Re:ALERT? INGRESLOCK


RedLobster
April 1st, 2004, 07:39 PM
Subject: ingreslock:1524


Four times in the past hour my box was hit.......twice while here at the forum reading posts and twice while at <google>
This is extremely abnormal...was only hit once before by this and that was a long time ago.

ingreslock:1524 is also known as the playboy <com> hack...the one responsible for sending e-mail through playboy.....** note: has nothing to do regarding a person visiting playboy....it's just the nic for ingreslock.
ingreslock:1524 is a hacker group

In my case an attempt to take out the firewall occurred all four times....each time revealed as localhost: very fast hack attempt...use caution........this won't even be noticed unless you are watching the firewall status or notice a slowdown in pages loading.....

It was my thinking that this was a hack used against the solaris box.....

bigc73542
April 1st, 2004, 07:56 PM
From what I just read, ingreslock:1524 is an e-mail that promises access to playboy but they need your credit card no., which is only a phishing trip to get your private info to be exploited later.


http://www.usethesource.com/articles/01/11/21/123212.shtml


Here is some more info on this subject.

http://www.cert.org/incident_notes/IN-99-04.html

bigc73542
April 1st, 2004, 08:11 PM
removed - duplicate of article at link in the preceding post

http://www.usethesource.com/articles/01/11/21/123212.shtml

CrazyM
April 4th, 2004, 06:46 PM
While certain ports are associated with common services and others may be common ports used by malware, it does not necessarily mean that is the only thing that port/service is used for.

While port 1524 may be associated with ingreslock, it is also in the range of ephemeral ports (1024-5000) which are used by your system locally when establishing connections - you mention seeing this with legitimate outbound connections.

-{ Quote: "In my case an attempt to take out the firewall occurred all four times....each time revealed as localhost:" }-

Can you clarify localhost? If this connection was limited to localhost, that is your own system and not an outside connection.

When posting concerns about connections or firewall log entries it helps if you include: direction, protocol, source IP/port, destination IP/port (just XXX out your public IP).

Regards,

CrazyM
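
As an added example (not part of any post in this thread), here is a small triage of firewall log entries using the fields CrazyM lists, separating port 1524 as a local ephemeral source port from an inbound connection to port 1524 and from loopback-only traffic. The log line format, the IP addresses (documentation ranges) and the verdict names are constructed for illustration.

```python
import ipaddress
import re

# Ephemeral range as given in the thread (1024-5000); other systems differ.
EPHEMERAL = range(1024, 5001)
WATCHED_PORT = 1524  # the port commonly labelled "ingreslock"

# Constructed format: DIRECTION PROTO SRC_IP:PORT -> DST_IP:PORT
LINE_RE = re.compile(
    r"^(IN|OUT)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")

def triage(line, public_ip):
    """Return (verdict, masked_line) for one firewall log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return "unparsed", line.strip()
    direction, proto, src, sport, dst, dport = m.groups()
    sport, dport = int(sport), int(dport)
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return "unparsed", line.strip()

    if src_ip.is_loopback and dst_ip.is_loopback:
        # Both ends are this machine: not an outside connection.
        verdict = "loopback-only"
    elif direction == "OUT" and sport == WATCHED_PORT and sport in EPHEMERAL:
        # 1524 is just the local source port picked for an outbound connection.
        verdict = "ephemeral-source"
    elif direction == "IN" and dport == WATCHED_PORT:
        # A remote host is reaching for port 1524 on this machine.
        verdict = "inbound-to-1524"
    else:
        verdict = "other"

    # Mask the public IP field by field before posting the entry.
    mask = lambda ip: "XXX" if ip == public_ip else ip
    return verdict, f"{direction} {proto} {mask(src)}:{sport} -> {mask(dst)}:{dport}"

# Constructed sample entries; 203.0.113.7 stands in for the poster's public IP.
SAMPLE = [
    "OUT TCP 203.0.113.7:1524 -> 198.51.100.20:80",
    "IN TCP 198.51.100.99:40211 -> 203.0.113.7:1524",
    "OUT TCP 127.0.0.1:1524 -> 127.0.0.1:8080",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry, "203.0.113.7"))
```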