* [gentoo-user] 161 UDP Constant Connections
From: Michael Thompson @ 2005-07-08 14:16 UTC
To: gentoo-user
This IP 212.56.68.108 has been attempting to contact port 161 UDP for
months.
Now when I try and run an NMAP scan against the box, I get my own logs filled
with the NMAP scan. It is like 212.56.68.108 is mirroring to my IP space.
And I don't understand why!
The connecting IP is in my ISP range, however it has no rDNS which the ISP
would do according to their technical support. It maps back to
hugeglobal.net
I'm not entirely sure it is a customer's machine, even though it is within
the ISP IP range. Its rDNS shows it is
hugeglobal.net.
The odd thing to me, is if one does a lookup on hugeglobal.net one gets
82.103.128.2 and the rDNS of that is
e82-103-128-2s.easyspeedy.com
Not one of the local ISPs I am using.
Telnetting to the IP gives this:
Telnet 212.56.68.108 connects giving...
_ _ _
___ | |_ _ __ _ __ ___ __ _ _ ()_ __ ___ __| |
/ _ \| __| '_ \ | '__/ _ \/ _` | | | | | '__/ _ \/ _` |
| (_) | |_| |_) | | | | __/ (_| | |_| | | | | __/ (_| |
\___/ \__| .__/ |_| \___|\__, |\__,_|_|_| \___|\__,_|
|_| |_|
If you do not have a CMN registered OTP device you
will not be able to login.
OTP USERS: THIS CONNECTION IS NOT ENCRYPTED, BE SMART
larabee login:
Anyone got any ideas?
--
Mike
To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.
GnuGPG KeyID:=FC0D8D9A
* Re: [gentoo-user] 161 UDP Constant Connections
From: Tim Igoe @ 2005-07-08 14:32 UTC
To: gentoo-user
Michael Thompson wrote:
> This IP 212.56.68.108 has been attempting to contact port 161 UDP for
> months.
Are you running SNMP on your box? Port 161 is SNMP; if you have it open
to the outside world, could it be collecting data - hence the frequent connections?
>
> Now when I try and run an NMAP scan against the box, I get my own logs filled
> with the NMAP scan. It is like 212.56.68.108 is mirroring to my IP space.
> And I don't understand why!
>
> The connecting IP is in my ISP range, however it has no rDNS which the ISP
> would do according to their technical support. It maps back to
> hugeglobal.net
Contact your ISP's support department - see if they can help at all?
>
> I'm not entirely sure it is a customer's machine, even though it is within
> the ISP IP range. Its rDNS shows it is
>
> hugeglobal.net.
>
> The odd thing to me, is if one does a lookup on hugeglobal.net one gets
>
> 82.103.128.2 and the rDNS of that is
>
> e82-103-128-2s.easyspeedy.com
>
Possibly the original hugeglobal.net machine has since changed ISPs but
the old IP has been re-assigned without the rDNS entry being changed?
> Not one of the local ISPs I am using.
>
> Telnetting to the IP gives this:
>
> Telnet 212.56.68.108 connects giving...
>
> _ _ _
> ___ | |_ _ __ _ __ ___ __ _ _ ()_ __ ___ __| |
> / _ \| __| '_ \ | '__/ _ \/ _` | | | | | '__/ _ \/ _` |
> | (_) | |_| |_) | | | | __/ (_| | |_| | | | | __/ (_| |
> \___/ \__| .__/ |_| \___|\__, |\__,_|_|_| \___|\__,_|
> |_| |_|
> If you do not have a CMN registered OTP device you
> will not be able to login.
>
> OTP USERS: THIS CONNECTION IS NOT ENCRYPTED, BE SMART
>
> larabee login:
>
>
> Anyone got any ideas?
>
>
You could just try blackholing the IP at your firewall, or as I've
already mentioned - try and contact your ISP with all you know and see
if they can shed any light on it - it's possibly a compromised box.
--
Tim Igoe
tim@igoe.me.uk
http://tim.igoe.me.uk - Personal Site
http://tv.igoe.me.uk - UK TV Guide
"Computers are like Air-con, open windows and they stop working!"
* Re: [gentoo-user] 161 UDP Constant Connections
From: Michael Thompson @ 2005-07-08 14:46 UTC
To: gentoo-user
On Friday 08 July 2005 15:32, Tim Igoe wrote:
> Michael Thompson wrote:
> > This IP 212.56.68.108 has been attempting to contact port 161 UDP for
> > months.
>
> Are you running SNMP on your box? Port 161 is SNMP; if you have it open
> to the outside world, could it be collecting data - hence the frequent
> connections?
Nope. It is closed off and I don't have SNMP running.
>
> > Now when I try and run an NMAP scan against the box, I get my own logs
> > filled with the NMAP scan. It is like 212.56.68.108 is mirroring to my IP
> > space. And I don't understand why!
> >
> > The connecting IP is in my ISP range, however it has no rDNS which the
> > ISP would do according to their technical support. It maps back to
> > hugeglobal.net
>
> Contact your ISP's support department - see if they can help at all?
Have done, they are looking into it, but they admit it is strange and have no
clue.
>
> > I'm not entirely sure it is a customer's machine, even though it is
> > within the ISP IP range. Its rDNS shows it is
> >
> > hugeglobal.net.
> >
> > The odd thing to me, is if one does a lookup on hugeglobal.net one gets
> >
> > 82.103.128.2 and the rDNS of that is
> >
> > e82-103-128-2s.easyspeedy.com
>
> Possibly the original hugeglobal.net machine has since changed ISPs but
> the old IP has been re-assigned without the rDNS entry being changed?
>
That is possible, but the ISP says they are still in control of the subnet.
> > Anyone got any ideas?
>
> You could just try blackholing the IP at your firewall, or as I've
> already mentioned - try and contact your ISP with all you know and see
> if they can shed any light on it - it's possibly a compromised box.
It is firewalled, and blacklisted. Has been for months. I am just curious as
to why it is coming back to me.
--
Mike
To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.
GnuGPG KeyID:=FC0D8D9A
--
gentoo-user@gentoo.org mailing list
From: Hans-Werner Hilse @ 2005-07-08 15:11 UTC
To: gentoo-user
Hi,
On Fri, 8 Jul 2005 15:46:42 +0100
Michael Thompson <mike@thompsonmike.co.uk> wrote:
> > > Anyone got any ideas?
> >
> > You could just try blackholing the IP at your firewall, or as I've
> > already mentioned - try and contact your ISP with all you know and see
> > if they can shed any light on it - it's possibly a compromised box.
>
> It is firewalled, and blacklisted. Has been for months. I am just curious as
> to why it is coming back to me.
Well, two possibilities.
1.) the packets are already mirrored at your own box
2.) the packets are mirrored at the target box
I guess it's #2, you can find out by tcptracing the wire.
If I were to reproduce this behaviour of the remote box I'd set up an
iptables rule with the "MIRROR" target. See "man iptables" for an
explanation.
This may be a scare tactic to irritate the support people in
charge of managing the network - and has, according to your notes,
proven to work for that :-)
My interpretation is:
hacked box, shell services running on UDP 161, mirroring everything
else to scare people :-) I think they've chosen the SNMP port to hide their
traffic, maybe to get through some firewalls.
-hwh
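The two possibilities above are settled by looking at the wire, so here is an added example (not code from the thread or from any of its authors) that does that triage over a tcpdump-style text capture. It assumes our own address is 203.0.113.10 (an RFC 5737 documentation address), that the capture was taken with `tcpdump -nn`, and that the sample lines are constructed. The mirror signature it looks for follows from what the thread says about the iptables MIRROR target: the source and destination addresses in the IP header are inverted and the packet is resent, so the port numbers stay where they were. A genuine reply comes back with the ports swapped; a packet that arrives from the remote host with our original source and destination ports intact, moments after we sent it, is the tell-tale of a mirror rather than of a service answering. The same pass also counts how often UDP/161 is being hit and by whom, which is the first thing to check before assuming SNMP itself is involved.

```python
"""Triage a tcpdump -nn text capture: count UDP/161 probes per remote source and
flag inbound packets that look like our own probes bounced back by a mirror.
Added example with constructed input; not code from the mailing-list thread."""
import re
from collections import Counter, defaultdict

LOCAL_IP = "203.0.113.10"     # assumption: our own address (RFC 5737 range)
REMOTE_IP = "212.56.68.108"   # the address discussed in the thread

# Constructed tcpdump -nn output: two SNMP probes from the remote host, a
# three-port SYN scan we ran against it, two mirrored copies of our probes
# (ports unchanged, addresses swapped), one genuine SYN/ACK reply (ports
# swapped), and an unrelated UDP/161 probe from a third host.
SAMPLE_LOG = """\
12:00:01.000000 IP 212.56.68.108.1027 > 203.0.113.10.161: UDP, length 42
12:00:02.000000 IP 212.56.68.108.1027 > 203.0.113.10.161: UDP, length 42
12:00:03.000000 IP 203.0.113.10.40000 > 212.56.68.108.22: Flags [S], seq 1, length 0
12:00:03.000200 IP 212.56.68.108.40000 > 203.0.113.10.22: Flags [S], seq 1, length 0
12:00:03.000400 IP 203.0.113.10.40001 > 212.56.68.108.80: Flags [S], seq 2, length 0
12:00:03.000600 IP 212.56.68.108.40001 > 203.0.113.10.80: Flags [S], seq 2, length 0
12:00:03.000800 IP 203.0.113.10.40002 > 212.56.68.108.25: Flags [S], seq 3, length 0
12:00:03.001000 IP 212.56.68.108.25 > 203.0.113.10.40002: Flags [S.], seq 9, ack 4, length 0
12:00:09.000000 IP 198.51.100.7.5555 > 203.0.113.10.161: UDP, length 60
"""

# "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<sip>[\d.]+)\.(?P<sport>\d+) > (?P<dip>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<rest>.*)$"
)


def parse(line):
    """Return a packet dict for one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),
        "sip": m["sip"], "sport": int(m["sport"]),
        "dip": m["dip"], "dport": int(m["dport"]),
        "proto": "UDP" if m["rest"].startswith("UDP") else "TCP",
    }


def snmp_probes(log):
    """Count UDP/161 packets aimed at LOCAL_IP, keyed by remote source address."""
    counts = Counter()
    for p in map(parse, log.splitlines()):
        if p and p["proto"] == "UDP" and p["dip"] == LOCAL_IP and p["dport"] == 161:
            counts[p["sip"]] += 1
    return counts


def mirrored_packets(log, window=0.5):
    """Inbound packets that repeat the exact (sport, dport) of something we sent
    to the same peer within `window` seconds.  An ordinary reply never matches,
    because it comes back with the two ports swapped."""
    sent = defaultdict(list)   # (peer, our sport, our dport) -> timestamps
    hits = []
    for p in map(parse, log.splitlines()):
        if not p:
            continue
        if p["sip"] == LOCAL_IP:
            sent[(p["dip"], p["sport"], p["dport"])].append(p["ts"])
        elif p["dip"] == LOCAL_IP:
            key = (p["sip"], p["sport"], p["dport"])
            if any(0 <= p["ts"] - t <= window for t in sent.get(key, [])):
                hits.append(p)
    return hits


if __name__ == "__main__":
    for ip, n in snmp_probes(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} packets to UDP/161")
    for p in mirrored_packets(SAMPLE_LOG):
        print(f"mirrored probe: {p['sip']}:{p['sport']} -> {p['dip']}:{p['dport']}")
```

Run against a real capture with `tcpdump -nn -l host 212.56.68.108 | python3 triage.py` after replacing the constructed SAMPLE_LOG with stdin; if mirrored_packets() comes back empty while the scan still shows up in the firewall log, the reflection is happening somewhere on your own side (possibility 1), which is what a wire capture between the two hosts would also show.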
From: Michael Thompson @ 2005-07-08 15:42 UTC
To: gentoo-user
On Friday 08 July 2005 16:11, Hans-Werner Hilse wrote:
> Well, two possibilities.
> 1.) the packets are already mirrored at your own box
> 2.) the packets are mirrored at the target box
>
> I guess it's #2, you can find out by tcptracing the wire.
>
> If I were to reproduce this behaviour of the remote box I'd set up an
> iptables rule with the "MIRROR" target. See "man iptables" for an
> explanation.
I am aware of the MIRROR Target, and I agree that this would be the way to do
this.
>
> This may be a scare tactic to irritate the support people in
> charge of managing the network - and has, according to your notes,
> proven to work for that :-)
Well it is certainly bugging me.
>
> My interpretation is:
> hacked box, shell services running on UDP 161, mirroring everything
> else to scare people :-) I think they've chosen the SNMP port to hide their
> traffic, maybe to get through some firewalls.
>
Umm, quite possible. How about they have set their SNMP broadcast to too
wide a range, which includes the whole subnet?
> -hwh
Many thanks for your input, you have been helpful!
--
Mike
To see the world in a grain of sand,
and to see heaven in a wild flower,
hold infinity in the palm of your hands,
and eternity in an hour.
GnuGPG KeyID:=FC0D8D9A
From: Hans-Werner Hilse @ 2005-07-08 15:54 UTC
To: gentoo-user
Hi,
On Fri, 8 Jul 2005 16:42:43 +0100
Michael Thompson <mike@thompsonmike.co.uk> wrote:
> Umm, quite possible. How about they have set their SNMP broadcast to too
> wide a range, which includes the whole subnet?
Yes, of course, I've mixed up two items you told me, my fault. They're
sending SNMP, and yes, too big a broadcast would explain this. I mixed
this up with the other thing, the telnet access. What's displayed
there looks like an OTP (one time password) login to me :-) I've no clue
who CMN might be...
-hwh