From: Hans-Werner Hilse
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] 161 UDP Constant Connections
Date: Fri, 8 Jul 2005 17:11:15 +0200
Message-Id: <20050708171115.2f92ce04.hilse@web.de>
In-Reply-To: <200507081546.44691.mike@thompsonmike.co.uk>
References: <200507081516.52836.mike@thompsonmike.co.uk> <42CE8E7B.3050606@igoe.me.uk> <200507081546.44691.mike@thompsonmike.co.uk>
X-Mailer: Sylpheed version 1.9.12 (GTK+ 2.6.8; i386-pc-dragonfly1)

Hi,

On Fri, 8 Jul 2005 15:46:42 +0100 Michael Thompson wrote:

> > > Anyone got any ideas?
> >
> > you could just try blackholing the IP at your firewall, or as I've
> > already mentioned - try and contact your ISP with all you know and see
> > if they can shed any light on it - it's possibly a compromised box.
>
> It is firewalled, and blacklisted. Has been for months. I am just curious as
> to why it is coming back to me.

Well, two possibilities.

1.) the packets are already mirrored at your own box
2.) the packets are mirrored at the target box

I guess it's #2; you can find out by tcptracing the wire. If I were to
reproduce this behaviour of the remote box I'd set up an iptables rule
with the "MIRROR" target. See "man iptables" for an explanation.

This may be some scare tactic to irritate the support persons in charge
of managing the network - and has, according to your notes, proven to work
for that :-)

My interpretation is: hacked box, shell services running on UDP 161,
mirroring everything else to scare people :-)

I think they've chosen the SNMP port to hide their traffic, maybe to get
through some firewalls.

-hwh
-- 
gentoo-user@gentoo.org mailing list
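The reply above suggests tracing the wire to tell a mirrored datagram from a genuine answer. The script below is an added example, not code from the thread or from any Gentoo project, showing what that check looks like once a capture is in hand: it pairs each outbound UDP datagram with the first return packet whose 5-tuple is the exact reverse, and calls the pair "mirrored" when the payload comes back byte-for-byte (what a netfilter MIRROR-style reflector produces), "answered" when the payload differs (a real SNMP agent replying), and "unanswered" otherwise. The trace format is a simplified one-datagram-per-line summary constructed for the example, not real tcpdump output; the IP addresses, ports, payload bytes and the one-second pairing window are all assumptions. Feed it real data by printing your own capture in that form (for instance from a small scapy or pyshark script). Note that the MIRROR target the reply refers to is no longer available in modern kernels, so reproducing the remote behaviour today needs a different tool.

```python
"""Classify UDP return traffic as mirrored, answered or unanswered.

Added example: pairs outbound datagrams with returns whose src/dst
addresses and ports are swapped, then compares payloads to detect
reflection (the behaviour discussed for UDP/161 in the thread).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample trace (not a real capture). One UDP datagram per line:
#   <time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>, payload <hex>
# 192.0.2.10 is the local host, 198.51.100.5 the remote "SNMP" box.
SAMPLE_TRACE = """\
17:11:15.000100 IP 192.0.2.10.45000 > 198.51.100.5.161: UDP, length 6, payload aabbccddeeff
17:11:15.000900 IP 198.51.100.5.161 > 192.0.2.10.45000: UDP, length 6, payload aabbccddeeff
17:11:16.000100 IP 192.0.2.10.45001 > 198.51.100.5.161: UDP, length 4, payload 01020304
17:11:16.000950 IP 198.51.100.5.161 > 192.0.2.10.45001: UDP, length 4, payload 01020304
17:11:17.000100 IP 192.0.2.10.45002 > 198.51.100.5.161: UDP, length 4, payload 30020101
17:11:17.003000 IP 198.51.100.5.161 > 192.0.2.10.45002: UDP, length 6, payload 300402010400
17:11:18.000100 IP 192.0.2.10.45003 > 198.51.100.5.161: UDP, length 2, payload dead
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"UDP, length \d+, payload (?P<payload>[0-9a-fA-F]*)$"
)


@dataclass(frozen=True)
class Datagram:
    ts: float          # seconds since midnight
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_ts(ts: str) -> float:
    """Convert HH:MM:SS.frac to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text: str) -> List[Datagram]:
    """Parse the summary format above; lines that do not match are skipped."""
    out: List[Datagram] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Datagram(parse_ts(m["ts"]), m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), bytes.fromhex(m["payload"])))
    return out


def classify(trace: List[Datagram], local_ip: str,
             window: float = 1.0) -> List[Tuple[Datagram, str, Optional[float]]]:
    """Pair each outbound datagram with its reverse-5-tuple return.

    Returns (outbound datagram, verdict, delay) sorted by send time, where
    verdict is "mirrored" (identical payload came back), "answered"
    (different payload came back) or "unanswered" (nothing within window).
    """
    pending: List[Datagram] = []      # outbound datagrams still awaiting a return
    results: List[Tuple[Datagram, str, Optional[float]]] = []
    for d in trace:
        if d.src == local_ip:
            pending.append(d)
            continue
        if d.dst != local_ip:
            continue                  # traffic between third parties
        for i, o in enumerate(pending):
            reverse = (o.dst, o.dport, o.src, o.sport) == (d.src, d.sport, d.dst, d.dport)
            if reverse and 0 <= d.ts - o.ts <= window:
                verdict = "mirrored" if d.payload == o.payload else "answered"
                results.append((o, verdict, d.ts - o.ts))
                del pending[i]
                break
    for o in pending:
        results.append((o, "unanswered", None))
    results.sort(key=lambda r: r[0].ts)
    return results


def summarize(results) -> Dict[str, int]:
    """Count verdicts; a majority of 'mirrored' points at a reflector."""
    counts: Dict[str, int] = {}
    for _, verdict, _ in results:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    res = classify(parse_trace(SAMPLE_TRACE), "192.0.2.10")
    for o, verdict, delay in res:
        rtt = "n/a" if delay is None else f"{delay * 1000:.2f} ms"
        print(f"{o.src}:{o.sport} -> {o.dst}:{o.dport} {verdict:10s} {rtt}")
    print(summarize(res))
```

Capture at the interface facing the remote host rather than on loopback: a datagram that goes out and comes back on the same wire with an unchanged payload is reflected at the far end (possibility #2 in the reply), while one that never leaves the host would not show up there at all.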