
Re: Tracking down IP's



Lo, on Sunday, December 31, JD Kitch did write:

> Can anyone tell me what this person is looking for here, and how I
> can find out where this is coming from?
> 
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
> Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)
> Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127 (#43)
> Dec 31 11:07:06 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7716 F=0x0000 T=127 (#43)
> Dec 31 11:07:13 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7724 F=0x0000 T=127 (#43)
> Dec 31 11:07:19 tower kernel: Packet log: output REJECT eth0 PROTO=17 xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7725 F=0x0000 T=127 (#43)
> 
> I've been unable to track it down.  I've had pages and pages of this
> every hour since early yesterday, always coming from the same IP, to
> the same port.

Someone (xx.xx.xx.xx) is poking at your SNMP port.

Use /etc/protocols to map from PROTO=17 to udp, and then /etc/services to
map from 161/udp to SNMP.  (For those who don't know, SNMP (Simple Network
Management Protocol) is a protocol system originally intended for
monitoring and administering networked devices remotely.)

I'm having to guess, based on RFC 760, but I think the other fields are:

* L: packet length
* S: type of service -- see RFC 760
* I: identification #; aids in reassembling fragments
* F: fragment offset, possibly with the IP flags thrown in?
* T: time to live.
* and I don't know what (#43) represents.

(If someone knows better, I'd love to hear corrections.)  These are most
probably not relevant here.

Did you change your IP address in the above report?  IIRC, 172.16.*.* is
a block of private addresses.  Packets to this address should be dropped
automatically by an upstream router.  My guess, therefore, is that these
transmissions are coming from somewhere else in your network---probably a
misconfigured SNMP manager who thinks you're an agent.

If it's *not* somewhere else in your network, then to try to find out where
it's coming from, do an nslookup on the source IP (the address you've
blocked out) to get its domain, then try doing a whois lookup on that
domain to see who's responsible for it.  (And bug your sysadmins to drop
packets coming in from outside your network addressed to the private
address ranges.)

For example, try typing `whois gmx.net' to see the kind of information you
should be able to get.

HTH,

Richard
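An added example (not part of Richard's reply or the original thread): a small Python parser for the ipchains "Packet log:" lines quoted above that performs the PROTO and port lookups he describes and flags a destination inside private address space. The PROTOCOLS/SERVICES tables are constructed stand-ins for /etc/protocols and /etc/services, and 192.0.2.77 is a documentation address standing in for the masked source.

```python
import ipaddress
import re
from collections import Counter

# Offline stand-ins for /etc/protocols and /etc/services (constructed; read the real files in use).
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}
SERVICES = {("udp", 161): "snmp", ("udp", 162): "snmp-trap", ("tcp", 22): "ssh"}

# Field layout of an ipchains "Packet log:" line; the trailing (#N) is kept as an opaque tag.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-f]+) I=(?P<ident>\d+) "
    r"F=(?P<frag>0x[0-9a-f]+) T=(?P<ttl>\d+)(?: \((?P<tag>#\d+)\))?",
    re.IGNORECASE,
)

def parse_packet_log(line):
    """Decode one log line into a dict, or return None if it is not a packet log."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ident", "ttl"):
        rec[k] = int(rec[k])
    rec["tos"], rec["frag"] = int(rec["tos"], 16), int(rec["frag"], 16)
    rec["proto_name"] = PROTOCOLS.get(rec["proto"], str(rec["proto"]))  # 17 -> udp
    rec["service"] = SERVICES.get((rec["proto_name"], rec["dport"]), "unknown")  # 161/udp -> snmp
    # RFC 1918 space (172.16/12 included) should not be reachable from outside the site.
    rec["dst_private"] = ipaddress.ip_address(rec["dst"]).is_private
    return rec

def summarize(lines):
    """Count REJECTed packets per (src, dst, dport, service) to expose a repeating source."""
    counts = Counter()
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["action"] == "REJECT":
            counts[(rec["src"], rec["dst"], rec["dport"], rec["service"])] += 1
    return counts

# Constructed sample in the thread's format; 192.0.2.77 (a documentation address) replaces the masked source.
SAMPLE = [
    "Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 "
    "192.0.2.77:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)",
    "Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 "
    "192.0.2.77:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)",
    "Dec 31 11:07:00 tower kernel: unrelated message",
]
```

Calling summarize(SAMPLE) yields a single entry of two rejected udp packets from 192.0.2.77 to 172.16.72.113:161 (snmp), with dst_private set on each decoded record; pointed at a real log it collapses "pages and pages" of lines into one row per source and target.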


