Hi,

On Fri, 8 Jul 2005 15:46:42 +0100 Michael Thompson <[EMAIL PROTECTED]> wrote:

> > > Any one got any ideas?
> >
> > you could just try blackholing the IP at your firewall, or as I've
> > already mentioned - try and contact your ISP with all you know and see
> > if they can shed any light on it - it's possibly a compromised box.
>
> It is firewalled, and blacklisted. Has been for months. I am just curious as
> to why it is coming back to me.

Well, two possibilities.

1.) the packets are already mirrored at your own box
2.) the packets are mirrored at the target box

I guess it's #2; you can find out by tcptracing the wire.

If I were to reproduce this behaviour of the remote box I'd set up an iptables rule with the "MIRROR" target. See "man iptables" for an explanation.

This may be some scare tactics to irritate the support persons in charge of managing the network - and has, according to your notes, proven to work for that :-)

My interpretation is: hacked box, shell services running on UDP 161, mirroring everything else to scare people :-) I think they've chosen the SNMP port to hide their traffic, maybe to get through some firewalls.

-hwh
--
gentoo-user@gentoo.org mailing list
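Added example (not part of the mail thread above): a small script that does the "tcptracing the wire" check hwh suggests, i.e. decides whether the traffic coming back is a reflection of your own packets. A box reflecting packets (an iptables MIRROR-style setup, or any equivalent) sends back your own packet with source/destination addresses and ports swapped and the payload untouched, whereas a real service answers with a different payload. The packet records and addresses below are constructed for the example; in practice you would fill the list from a capture (e.g. `tcpdump -nn -w cap.pcap host <remote ip>` read with a pcap library), which this example does not include.

```python
"""Spot reflected ("mirrored") packets in a capture.

Added example, not from the original mailing-list post.
Each record is a constructed tuple (time, src, sport, dst, dport, payload).
A packet is counted as mirrored when an earlier packet went out in the
opposite direction with the same ports swapped and an identical payload.
"""
from collections import defaultdict

# Constructed sample: local box 10.0.0.5 talks to 192.0.2.10 (both are
# assumed, documentation-range addresses).  Ports 80 and 22 are reflected
# back unchanged; port 161 answers with a genuinely different payload.
SAMPLE = [
    (0.000, "10.0.0.5", 40001, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n"),
    (0.021, "192.0.2.10", 80, "10.0.0.5", 40001, b"GET / HTTP/1.0\r\n"),   # reflected
    (0.100, "10.0.0.5", 40002, "192.0.2.10", 22, b"SSH-2.0-OpenSSH\r\n"),
    (0.118, "192.0.2.10", 22, "10.0.0.5", 40002, b"SSH-2.0-OpenSSH\r\n"),  # reflected
    (0.200, "10.0.0.5", 40003, "192.0.2.10", 161, b"\x30\x26\x02\x01\x00"),
    (0.230, "192.0.2.10", 161, "10.0.0.5", 40003, b"\x30\x29\x02\x01\x00"),  # real reply
]


def find_mirrored(packets, local_ip, window=1.0):
    """Return [(outbound_index, inbound_index)] for packets that came back
    as an exact reflection within `window` seconds."""
    pending = defaultdict(list)   # reflection key -> [(time, index), ...]
    hits = []
    for i, (t, src, sport, dst, dport, payload) in enumerate(packets):
        if src == local_ip:
            # Key is what a reflected copy of this packet would look like.
            pending[(dst, dport, src, sport, payload)].append((t, i))
        elif dst == local_ip:
            queue = pending[(src, sport, dst, dport, payload)]
            # Forget outbound packets that are too old to be reflected now.
            queue[:] = [(t0, j) for t0, j in queue if t - t0 <= window]
            if queue:
                hits.append((queue.pop(0)[1], i))
    return hits


def classify_ports(packets, local_ip):
    """Map each remote port we heard from to 'mirrored' or 'replied'.
    (If a port does both, the last packet seen decides.)"""
    mirrored_in = {i for _, i in find_mirrored(packets, local_ip)}
    verdict = {}
    for i, (t, src, sport, dst, dport, payload) in enumerate(packets):
        if dst != local_ip:
            continue
        verdict[sport] = "mirrored" if i in mirrored_in else "replied"
    return verdict


if __name__ == "__main__":
    for out_idx, in_idx in find_mirrored(SAMPLE, "10.0.0.5"):
        print(f"packet {out_idx} was reflected as packet {in_idx}")
    print(classify_ports(SAMPLE, "10.0.0.5"))
```

If most remote ports come back as `mirrored` while one (here 161) actually `replied`, that is the pattern hwh describes: one real listener and everything else bounced back at the sender. Note that the iptables MIRROR target named in the mail no longer ships in mainline kernels, so reproducing the behaviour today takes other means; the check above does not depend on how the remote side does the reflecting.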