On Friday 08 July 2005 16:11, Hans-Werner Hilse wrote:
> Well, two possibilities.
> 1.) the packets are already mirrored at your own box
> 2.) the packets are mirrored at the target box
>
> I guess it's #2, you can find out by tcptracing the wire.
>
> If I were to reproduce this behaviour of the remote box I'd set up an
> iptables rule with the "MIRROR" target. See "man iptables" for an
> explanation.

I am aware of the MIRROR target, and I agree that this would be the way to do
this.

>
> This may be some scary tactics to irritate the support persons in
> charge of managing the network - and has, according to your notes,
> proven to work for that :-)

Well it is certainly bugging me.

>
> My interpretation is:
> hacked box, shell services running on UDP 161, mirroring everything
> else to scare people :-) I think they've chosen the SNMP port to hide their
> traffic, maybe to get through some firewalls.
>

Umm, quite possible. How about they have set their SNMP broadcast to a too
wide range, which includes the whole subnet?

> -hwh

Many thanks for your input, you have been helpful!

--
Mike

To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.

GnuGPG KeyID:=FC0D8D9A
--
gentoo-user@g.o mailing list