Re: Strange attacks in my log
Hi.
On Thu, Feb 21, 2019 at 10:29:49AM +0100, Hans wrote:
> Hi folks,
>
> I discovered some strange log entries, which are created by "portsentry" (a tool for
> wathing port accesses).
>
> It looks like whenever I insert an USB-drive or a SD-Card, the own system wants to
> access on an UDP-Port (69 or 161).
udp:69 is TFTP.
udp:161 is SNMP.
I can understand udp:161. One of the functions of snmpd is filesystem
monitoring, and you have this scanbd thing that implies SANE that
implies snmpd.
But establishing TFTP session 'just because' is weird.
> It tries also to access all other computers in the network.
Broadcast, unicast, or ...?
> This looks strange for me, because I can not reproduce, why inserting a memeory
> device, network activies are started.
>
> With wireshark I could see, this is "BJNP" (whatever this means)
Curious. Can you share a this network dump in pcap format?
As in,
tcpdump -s0 -w /tmp/69_161.pcap -ni any udp port 69 or udp port 161
> Same happens, when pulling the USB-stick or the sd-card out.
>
> This is, what is in the log:
>
> ---------------- snip ----------
>
> Feb 21 10:14:39 localhost udisksd[13607]: g_object_unref: assertion'G_IS_OBJECT
> (object)' failed Feb 21 10:14:44 localhost scanbd: /usr/sbin/scanbd: no devices, not
> starting any polling thread
Useless
> Feb 21 10:14:47 localhost portsentry[6172]: attackalert:
> Connect from host: 192.168.2.117/192.168.2.117 to UDP port: 161
So it's a local SNMP connection, if I get it right?
Reco
Reply to: