Re: [gentoo-user] 161 UDP Constant Connections

2005-07-08 Thread Hans-Werner Hilse
Hi,

On Fri, 8 Jul 2005 16:42:43 +0100
Michael Thompson <[EMAIL PROTECTED]> wrote:

> Umm, quite possible. How about they have set their SNMP broadcast to a too 
> wide range, which includes the whole subnet? 

Yes, of course, I've mixed up two items you told me, my fault. They're
sending SNMP, and yes, a too big broadcast would explain this. I've
mixed this with the other thing, the telnet access. What's displayed
there looks like an OTP (one time password) login to me :-) I've no clue
who CMN might be...

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] 161 UDP Constant Connections

2005-07-08 Thread Michael Thompson
On Friday 08 July 2005 16:11, Hans-Werner Hilse wrote:
> Well, two possibilities.
> 1.) the packets are already mirrored at your own box
> 2.) the packets are mirrored at the target box
>
> I guess it's #2, you can find out by tcptracing the wire.
>
> If I were to reproduce this behaviour of the remote box I'd set up an
> iptables rule with the "MIRROR" target. See "man iptables" for an
> explanation.

I am aware of the MIRROR Target, and I agree that this would be the way to do 
this.

>
> This may be some scary tactics to irritate the support persons in
> charge of managing the network - and has, according to your notes,
> proven to work for that :-)

Well it is certainly bugging me.

>
> My interpretation is:
> hacked box, shell services running on UDP 161, mirroring everything
> else to scare people :-) I think they've chosen SNMP port to hide their
> traffic, maybe to get through some firewalls.
>

Umm, quite possible. How about they have set their SNMP broadcast to a too 
wide range, which includes the whole subnet? 

> -hwh

Many thanks for your input, you have been helpful!

-- 
Mike

To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.

GnuGPG KeyID:=FC0D8D9A



Re: [gentoo-user] 161 UDP Constant Connections

2005-07-08 Thread Hans-Werner Hilse
Hi,

On Fri, 8 Jul 2005 15:46:42 +0100
Michael Thompson <[EMAIL PROTECTED]> wrote:

> > > Any one got any ideas?
> >
> > you could just try blackholing the IP at your firewall, or as I've
> > already mentioned - try and contact your ISP with all you know and see
> > if they can shed any light on it - it's possible a compromised box.
> 
> It is firewalled, and blacklisted. Has been for months. I am just curious as 
> to why it is coming back to me.

Well, two possibilities.
1.) the packets are already mirrored at your own box
2.) the packets are mirrored at the target box

I guess it's #2, you can find out by tcptracing the wire.

If I were to reproduce this behaviour of the remote box I'd set up an
iptables rule with the "MIRROR" target. See "man iptables" for an
explanation.

This may be some scary tactics to irritate the support persons in
charge of managing the network - and has, according to your notes,
proven to work for that :-)

My interpretation is:
hacked box, shell services running on UDP 161, mirroring everything
else to scare people :-) I think they've chosen SNMP port to hide their
traffic, maybe to get through some firewalls.

-hwh
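An added check, not from the thread, for the "mirroring" hypothesis above using iptables LOG lines: a genuine reply to one of our own probes comes back with source and destination ports swapped, whereas a mirrored packet keeps our original SPT/DPT pair. The log lines, host addresses and ports are constructed for illustration; the log format is the standard kernel netfilter LOG format.

```python
import re
from collections import Counter

# Constructed sample firewall log (not from the thread). 10.0.0.5 is "our" box,
# 212.56.68.108 the remote host from the original report.
SAMPLE_LOG = """\
Jul  8 15:01:02 box kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=212.56.68.108 LEN=28 PROTO=TCP SPT=40001 DPT=22 SYN
Jul  8 15:01:02 box kernel: IN=eth0 OUT= SRC=212.56.68.108 DST=10.0.0.5 LEN=28 PROTO=TCP SPT=40001 DPT=22 SYN
Jul  8 15:01:02 box kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=212.56.68.108 LEN=28 PROTO=TCP SPT=40002 DPT=80 SYN
Jul  8 15:01:03 box kernel: IN=eth0 OUT= SRC=212.56.68.108 DST=10.0.0.5 LEN=28 PROTO=TCP SPT=40002 DPT=80 SYN
Jul  8 15:02:10 box kernel: IN=eth0 OUT= SRC=212.56.68.108 DST=10.0.0.5 LEN=80 PROTO=UDP SPT=161 DPT=161
Jul  8 15:03:10 box kernel: IN=eth0 OUT= SRC=212.56.68.108 DST=10.0.0.5 LEN=80 PROTO=UDP SPT=1025 DPT=161
"""

FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")

def parse(line):
    """Return the key=value fields of one iptables LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def snmp_sources(log):
    """Count inbound UDP/161 (SNMP) packets per source address."""
    counts = Counter()
    for line in log.splitlines():
        f = parse(line)
        if f.get("IN") and f.get("PROTO") == "UDP" and f.get("DPT") == "161":
            counts[f["SRC"]] += 1
    return counts

def mirrored_probes(log, peer):
    """Return (proto, spt, dpt) of our outbound probes to `peer` that came back
    inbound from `peer` with the SAME port pair. A real reply would swap the
    ports (SPT=22, DPT=40001), so an unswapped copy points at a mirroring host
    rather than a genuine response."""
    outbound, mirrored = set(), []
    for line in log.splitlines():
        f = parse(line)
        if f.get("PROTO") not in ("TCP", "UDP"):
            continue
        key = (f["PROTO"], f.get("SPT"), f.get("DPT"))
        if f.get("OUT") and f.get("DST") == peer:
            outbound.add(key)
        elif f.get("IN") and f.get("SRC") == peer and key in outbound:
            mirrored.append(key)
    return mirrored

if __name__ == "__main__":
    print(snmp_sources(SAMPLE_LOG))
    print(mirrored_probes(SAMPLE_LOG, "212.56.68.108"))
```

A packet capture on the wire is still needed to tell whether the copy is generated by the remote host or somewhere closer; the log check only shows that what arrives is an unswapped echo of what was sent.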



Re: [gentoo-user] 161 UDP Constant Connections

2005-07-08 Thread Michael Thompson
On Friday 08 July 2005 15:32, Tim Igoe wrote:
> Michael Thompson wrote:
> > This IP 212.56.68.108 has been attempting to contact Port 161 UDP for
> > Months.
>
> Are you running SNMP on your box? Port 161 is SNMP, if you have it open
> to the outside world, could it be collecting data - hence often
> connections?

Nope. It is closed off and I don't have SNMP running.

>
> > Now when I try and run an NMAP scan against the box, I get my own logs
> > filled with the NMAP Scan. It is like 212.56.68.108 is mirroring to my IP
> > Space. And I don't understand why!
> >
> > The connecting IP is in my ISP range, however it has no rDNS which the
> > ISP would do according to their technical support. It maps back to
> > hugeglobal.net
>
> Contact your ISP's support department - see if they can help at all?

Have done, they are looking into it, but they admit it is strange and have no 
clue.

>
> > I'm not entirely sure it is a customer's machine, even though it is
> > within the ISP IP range.  Its rDNS shows it is
> >
> > hugeglobal.net.
> >
> > The odd thing to me, is if one does a lookup on hugeglobal.net one gets
> >
> > 82.103.128.2  and the rDNS of that is
> >
> > e82-103-128-2s.easyspeedy.com
>
> Possible the original hugeglobal.net machine has since changed ISPs but
> the old IP has been re-assigned without the rDNS entry being changed?
>

That is possible, but the ISP says they are still in control of the subnet.

> > Anyone got any ideas?
>
> you could just try blackholing the IP at your firewall, or as I've
> already mentioned - try and contact your ISP with all you know and see
> if they can shed any light on it - it's possible a compromised box.

It is firewalled, and blacklisted. Has been for months. I am just curious as 
to why it is coming back to me.

-- 
Mike

To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.

GnuGPG KeyID:=FC0D8D9A



Re: [gentoo-user] 161 UDP Constant Connections

2005-07-08 Thread Tim Igoe


Michael Thompson wrote:
> This IP 212.56.68.108 has been attempting to contact Port 161 UDP for
> Months.

Are you running SNMP on your box? Port 161 is SNMP, if you have it open
to the outside world, could it be collecting data - hence often connections?

> 
> Now when I try and run an NMAP scan against the box, I get my own logs filled
> with the NMAP Scan. It is like 212.56.68.108 is mirroring to my IP Space.
> And I don't understand why!
> 
> The connecting IP is in my ISP range, however it has no rDNS which the ISP
> would do according to their technical support. It maps back to
> hugeglobal.net

Contact your ISP's support department - see if they can help at all?

> 
> I'm not entirely sure it is a customer's machine, even though it is within
> the ISP IP range.  Its rDNS shows it is
> 
> hugeglobal.net.  
> 
> The odd thing to me, is if one does a lookup on hugeglobal.net one gets
> 
> 82.103.128.2  and the rDNS of that is
> 
> e82-103-128-2s.easyspeedy.com
> 

Possible the original hugeglobal.net machine has since changed ISPs but
the old IP has been re-assigned without the rDNS entry being changed?

> Not one of the local ISP I am using. 
> 
> Telnetting to the IP gives this:
> 
> Telnet 212.56.68.108 connects giving...
> 
> __  _
>___ | |_ _ ___ __ ___  __ _ _   ()_ __ ___  __| |
>   / _ \| __| '_ \  | '__/ _ \/ _` | | | | | '__/ _ \/ _` |
> | (_) | |_| |_) | | | |  __/ (_| | |_| | | | |  __/ (_| |
>   \___/ \__| .__/  |_|  \___|\__, |\__,_|_|_|  \___|\__,_|
>|_|  |_|
>If you do not have a CMN registered OTP device you
>will not be able to login.
> 
>OTP USERS:  THIS CONNECTION IS NOT ENCRYPTED, BE SMART
> 
> larabee login:
> 
> 
> Anyone got any ideas?
> 
> 
you could just try blackholing the IP at your firewall, or as I've
already mentioned - try and contact your ISP with all you know and see
if they can shed any light on it - it's possible a compromised box.
-- 
Tim Igoe
[EMAIL PROTECTED]
http://tim.igoe.me.uk - Personal Site
http://tv.igoe.me.uk - UK TV Guide

"Computers are like Air-con, open windows and they stop working!"

