Re:ALERT? INGRESLOCK

Discussion in 'other security issues & news' started by RedLobster, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. RedLobster

    RedLobster Guest

    Subject: ingreslock:1524


    Four times in the past hour my box was hit.......twice while here at the forum reading posts and twice while at <google>
    This is extremely abnormal...was only hit once before by this and that was a long time ago.

    ingreslock:1524 is also known as the playboy <com> hack...the one responsible for sending e-mail through playboy.....** note: has nothing to do regarding a person visiting playboy....it's just the nick for ingreslock.
    ingreslock:1524 is a hacker group

    In my case an attempt to take out the firewall occurred all four times....each time revealed as localhost: very fast hack attempt...use caution........this won't even be noticed unless you are watching the firewall status or notice a slow download in pages loading.....

    It was my thinking that this was a hack used against the solaris box.....
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    From what I just read, ingreslock:1524 is an e-mail that promises access to playboy, but they need your credit card no., which is only a phishing trip to get your private info to be exploited later.


    http://www.usethesource.com/articles/01/11/21/123212.shtml


    Here is some more info on this subject.

    http://www.cert.org/incident_notes/IN-99-04.html
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    MOVED: ALERT? INGRESLOCK

    removed - duplicate of article at link in the preceding post

    http://www.usethesource.com/articles/01/11/21/123212.shtml
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    While certain ports are associated with common services and others may be common ports used by malware, it does not necessarily mean that is the only thing that port/service is used for.

    While port 1524 may be associated to ingreslock, it is also in the range of ephemeral ports (1024-5000) which are used by your system locally when establishing connections - you mention seeing this with legitimate outbound connections.

    Can you clarify localhost? If this connection was limited to localhost, that is your own system and not an outside connection.

    When posting concerns about connections or firewall log entries, it helps if you include: direction, protocol, source IP/port, destination IP/port (just XXX out your public IP).

    Regards,

    CrazyM
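
    Added example, not part of any post in this thread: a small triage script that applies the distinction drawn in the last post to firewall entries carrying direction, protocol, source IP/port and destination IP/port. The log format, the addresses (documentation ranges) and the labels are constructed assumptions, and the labels are heuristics, since a stateless log line cannot prove which side opened a connection.

```python
import ipaddress

EPHEMERAL = range(1024, 5001)  # ephemeral range quoted in the post above
WATCHED_PORT = 1524            # port registered to ingreslock

# Constructed sample entries: DIRECTION PROTO SRC_IP:PORT -> DST_IP:PORT
SAMPLE_LOG = """\
OUT TCP 192.0.2.10:1524 -> 198.51.100.7:80
IN TCP 198.51.100.7:80 -> 192.0.2.10:1524
IN TCP 203.0.113.44:40211 -> 192.0.2.10:1524
OUT TCP 127.0.0.1:1524 -> 127.0.0.1:3128
IN UDP 203.0.113.9:53 -> 192.0.2.10:1030
"""

def parse(line):
    """Split one entry into direction, protocol and typed endpoints."""
    direction, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return (direction, proto, ipaddress.ip_address(sip), int(sport),
            ipaddress.ip_address(dip), int(dport))

def classify(line, port=WATCHED_PORT):
    """Label an entry by the role the watched port plays in it."""
    direction, _proto, sip, sport, dip, dport = parse(line)
    if port not in (sport, dport):
        return "unrelated"
    if sip.is_loopback and dip.is_loopback:
        return "loopback"             # traffic never left this machine
    if direction == "OUT" and sport == port and port in EPHEMERAL:
        return "local-ephemeral"      # our own temporary source port
    if direction == "IN" and dport == port and sport < 1024:
        return "likely-reply"         # remote service answering our client port
    if direction == "IN" and dport == port:
        return "inbound-unsolicited"  # remote client aiming at the port: review
    return "other"

def triage(log, port=WATCHED_PORT):
    """Classify every non-empty line of a log."""
    return [classify(l, port) for l in log.splitlines() if l.strip()]

if __name__ == "__main__":
    for entry, label in zip(SAMPLE_LOG.splitlines(), triage(SAMPLE_LOG)):
        print(f"{label:20} {entry}")
```

    Only the "inbound-unsolicited" entries need a closer look, and then only if something on the machine is actually listening on that port.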
     