Security Incidents mailing list archives
Re: Strange Happenings @Home
From: chris.wilson () ESECURITYINC COM (Chris Wilson)
Date: Thu, 1 Jun 2000 17:56:24 -0400
Hi Fred,

The bootp stuff is typically other @Home users getting their IP addresses via DHCP. Your firewall blocks and logs because the DHCP requests are sent to the subnet's broadcast address, forcing your firewall to process them.

The high-numbered port hits could be scans for backdoor trojans; sometimes doing a web search for the port number reveals a lesser-known backdoor program.

For the 192.168.x.x addresses, try doing a traceroute to them to see if it's just an internal subnet in the @Home intranet (likely, assuming you can get a route to them).

I see a lot of all of the above in my Linux firewall logs on my Roadrunner cable modem account at home, except the nonroutable addresses are typically 10.0.x.x (and appear to be internal Roadrunner network devices).

Just my $.02....

-Chris

Christopher Wilson
e-Security, Inc.
700 S. Babcock St., Suite 200
Melbourne, FL 32901
Email: chris.wilson () esecurityinc com
Web: http://www.esecurityinc.com/
PGP Fingerprint: 3D85 E2DF 369F E7AA 0859 737E 2E4F 768A D600 9B25

-----Original Message-----
From: Fred Hirsch [mailto:fhirsch () TSE COM]
Sent: Tuesday, May 30, 2000 10:29 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: [INCIDENTS] Strange Happenings @Home

[snip]
From what I can tell, many of these denied packets are on ports 67 and 68, which according to my /etc/services is bootp. Is there a reason why someone would run a bootp server on an @Home network?

Additionally, I receive a number of high level port hits from many anonymous IPs. Do game servers such as Quake browse around through subnets looking for replies? Because this seems to be the activity I am seeing. I do not see any typical ports for BO or other Windows-based subversions.

Many of the IPs floating in my logs are not in the @Home subnet which I belong to. I also see a lot of local network IPs like 192.168.x.x trying to hit the firewall as well.

[snip]
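
The triage described in the reply above, sketched as an added example that is not part of the original thread: it sorts denied-packet log lines into DHCP broadcast noise, non-routable (RFC 1918) sources, and unsolicited high-port hits. The log format, the sample lines, the local subnet 198.51.100.0/24 and the names `classify` and `summarize` are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the firewall's own subnet (a documentation range, not from the thread).
LOCAL_NET = ipaddress.ip_network("198.51.100.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCASTS = {ipaddress.ip_address("255.255.255.255"), LOCAL_NET.broadcast_address}
# Constructed log format and sample lines, not the output of any particular firewall.
LINE = re.compile(r"DENY (tcp|udp) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
SAMPLE_LOG = """\
DENY udp 0.0.0.0:68 -> 255.255.255.255:67
DENY udp 198.51.100.1:67 -> 255.255.255.255:68
DENY tcp 192.168.100.1:1034 -> 198.51.100.57:80
DENY udp 10.0.3.1:520 -> 198.51.100.255:520
DENY tcp 203.0.113.9:4021 -> 198.51.100.57:54321
DENY udp 203.0.113.20:27960 -> 198.51.100.57:27960
DENY tcp 203.0.113.9:4022 -> 198.51.100.57:23
"""

def classify(line):
    m = LINE.match(line.strip())
    if not m:
        return "unparsed"
    proto, src, sport, dst, dport = m.groups()
    try:
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return "unparsed"
    sport, dport = int(sport), int(dport)
    # DHCP/bootp: UDP between ports 67 and 68, sent to a broadcast address.
    if proto == "udp" and {sport, dport} == {67, 68} and dst in BROADCASTS:
        return "dhcp-broadcast"
    # Non-routable source: worth a traceroute to see whether it is ISP-internal.
    if any(src in net for net in RFC1918):
        return "private-source"
    # Unsolicited hit on an unprivileged port: look the port number up.
    if dport >= 1024:
        return "high-port"
    return "other"

def summarize(log):
    return Counter(classify(l) for l in log.splitlines() if l.strip())

if __name__ == "__main__":
    for entry in SAMPLE_LOG.splitlines():
        print(f"{classify(entry):15} {entry}")
    print(dict(summarize(SAMPLE_LOG)))
```
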