

Friday, March 9, 2007, 5:28:40 PM, you wrote:

>> If you ping aca25f24.ipt.aol.com
>> You get back this IP 172.162.95.36 
>> 
>> It sounds a lot like a private IP address or an automatic address
>> that the NIC takes automatically after not finding a DHCP server.

AS> Ooops. It is private in the range 172.16.0.0 - 172.31.255.255, as per
AS> http://en.wikipedia.org/wiki/Private_network

AS> It seems to me to be an Akamai cache server, but I may be wrong.
AS> Anyway, it seems suspicious. Did you run chkrootkit and all that stuff?
AS> Or, check for changed/created files with 'find'...


AS> Best,

AS> --
AS> Arthur Sherman

AS> +972-52-4878851
AS> http://www.cpt.co.il/ 

172.162.95.36 is NOT within the range of 172.16.0.0 - 172.31.255.255 !!!!
Had it been a reserved address, then there would not be a reverse name
lookup.
It's a dynamically assigned address (usually some customer premises)
by AOL.

-- 
Best regards,
 Chris                            mailto:C.Hemsing (at mark) gmx.net
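
Added example, not part of the original message: a small Python triage helper that checks the address from this thread against the RFC 1918 private blocks and the 169.254.0.0/16 link-local ("automatic") block, and compares the hostname's first label with the resolved address. The function names are hypothetical, and reading the first label as a hex-encoded IPv4 address is an assumption about the naming scheme.

```python
import ipaddress
import re

# Reserved IPv4 blocks relevant to the thread: RFC 1918 private space and
# RFC 3927 link-local (the address a NIC self-assigns when no DHCP server answers).
RESERVED = {
    "rfc1918-10/8": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "link-local-169.254/16": ipaddress.ip_network("169.254.0.0/16"),
}


def classify(addr):
    """Return the name of the reserved block containing addr, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, net in RESERVED.items():
        if ip in net:
            return name
    return "public"


def decode_hex_label(hostname):
    """Decode the first DNS label as a big-endian hex IPv4 address.

    Assumption: the label is exactly 8 hex digits encoding the address.
    Returns None when the label does not have that shape.
    """
    label = hostname.split(".", 1)[0]
    if not re.fullmatch(r"[0-9a-fA-F]{8}", label):
        return None
    return str(ipaddress.ip_address(int(label, 16)))


def triage(hostname, resolved):
    """Summarise what the name and the address say about a remote host."""
    return {
        "address": resolved,
        "class": classify(resolved),
        "label_matches_address": decode_hex_label(hostname) == resolved,
    }


if __name__ == "__main__":
    # Hostname and address as quoted in the thread.
    print(triage("aca25f24.ipt.aol.com", "172.162.95.36"))
    # Constructed samples around the 172.16.0.0/12 boundary.
    for sample in ("172.16.0.1", "172.31.255.255", "172.32.0.0", "169.254.10.20"):
        print(sample, classify(sample))
```

The /12 mask fixes only the top four bits of the second octet, so the private block covers second octets 16 through 31 and a second octet of 162 falls outside it.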