Welcome to the Second Life Forums Archive

Strange intrusion detections

Anousjka Vanbeeck
Registered User
Join date: 2 Feb 2007
Posts: 8
08-11-2008 00:32
@ Lindenlabs

I'm not sure if this is the right place to report this, but:

During a check of my firewall logs I spotted some strange entries.
A traceroute of the entries resulted in "No match for LINDENLABS.COM".

Log entry:

09 aug 2008 08:39:23 ip: 8.4.129.96 sim946.agni.lindenlabs.com port 1730
09 aug 2008 11:00:15 ip: 8.4.129.96 sim946.agni.lindenlabs.com port 4982
10 aug 2008 23:13:24 ip: 8.4.129.96 sim946.agni.lindenlabs.com port 2288

A little info check also taught me that port 1730 is often used by a program named roketz,
and port 2288 by a program named NETML.

Again, I do not know if this is the right place to mention this;
however, I do hope these strange connections will be looked into by lindenlabs staff.

Regards

Meade Paravane
Hedgehog
Join date: 21 Nov 2006
Posts: 4,845
08-11-2008 07:51
Both lindenlab.com and lindenlabs.com seem to be owned by LL. Maybe the version with the s, which is not the 'correct' name for LL, doesn't do reverse DNS?

edit: or are you worried about the port numbers? Are these incoming connections or outgoing?
_____________________
Tired of shouting clubs and lucky chairs? Vote for llParcelSay!!!
- Go here: http://jira.secondlife.com/browse/SVC-1224
- If you see "if you were logged in.." on the left, click it and log in
- Click the "Vote for it" link on the left

Anousjka Vanbeeck
Registered User
Join date: 2 Feb 2007
Posts: 8
08-11-2008 09:10
The connections are incoming ones, and the port numbers themselves do not look familiar to me for Second Life usage either.
If SL used those numbers then I would have a problem of some kind, since the connections were blocked by my firewall.
Also, there would be more registrations of the detected ports.
I've been in SL since Nov 30 2006 and this is the first time I have discovered this.

My personal simple conclusion is that someone is trying to attack to gain access or something like that, and making it look like it comes from lindenlabs.

Meade Paravane
Hedgehog
Join date: 21 Nov 2006
Posts: 4,845
08-11-2008 09:31
Well, sim946.agni.lindenlab.com (no 's') is indeed IP 8.4.129.96.

Did these entries happen while you were in SL? Do you have any problems moving around when you're in SL?

I guess it could be somebody trying to hack you but I think it's more likely that your firewall log is showing you local port numbers instead of remote port numbers. Local port numbers are pretty much random..
_____________________
Tired of shouting clubs and lucky chairs? Vote for llParcelSay!!!
- Go here: http://jira.secondlife.com/browse/SVC-1224
- If you see "if you were logged in.." on the left, click it and log in
- Click the "Vote for it" link on the left
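
The two explanations raised in this thread can be checked mechanically. The following is an added example, not code from any poster: it parses the posted log lines, tests whether each port lies in a common default ephemeral (local client) port range, and does a forward-confirmed reverse DNS check. The log-line layout, the function names and `constructed_resolver` are assumptions; the resolver holds only the one name-to-IP mapping stated in the thread and says nothing about real DNS.

```python
import re
import socket

# Default ephemeral (client-side) port ranges; the thread does not state the OS.
EPHEMERAL_RANGES = {
    "Windows XP/2003": (1025, 5000),
    "IANA / Windows Vista+": (49152, 65535),
    "Linux (classic default)": (32768, 61000),
}
# Assumed layout, inferred from the three lines posted in the thread.
LINE_RE = re.compile(r"^(?P<ts>\d{2} \w{3} \d{4} [\d:]{8}) ip: (?P<ip>\S+) "
                     r"(?P<host>\S+) port (?P<port>\d+)$")

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return dict(m.groupdict(), port=int(m["port"])) if m else None

def ephemeral_matches(port):
    """Names of the OS defaults whose ephemeral range contains the port."""
    return [n for n, (lo, hi) in EPHEMERAL_RANGES.items() if lo <= port <= hi]

def forward_confirms(host, ip, resolve=socket.gethostbyname_ex):
    """True if a forward lookup of host returns ip (forward-confirmed rDNS)."""
    try:
        return ip in resolve(host)[2]
    except OSError:  # gaierror and herror are OSError subclasses
        return False

def constructed_resolver(host):
    """Offline stand-in for DNS: only the mapping stated in the thread."""
    table = {"sim946.agni.lindenlab.com": ["8.4.129.96"]}
    if host not in table:  # assumption: every other name has no record
        raise socket.gaierror("constructed: no record")
    return (host, [], table[host])

def triage(lines, resolve=socket.gethostbyname_ex):
    entries = [e for e in map(parse_line, lines) if e]
    for e in entries:
        e["ephemeral_for"] = ephemeral_matches(e["port"])
        e["fcrdns_ok"] = forward_confirms(e["host"], e["ip"], resolve)
    return entries

SAMPLE = """09 aug 2008 08:39:23 ip: 8.4.129.96 sim946.agni.lindenlabs.com port 1730
09 aug 2008 11:00:15 ip: 8.4.129.96 sim946.agni.lindenlabs.com port 4982
10 aug 2008 23:13:24 ip: 8.4.129.96 sim946.agni.lindenlabs.com port 2288""".splitlines()
if __name__ == "__main__":
    for e in triage(SAMPLE, constructed_resolver):
        print(e["ts"], e["port"], e["ephemeral_for"], e["fcrdns_ok"])
```

A port inside an ephemeral range is consistent with the log showing the local side of a connection the machine itself opened, but it does not prove it; the firewall's own documentation decides which port column is which.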