Re: Strange attacks in my log
Hi.
On Thu, Feb 21, 2019 at 11:42:58AM +0100, Hans wrote:
> On Thursday, 21 February 2019, 11:19:08 CET, Reco wrote:
> Hi Reco (and all others),
>
> sure, I attached the wireshark pcap. There is nothing secret in it.
That's interesting. The aforementioned pcap does not contain udp:69, but it
does contain broadcast udp:161 (src: 192.168.2.117 dst:
255.255.255.255), requesting three OIDs via SNMP v2c:
$ snmptranslate -mALL .1.3.6.1.2.1.1.1.0
RFC1213-MIB::sysDescr.0
$ snmptranslate -mALL .1.3.6.1.2.1.1.2.0
RFC1213-MIB::sysObjectID.0
$ snmptranslate -mALL .1.3.6.1.2.1.2.2.1.6.1
RFC1213-MIB::ifPhysAddress.1
A hint. One should not (ab)use SNMP this way. Even if you're doing
device discovery - you're doing it wrong by sending SNMP to broadcast.
That explains why your other hosts see this, though.
> However, I know what the ports are for, but it is not understandable to me
> why networking protocols are started when I just put a stick into
> the required slot. And these devices are still not mounted! There is no sense,
> IMO, why the computer is scanning the network at all.
There can be an explanation, though, but Wireshark/tcpdump is not
suitable to get it.
Install auditd.
Invoke "auditctl -a always,exit -S connect".
Insert any USB stick.
Invoke "auditctl -D" to clear the rules.
All the answers should be waiting for one at /var/log/audit/audit.log
Reco
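The auditd recipe in the message above leaves you with SYSCALL/SOCKADDR record pairs in which the destination is only a hex blob (saddr=...). The following decoder is an added example, not Reco's code or anything posted in the thread: it reads a constructed audit.log excerpt (process names, PIDs and paths are made up; event 4711 mirrors the pcap's broadcast udp:161 destination), joins the SYSCALL and SOCKADDR records by event serial, decodes the sockaddr, and reports which process called connect() towards a broadcast or multicast address. It assumes x86_64 (arch c000003e, where connect is syscall 42), the raw struct sockaddr layout the kernel logs for AF_INET/AF_INET6, and only the Python standard library.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed excerpt of /var/log/audit/audit.log as written while the rule
# "auditctl -a always,exit -S connect" is active. Event 4711 mirrors the pcap
# from the thread (udp:161 to 255.255.255.255); event 4712 is an ordinary
# unicast connect for contrast. Process names, PIDs and paths are made up.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1550745778.123:4711): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffc1b2c3d40 a2=10 a3=0 items=0 ppid=1 pid=2342 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="example-discovery" exe="/usr/bin/example-discovery" key=(null)
type=SOCKADDR msg=audit(1550745778.123:4711): saddr=020000A1FFFFFFFF0000000000000000
type=PROCTITLE msg=audit(1550745778.123:4711): proctitle="example-discovery"
type=SYSCALL msg=audit(1550745779.456:4712): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffc1b2c3d40 a2=10 a3=0 items=0 ppid=1 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key=(null)
type=SOCKADDR msg=audit(1550745779.456:4712): saddr=02000050C0A802010000000000000000
"""

EVENT_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# connect(2) numbers differ per architecture; c000003e is x86_64, where it is 42.
CONNECT_SYSCALL = {"c000003e": "42"}
KNOWN_PORTS = {161: "snmp", 162: "snmp-trap", 69: "tftp"}


def parse_fields(rest: str) -> Dict[str, str]:
    """Split the key=value tail of an audit record; strips quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}


def decode_saddr(hexstr: str) -> Optional[Dict[str, object]]:
    """Decode the saddr= hex blob of a SOCKADDR record into family/addr/port.

    The kernel logs the raw struct sockaddr: sa_family is a host-order
    (little-endian on x86) 16-bit value, the port is in network order, and for
    AF_INET6 the address starts at offset 8 (after sin6_flowinfo).
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2:
        return None
    family = int.from_bytes(raw[0:2], "little")
    if family == 2 and len(raw) >= 8:          # AF_INET
        return {"family": "AF_INET",
                "port": int.from_bytes(raw[2:4], "big"),
                "addr": str(ipaddress.IPv4Address(raw[4:8]))}
    if family == 10 and len(raw) >= 24:        # AF_INET6
        return {"family": "AF_INET6",
                "port": int.from_bytes(raw[2:4], "big"),
                "addr": str(ipaddress.IPv6Address(raw[8:24]))}
    return {"family": f"af_{family}", "port": None, "addr": None}


def is_broadcast_or_multicast(addr: str) -> bool:
    """Limited broadcast (255.255.255.255) or any IPv4/IPv6 multicast address."""
    ip = ipaddress.ip_address(addr)
    return ip.is_multicast or addr == "255.255.255.255"


def find_connects(log_text: str) -> List[Dict[str, object]]:
    """Join SYSCALL and SOCKADDR records by event serial and summarise connects."""
    events: Dict[str, Dict[str, Dict[str, str]]] = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events[m["serial"]][m["type"]] = parse_fields(m["rest"])

    findings: List[Dict[str, object]] = []
    for serial, recs in events.items():
        sc, sa = recs.get("SYSCALL"), recs.get("SOCKADDR")
        if not sc or not sa or "saddr" not in sa:
            continue
        # Only keep events whose syscall is connect() for the logged arch.
        if sc.get("syscall") != CONNECT_SYSCALL.get(sc.get("arch", "")):
            continue
        dst = decode_saddr(sa["saddr"])
        if not dst or dst["addr"] is None:
            continue
        findings.append({
            "serial": serial,
            "pid": sc.get("pid"),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "dst": dst["addr"],
            "port": dst["port"],
            "service": KNOWN_PORTS.get(dst["port"], "?"),
            "suspicious": is_broadcast_or_multicast(dst["addr"]),
        })
    return findings


if __name__ == "__main__":
    for f in find_connects(SAMPLE_AUDIT_LOG):
        flag = "BROADCAST/MULTICAST" if f["suspicious"] else "unicast"
        print(f"event {f['serial']}: pid {f['pid']} {f['comm']} ({f['exe']}) "
              f"-> {f['dst']}:{f['port']} [{f['service']}] {flag}")
```

Run it against a real log by replacing SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log captured between the two auditctl invocations; the exe= field of the flagged event names the program that sent the broadcast SNMP request, which is the answer the message above says the log holds. Adding a rule on sendto (the UDP path that does not go through connect) in the same way covers programs that never call connect() at all.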