Michael Thompson wrote:
> This IP 212.56.68.108 has been attempting to contact Port 161 UDP for
> months.

Are you running SNMP on your box? Port 161 is SNMP; if you have it open
to the outside world, could it be collecting data, hence the frequent connections?

>
> No, when I try and run an NMAP scan against the box, I get my own logs filled
> with the NMAP scan. It is like 212.56.68.108 is mirroring to my IP space.
> And I don't understand why!
>
> The connecting IP is in my ISP range, however it has no rDNS, which the ISP
> would do according to their technical support. It maps back to
> hugeglobal.net

Contact your ISP's support department - see if they can help at all?

>
> I'm not entirely sure it is a customer's machine, even though it is within
> the ISP IP range. Its rDNS shows it is
>
> hugeglobal.net.
>
> The odd thing to me is, if one does a lookup on hugeglobal.net one gets
>
> 82.103.128.2 and the rDNS of that is
>
> e82-103-128-2s.easyspeedy.com
>

Possibly the original hugeglobal.net machine has since changed ISPs but
the old IP has been re-assigned without the rDNS entry being changed?

> Not one of the local ISPs I am using.
>
> Telnetting to the IP gives this:
>
> Telnet 212.56.68.108 connects giving...
>
>  _ _ _
> ___ | |_ _ __ _ __ ___ __ _ _ ()_ __ ___ __| |
> / _ \| __| '_ \ | '__/ _ \/ _` | | | | | '__/ _ \/ _` |
> | (_) | |_| |_) | | | | __/ (_| | |_| | | | | __/ (_| |
> \___/ \__| .__/ |_| \___|\__, |\__,_|_|_| \___|\__,_|
> |_| |_|
> If you do not have a CMN registered OTP device you
> will not be able to login.
>
> OTP USERS: THIS CONNECTION IS NOT ENCRYPTED, BE SMART
>
> larabee login:
>
>
> Anyone got any ideas?
>
>
You could just try blackholing the IP at your firewall, or as I've
already mentioned - try and contact your ISP with all you know and see
if they can shed any light on it - it's possibly a compromised box.
--
Tim Igoe
tim@×××××××.uk
http://tim.igoe.me.uk - Personal Site
http://tv.igoe.me.uk - UK TV Guide

"Computers are like Air-con, open windows and they stop working!"
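The thread turns on one observation: a single source address hitting UDP/161 (SNMP) over a period of months. Before blackholing an IP or opening a ticket with the ISP, it helps to have the firewall log summarised per source, so the "months" claim is backed by first-seen and last-seen dates and a hit count. The script below is an added example, not code from the thread or from either poster; it parses iptables LOG-target lines, which are constructed sample data here, and the year passed to `summarize_probes` is an assumption because syslog timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample lines in iptables LOG-target format (not taken from the thread).
# The first three show one source returning to UDP/161 over several weeks; the
# last two show a different source that only touched 161 once.
SAMPLE_LOG = """\
Mar  1 02:14:07 gw kernel: IN=eth0 OUT= SRC=212.56.68.108 DST=10.0.0.5 PROTO=UDP SPT=1024 DPT=161 LEN=60
Mar  3 11:02:55 gw kernel: IN=eth0 OUT= SRC=212.56.68.108 DST=10.0.0.5 PROTO=UDP SPT=1025 DPT=161 LEN=60
Apr 20 09:31:40 gw kernel: IN=eth0 OUT= SRC=212.56.68.108 DST=10.0.0.5 PROTO=UDP SPT=1026 DPT=161 LEN=60
Apr 21 09:31:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=22 LEN=60
Apr 22 09:31:40 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=UDP SPT=40001 DPT=161 LEN=60
"""

_TS = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s")
_SRC = re.compile(r"\bSRC=(\S+)")
_PROTO = re.compile(r"\bPROTO=(\S+)")
_DPT = re.compile(r"\bDPT=(\d+)")


def parse_line(line, year):
    """Return (timestamp, src, proto, dport) for a firewall log line, or None."""
    ts, src, proto, dpt = (_TS.match(line), _SRC.search(line),
                           _PROTO.search(line), _DPT.search(line))
    if not (ts and src and proto and dpt):
        return None
    # syslog timestamps have no year, so the caller supplies one (assumed value)
    stamp = f"{year} {ts.group(1)} {int(ts.group(2))} {ts.group(3)}"
    when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    return when, src.group(1), proto.group(1).upper(), int(dpt.group(1))


def summarize_probes(log_text, year, proto="UDP", port=161):
    """Per source IP: hit count, first/last seen and span in days for proto/port."""
    summary = {}
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        when, src, p, dport = parsed
        if p != proto or dport != port:
            continue  # other traffic from the same host is not what we count
        entry = summary.setdefault(src, {"hits": 0, "first": when, "last": when})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    for entry in summary.values():
        entry["span_days"] = (entry["last"] - entry["first"]).days
    return summary


def persistent_sources(summary, min_days=30, min_hits=2):
    """Sources that kept returning over at least min_days with at least min_hits attempts."""
    return sorted(src for src, e in summary.items()
                  if e["span_days"] >= min_days and e["hits"] >= min_hits)


if __name__ == "__main__":
    s = summarize_probes(SAMPLE_LOG, year=2005)  # year is an assumption
    for src, e in sorted(s.items()):
        print(f"{src}: {e['hits']} hits to UDP/161, first {e['first']:%b %d}, "
              f"last {e['last']:%b %d}, span {e['span_days']} days")
    print("persistent sources:", persistent_sources(s))
```

The per-source summary is what you would attach to the ISP ticket Tim suggests, and the `persistent_sources` threshold separates a host that returns for weeks from the one-off scans that every Internet-facing box sees. If SNMP is not meant to be reachable from outside at all, the same log data also confirms whether the firewall is actually dropping 161/UDP rather than just logging it.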