Thanks for your help.
With this I am sending a small description of how the network has been
set up and the hardware that we are using.
Network 1 : 10.10.X.X / 255.255.0.0 (The Other Company/Firewall)
Network 2 : 192.168.5.X.X / 255.255.0.0 (My company)
On the switch we have 2 VLANs.
The switch and gateway/firewall are controlled by the other company.
The router connects us to the internet. The router is controlled by the ISP.
 --------        --------        -------------
 |Router|        |HUB   |        |Comp. (Win)|(192.168.X.X)
 |Cisco |------->|      |------->|Network 2  |
 --------        --------        -------------
(192.168.X.X)       |   |________________________
(10.10.X.X)         |                           |(port Vlan2)
                    v                           v
               ----------                  ----------(Vlan 2) 192.168.X.X
               |Gateway |                  |Switch  |-------->NetWork 2 (Windows)
               |FireWall|----------------->|3Com    |(Vlan 1)
               |(Linux) |   (port Vlan1)   |        |-------->NetWork 1 (Windows)
               ----------                  ---------- 10.10.X.X
               (10.10.X.X)                 (10.10.X.X)
----- Original Message -----
From: "Tarragon Allen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 20, 2001 11:32 PM
Subject: Re: [expert] Firewall Log Question
> On Wed, 21 Nov 2001 14:09, Eduardo Bencomo wrote:
> > We are in a mixed network, which includes a Cisco router, a 3COM switch
> > common to the two networks, and a hub where the gateway/firewall Linux
> > computer is connected.
> >
> > One of the networks is my company network (192.168.X.X / 255.255.0.0; I
> > am in charge of it) and the other network belongs to another company
> > (10.10.X.X / 255.255.0.0). This company has a VPN. Now they are accusing
> > me of being a hacker, alleging we have tried to go into their VPN. As
> > proof of that, they are showing the following type of message:
>
> How do they know it's your network? The 192.168.x.x range is used by many
> many many people out there to define their internal networks, and is in
> fact supplied on spec (in one of the RFCs) for this very purpose. Just
> showing some logs with that IP in it doesn't seem to constitute any proof
> whatsoever that your particular network was involved.
>
> The actual packets they've listed here appear to be NetBIOS broadcasts.
> These are sent by Windows clients when they are trying to poll the network
> for other Windows machines. It looks to me like a Windows machine using
> 192.168.x.x is trying to poll something on their network. Again, no
> indication that it's necessarily from *your* network, it could be any
> machine using those IPs with a subnet mask of 255.255.0.0.
>
> If they are seeing these packets, how did they make it there? If they are
> running a VPN, the only way they could see these packets from your network
> would be if someone using that IP connected to their VPN and then
> forwarded packets to them. Unless they can provide more proof (perhaps with
> explanations of where they think the traffic is coming from, rather than a
> pile of oblique logs from a network and host you have no more information
> about) there's not much you can do.
>
> A "more information is required" situation. Also, I'd assume it's not
> "hacking" - it feels more like some sort of misconfiguration to me.
>
> Btw, is this other company on the same network or share network hardware?
> What connections do you have to this company? Could it be something as
> simple as a patch lead connecting two hubs together?
>
> t
>
> > Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
> >
> > Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
> >
> > Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
>
> --
> PGP key : http://n12turbo.com/tarragon/public.key
>
>
> --------------------------------------------------------------------------------
> Want to buy your Pack or Services from MandrakeSoft?
> Go to http://www.mandrakestore.com
>
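As an added example (not code from either poster), here is a small Python parser for the ipchains "Packet log:" lines quoted above. It separates the NetBIOS datagram broadcast (UDP 138 to 192.168.255.255) from the TCP SYN entries and, as Tarragon does by eye, infers from the broadcast address which subnet mask the sending host must be configured with; the log lines are the ones from the thread, rejoined onto single lines.

```python
import ipaddress
import re

# Log lines from the thread, in the old ipchains "Packet log:" format,
# rejoined here as the kernel would have emitted them (one entry per line).
SAMPLE_LOG = """\
Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
"""
# Field layout: chain action iface PROTO=n src:sport dst:dport L= S= I= F= T= [flags] (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=0x[0-9a-f]+ I=\d+ F=0x[0-9a-f]+ T=(?P<ttl>\d+)(?P<flags>.*)", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one Packet log entry as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].strip()
    return rec

def infer_broadcast_network(src, dst):
    """Smallest network containing src whose directed broadcast is dst, else None.
    A datagram to 192.168.255.255 from 192.168.x.x implies a /16 (255.255.0.0) sender."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for prefix in range(30, 0, -1):
        net = ipaddress.ip_network(f"{src_ip}/{prefix}", strict=False)
        if net.broadcast_address == dst_ip:
            return net
    return None

def classify(rec):
    """Label a record: NetBIOS broadcast (UDP 137/138), TCP SYN, or other."""
    if rec["proto"] == 17 and rec["dport"] in (137, 138):
        net = infer_broadcast_network(rec["src"], rec["dst"])
        return f"netbios-broadcast mask={net.netmask}" if net else "netbios-unicast"
    if rec["proto"] == 6 and "SYN" in rec["flags"]:
        return f"tcp-syn dport={rec['dport']}"
    return "other"

def analyse(text):
    """Parse every Packet log line in text and attach a label to each record."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    for rec in records:
        rec["label"] = classify(rec)
    return records

for rec in analyse(SAMPLE_LOG):
    print(f"{rec['action']:6} {rec['src']:>15} -> {rec['dst']:<15} {rec['label']}")
```

Run against a full firewall log, the labels make it easy to count how many "attack" entries are just Windows name-service chatter from a /16 host rather than anything aimed at the VPN.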