Network Security Incidents

Re: Odd identd behavior

Subject: Re: Odd identd behavior
Date: Mon, 14 Nov 2005 17:33:16 -0800
Just to reiterate, I'd simply dig or nslookup the IP addresses (or use one
of the many nslookup webpages) and see if they have some contact info.
Really all you care about at this point is passing off some information to
the admin that it looks like he has some nefarious activity on his network.
You might also want to give him your IP address (and maybe MAC) so he can
sift your info out of any forensics he may do. Anything else is just
kibitzing.

Kevin

Quoting Mike Owen <kyphros@gmail.com>:

Just to clarify some of the confusion:

I'm looking at logs on *my* email server, and network packet captures
from *my* network. My email server is sending out ident requests, to
port 113 on the affected destination servers. The replies received,
instead of being in the standard format as dictated by RFC 1413, are
coming back with the "220 ..:: ?lit?-Cr?w Rulez ::..." and "530 Not
logged in..." messages. These messages are coming from the destination
servers. As an earlier poster stated, they fit the format of an ftp
transaction, aka RFC 959.

My server is (to my knowledge) acting fine. Most destination servers
return a correctly formatted ident reply when my server contacts them.
I'm only receiving the "220 ..:: ?lit?-Cr?w Rulez ::..." messages from
6 (six) distinct IPs.

The comment about the backdoor was idle speculation upon my part about
what these messages signified. After reviewing RFC 959 (ftp), I'm
quite certain they are in fact coming from an ftp daemon listening on
port 113 (ident).

I don't really want to post IPs here to a public mailing list, but
they appear to be scattered through the US/Europe.

I hope this clears things up.

Mike
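The distinction Mike draws above (an RFC 1413 ident reply versus RFC 959 FTP reply codes coming back on tcp/113) can be checked mechanically. The following is an added example, not code from the thread: it classifies the first reply line received on port 113 and flags peers whose answer is not a conforming ident reply. The IPs, port numbers and reply lines are constructed samples.

```python
import re

# RFC 1413 reply: "<port-on-queried-host>, <port-on-our-host> : USERID : <opsys> : <user-id>"
# or             "<port-on-queried-host>, <port-on-our-host> : ERROR : <error-type>"
IDENT_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")
# RFC 959 reply: three-digit code, then a space (last line) or "-" (continuation line)
FTP_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def classify_ident_reply(query_ports, reply):
    """Classify the first line that came back on tcp/113 after an RFC 1413 query.

    query_ports: (port on queried host, port on our host) as sent in the query
    reply: raw reply line (CRLF terminated or not)
    Returns ("ident" | "ftp" | "unknown", details-dict).
    """
    line = reply.rstrip("\r\n")
    m = IDENT_RE.match(line)
    if m:
        echoed = (int(m.group(1)), int(m.group(2)))
        return ("ident", {"type": m.group(3), "info": m.group(4).strip(),
                          "ports_match": echoed == tuple(query_ports)})
    m = FTP_RE.match(line)
    if m:
        return ("ftp", {"code": int(m.group(1)), "text": m.group(3).strip(),
                        "continuation": m.group(2) == "-"})
    return ("unknown", {"raw": line})


def suspicious_ident_peers(observations):
    """Return {peer_ip: kind} for peers whose tcp/113 reply is not a conforming
    ident reply echoing the port pair we asked about.  observations is an
    iterable of (peer_ip, query_ports, reply_line) pulled from a capture."""
    flagged = {}
    for ip, ports, reply in observations:
        kind, details = classify_ident_reply(ports, reply)
        if kind != "ident":
            flagged[ip] = kind
        elif not details["ports_match"]:
            flagged[ip] = "ident-port-mismatch"
    return flagged


# Constructed sample, not from the thread; 192.0.2.0/24 is the RFC 5737 documentation range.
# Our mail server (tcp/25) asked each peer who owns the connection from the peer's port.
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", (41523, 25), "41523, 25 : USERID : UNIX : mailuser\r\n"),
    ("192.0.2.11", (41524, 25), "41524, 25 : ERROR : HIDDEN-USER\r\n"),
    ("192.0.2.12", (41525, 25), "220 ..:: ?lit?-Cr?w Rulez ::...\r\n"),
    ("192.0.2.13", (41526, 25), "530 Not logged in...\r\n"),
    ("192.0.2.14", (41527, 25), "9999, 25 : USERID : UNIX : root\r\n"),
]

if __name__ == "__main__":
    for ip, kind in suspicious_ident_peers(SAMPLE_OBSERVATIONS).items():
        print(f"{ip}: non-conforming answer on tcp/113 ({kind})")
```

Only the first reply line is examined; a multi-line FTP banner would show up as a `220-` continuation line, which the classifier also recognises.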
