| 1 |
On Friday 08 July 2005 16:11, Hans-Werner Hilse wrote: |
| 2 |
> Well, two possibilities. |
| 3 |
> 1.) the packets are already mirrored at your own box |
| 4 |
> 2.) the packets are mirrored at the target box |
| 5 |
> |
| 6 |
> I guess it's #2, you can find out by tcptracing the wire. |
| 7 |
> |
| 8 |
> If I were to reproduce this behaviour of the remote box I'd set up an |
| 9 |
> iptables rule with the "MIRROR" target. See "man iptables" for an |
| 10 |
> explanation. |
| 11 |
|
| 12 |
I am aware of the MIRROR Target, and I agree that this would be the way to do |
| 13 |
this. |
| 14 |
|
| 15 |
> |
| 16 |
> This may be some scary tactics to irritate the support persons in |
| 17 |
> charge of managing the network - and has, according to you notes, |
| 18 |
> proven to work for that :-) |
| 19 |
|
| 20 |
Well it is certainly bugging me. |
| 21 |
|
| 22 |
> |
| 23 |
> My interpretion is: |
| 24 |
> hacked box, shell services running on UDP 161, mirroring everything |
| 25 |
> else to scare people :-) I think they've chosen SNMP port to hide their |
| 26 |
> traffic, maybe to get through some firewalls. |
| 27 |
> |
| 28 |
|
| 29 |
Umm, quite possible. How about they have set their SNMP broadcast to a too |
| 30 |
wide range, which includes the whole subnet? |
| 31 |
|
| 32 |
> -hwh |
| 33 |
|
| 34 |
Many thanks for your input, you have been helpful! |
| 35 |
|
| 36 |
-- |
| 37 |
Mike |
| 38 |
|
| 39 |
To see the world in a grain of sand, |
| 40 |
and to see heaven in a wild flower, |
| 41 |
hold infinity in the palm of your hands, |
| 42 |
and eternity in an hour. |
| 43 |
|
| 44 |
GnuGPG KeyID:=FC0D8D9A |
| 45 |
-- |
| 46 |
gentoo-user@g.o mailing list |
Archives