
Re: [cobalt-users] IP spoof? Where do I go now?



On Sun, 18 Mar 2001, Dan wrote:

> For the past two weeks someone using IP Address 192.168.0.1 has been
> portscanning me on various ports.  I went to the Arin website and punched in

Let me guess, ports 67, 137, 138, 139, 1080?

As arin says, these IP addresses are reserved for use in *internal* LANs,
however, misconfigured (or non-existent) firewalls often 'leak' packets
with these IP addresses in them, since these addresses don't belong to anyone, the
routers are often confused, and these packets will float about the net
looking for a home. I have seen them go a dozen hops before the core
routers figure out they do not in fact have the slightest clue where to
send them ;)

The most likely explanation is someone has a winders machine
near your machine (physically as in number of network hops) and
these things are leaking about, and for whatever reason the router has
decided your machine knows where to send them so it's sending them to you
;) (or you are probably getting the bounced part)

(Commonly referred to as the net's 'background radiation')

Note that they are UDP, so the 'from' IP address isn't very helpful in
determining where they really came from, the only way you are going to find
out for certain is to have your upstream look at packets and trace them
back, though it would probably be better if they just blocked them, as they
have no business going anywhere to start with....

> Now what do I do - the IP is being blocked by Portsentry & IPchains but I
> notice I got this from my logcheck just now:
> 
> Mar 18 14:29:27 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:67
> 255.255.255.255:68 L=328 S=0x00 I=21004 F=0x0000 T=128 (#1)
> 
> What does this mean? Also what can I do about 192.168.0.1 now? I put the
> same IP address in internic's WHOIS search and got the following:

Means you got a lost UDP (=17) packet claiming to be from IP address
192.168.0.1 on port 67 (bootp client)

255.255.255.255:68 means it's to a broadcast address, so it's probably on
the same ethernet segment you are...

I'm hoping you aren't gonna tell me you are connected via a cable modem ;)

note that responding to the bootp request would tell the other machine
there is a machine at your IP address, not much else is gonna happen...

last but not least, bootp requests are related to dhcp requests, so you
will get lots of similar junk from any lan using dhcp with a combined
bootp/dhcp server that's not filtered properly


> 
> Server Name: DEATH.FARAWAY.CX
>    IP Address: 192.168.0.1
> What am I to do with this information - does it help me at all?

Not unless you are on Christmas Island -/

The whois data gets silly things stuffed into it regularly by hacker
wannabes ;)

try 'whois microsoft.com' sometime ;)

gsh
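The reading of the ipchains log line above (UDP, 67 to 68, limited broadcast destination, RFC 1918 source) can be turned into a small triage script. The following is an added example and not code from the thread or from the Cobalt project: it parses the ipchains 'Packet log' format, tags each entry with the checks discussed in the reply (is the source an RFC 1918 address that whois cannot help with, is the destination the limited broadcast address that routers never forward, does the length fit a BOOTP/DHCP message), and emits ipchains ingress rules for the private source blocks it saw. The sample log lines are constructed; the first copies the format of the quoted entry. The 300-byte figure is the common RFC 1542 padding of BOOTP/DHCP messages and the port assignments (67/udp bootps, 68/udp bootpc) are IANA's; the interface name eth0 and the rule form are illustrative.

```python
"""Triage ipchains 'Packet log' lines such as the one quoted in this thread.

Added example, not from the original post.  Sample log lines are constructed.
"""
import ipaddress
import re

# Constructed sample input: line 1 mirrors the quoted entry, the rest are
# made up to exercise the other branches.
SAMPLE_LOG = """\
Mar 18 14:29:27 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:67 255.255.255.255:68 L=328 S=0x00 I=21004 F=0x0000 T=128 (#1)
Mar 18 14:31:02 kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:137 10.255.255.255:137 L=78 S=0x00 I=4410 F=0x0000 T=128 (#1)
Mar 18 14:32:45 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4321 198.51.100.2:1080 L=60 S=0x00 I=1 F=0x4000 T=53 (#1)
Mar 18 14:33:10 kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4322 198.51.100.2:22 L=60 S=0x00 I=2 F=0x4000 T=53 (#1)
"""

# ipchains log layout: chain action iface PROTO=n src:sport dst:dport L=len ... T=ttl
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) .*?T=(?P<ttl>\d+)"
)

IP_HDR_LEN = 20        # IPv4 header without options
UDP_HDR_LEN = 8
BOOTP_MIN_LEN = 300    # RFC 1542: BOOTP/DHCP messages are commonly padded to 300 octets
BOOTP_PORTS = {67, 68}           # IANA: 67/udp bootps (server), 68/udp bootpc (client)
NETBIOS_PORTS = {137, 138, 139}
SOCKS_PORT = 1080
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True for addresses in the three RFC 1918 private blocks."""
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ttl"):
        d[k] = int(d[k])
    return d


def classify(fields):
    """Tag parsed fields with a category and the checks discussed in the thread."""
    src = ipaddress.ip_address(fields["src"])
    dst = ipaddress.ip_address(fields["dst"])
    proto, sport, dport = fields["proto"], fields["sport"], fields["dport"]

    if proto == 17 and sport in BOOTP_PORTS and dport in BOOTP_PORTS:
        category = "bootp/dhcp"
    elif sport in NETBIOS_PORTS or dport in NETBIOS_PORTS:
        category = "netbios"
    elif proto == 6 and dport == SOCKS_PORT:
        category = "socks"
    else:
        category = "other"

    result = dict(fields)
    result["category"] = category
    # Private source: nobody routes it back to an owner, so whois cannot help.
    result["src_rfc1918"] = is_rfc1918(src)
    # Routers do not forward the limited broadcast: the sender is on our segment.
    result["local_segment"] = dst == LIMITED_BROADCAST
    # For UDP, payload left after IP+UDP headers; 300 is the padded BOOTP size.
    result["udp_payload_len"] = (
        fields["length"] - IP_HDR_LEN - UDP_HDR_LEN if proto == 17 else None
    )
    result["looks_like_padded_bootp"] = (
        category == "bootp/dhcp" and result["udp_payload_len"] == BOOTP_MIN_LEN
    )
    return result


def classify_log(text):
    """Classify every ipchains log line in text, skipping lines that do not parse."""
    return [classify(f) for f in map(parse_line, text.splitlines()) if f]


def suggest_ingress_rules(results, iface="eth0"):
    """ipchains DENY rules (with logging) for each RFC 1918 source block seen, deduplicated."""
    seen = []
    for r in results:
        src = ipaddress.ip_address(r["src"])
        for net in RFC1918:
            if src in net and net not in seen:
                seen.append(net)
    return [f"ipchains -A input -i {iface} -s {net} -j DENY -l" for net in seen]


if __name__ == "__main__":
    results = classify_log(SAMPLE_LOG)
    for r in results:
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} {r["category"]} '
              f'rfc1918_src={r["src_rfc1918"]} local={r["local_segment"]}')
    for rule in suggest_ingress_rules(results):
        print(rule)
```

Run it over /var/log/messages instead of the constructed sample and the RFC 1918 entries with a limited broadcast destination are the segment's own DHCP chatter; the rules it prints just make the kernel drop them quietly at the interface rather than logging each one as a hostile scan.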