Hi,

On Fri, 8 Jul 2005 15:46:42 +0100
Michael Thompson <mike@×××××××××××××××.uk> wrote:

> > > Anyone got any ideas?
> >
> > you could just try blackholing the IP at your firewall, or as I've
> > already mentioned - try and contact your ISP with all you know and see
> > if they can shed any light on it - it's possibly a compromised box.
>
> It is firewalled, and blacklisted. Has been for months. I am just curious as
> to why it is coming back to me.

Well, two possibilities.
1.) the packets are already mirrored at your own box
2.) the packets are mirrored at the target box

I guess it's #2, you can find out by tcptracing the wire.

If I were to reproduce this behaviour of the remote box I'd set up an
iptables rule with the "MIRROR" target. See "man iptables" for an
explanation.

This may be some scare tactics to irritate the support persons in
charge of managing the network - and has, according to your notes,
proven to work for that :-)

My interpretation is:
hacked box, shell services running on UDP 161, mirroring everything
else to scare people :-) I think they've chosen the SNMP port to hide their
traffic, maybe to get through some firewalls.

-hwh
--
gentoo-user@g.o mailing list
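An added example, not from this thread, of the check hwh suggests doing on the wire: given a capture, flag packets that came back with only the endpoints swapped, as an iptables MIRROR-style reflection would, rather than changed the way a genuine reply is. The packet records, addresses and payload bytes are constructed for the example; a real run would feed it tshark/tcpdump output.

```python
from collections import namedtuple

# Minimal packet record for the example (constructed; a real capture would
# be parsed from tcpdump/tshark output or a pcap library).
Pkt = namedtuple("Pkt", "ts src dst sport dport proto flags payload")

def is_mirror_of(sent, recv, max_delay=1.0):
    """True if `recv` looks like `sent` bounced back with endpoints swapped.

    A genuine reply changes something (SYN -> SYN/ACK, request -> response);
    a MIRROR-style reflection keeps flags and payload and only swaps
    addresses and ports.
    """
    return (recv.src == sent.dst and recv.dst == sent.src
            and recv.sport == sent.dport and recv.dport == sent.sport
            and recv.proto == sent.proto
            and recv.flags == sent.flags
            and recv.payload == sent.payload
            and 0 <= recv.ts - sent.ts <= max_delay)

def find_mirrored(packets, local_ip):
    """Return (sent, received) pairs where a remote host reflected our packet.

    `packets` is the capture in time order; `local_ip` is our own address.
    """
    outgoing = [p for p in packets if p.src == local_ip]
    incoming = [p for p in packets if p.dst == local_ip]
    pairs = []
    for s in outgoing:
        for r in incoming:
            if is_mirror_of(s, r):
                pairs.append((s, r))
                break
    return pairs

# Constructed sample capture: one UDP/161 probe answered by a real agent,
# one reflected back unchanged, and one ordinary TCP SYN/SYN-ACK exchange.
SAMPLE = [
    Pkt(0.00, "10.0.0.5", "198.51.100.9", 40000, 161, "udp", "", b"\x30\x26\x02\x01\x00"),
    Pkt(0.05, "198.51.100.9", "10.0.0.5", 161, 40000, "udp", "", b"\x30\x33\x02\x01\x00"),  # real answer differs
    Pkt(1.00, "10.0.0.5", "203.0.113.7", 40001, 161, "udp", "", b"\x30\x26\x02\x01\x00"),
    Pkt(1.02, "203.0.113.7", "10.0.0.5", 161, 40001, "udp", "", b"\x30\x26\x02\x01\x00"),  # identical: mirrored
    Pkt(2.00, "10.0.0.5", "203.0.113.7", 40002, 22, "tcp", "S", b""),
    Pkt(2.03, "203.0.113.7", "10.0.0.5", 22, 40002, "tcp", "SA", b""),  # SYN/ACK, not a mirror
]

if __name__ == "__main__":
    for s, r in find_mirrored(SAMPLE, "10.0.0.5"):
        print(f"{r.src} reflected our {s.proto}/{s.dport} probe after {r.ts - s.ts:.2f}s")
```

To separate possibility #1 from #2 above, run the same comparison on a capture taken upstream of your own box: a reflection that appears there too is coming from the remote side.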