| 1 |
Hi, |
| 2 |
|
| 3 |
On Fri, 8 Jul 2005 15:46:42 +0100 |
| 4 |
Michael Thompson <mike@×××××××××××××××.uk> wrote: |
| 5 |
|
| 6 |
> > > Any one got any ideas? |
| 7 |
> > |
| 8 |
> > you could just try blackholing the IP at your firewall, or as i've |
| 9 |
> > already mentioned - try and contact your ISP with all you know and see |
| 10 |
> > if htey can shed any light on it - its possible a comprimised box. |
| 11 |
> |
| 12 |
> It is firewalled, and blacklisted. Has been for months. I am just curious as |
| 13 |
> to why it is coming back to me. |
| 14 |
|
| 15 |
Well, two possibilities. |
| 16 |
1.) the packets are already mirrored at your own box |
| 17 |
2.) the packets are mirrored at the target box |
| 18 |
|
| 19 |
I guess it's #2, you can find out by tcptracing the wire. |
| 20 |
|
| 21 |
If I were to reproduce this behaviour of the remote box I'd set up an |
| 22 |
iptables rule with the "MIRROR" target. See "man iptables" for an |
| 23 |
explanation. |
| 24 |
|
| 25 |
This may be some scary tactics to irritate the support persons in |
| 26 |
charge of managing the network - and has, according to you notes, |
| 27 |
proven to work for that :-) |
| 28 |
|
| 29 |
My interpretion is: |
| 30 |
hacked box, shell services running on UDP 161, mirroring everything |
| 31 |
else to scare people :-) I think they've chosen SNMP port to hide their |
| 32 |
traffic, maybe to get through some firewalls. |
| 33 |
|
| 34 |
-hwh |
| 35 |
-- |
| 36 |
gentoo-user@g.o mailing list |
Archives