Home page logo

basics logo Security Basics mailing list archives

Re: X11 Outgoing
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Tue, 4 Nov 2003 09:18:35 +0100

On 2003-10-31 Brad Arlt wrote:
Your example alert looks like a connection to
pD4B9F42A.dip.t-dialin.net [] from whatever you local ip
is/was.  Many of the hacked machines I have seen over the last few
years are in the dip.t-dialin.net.  That said, I am sure they are a
ISP with real clients doing purhaps legitimate work.

Just a sidenote:

dip.t-dialin.net is used by T-Online (ISP subsidiary of the german
T-Com) for dialup-users.

If you can see no reason why your machine(s) should connect to
pD4B9F42A.dip.t-dialin.net[] then you might have a
problem.  Look into it further.  It either should be stopped, or is
normal network traffic that you should document and alter a rule or
two so you don't get this alert without good cause.

If you feel lazy, just block that IP at your firewall and wait for a
phone call.  This isn't the most customer friendly approach, but
requires almost no effort on your part.

I doubt this will work because IP addresses resolving to
something.dip.t-dialin.net are dynamically assigned when T-Online
customers connect to the internet. The suspected attacker will most
likely disconnect, reconnect and have another IP. You would have to
block the whole T-Online dialin address space for this measure to be

The downside is if the machine is hacked or hackable you have done
nothing to stop that.

This should be fixed in the first place (provided this actually *is* an
attack). Everything else will be dealing with symptoms rather than the
actual disease.

Ansgar Wiechers

The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]