Security :: Trace Route From Home Showing Suspicious Hop Just Outside LAN?
Mar 15, 2011
I know this post isn't strictly linux based, but since the system in question appears to be using Linux and I am as well I decided to post this here. In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP the second hop from my house jumped through a connection on IP 24.96.153.61 which I think should only be another dynamic IP Knology.net customer...
In scanning the IP I now know that it's a Juniper Junos Router 9.2R1.10 (Probably running on some VMware based on googling?) Open ports show: 22 ssh OpenSSH 4.4 v. 1.99; 23 telnet Openwall GNU/*/Linux telnetd
At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...
Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on? Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?
View 5 Replies
Dec 4, 2009
I've got a few systems which forward ports to one another all over the place, and somewhere along the line a port forward fails. I want to trace the route of a connection on a specific port to see where the connection hits a wall, to see what system is causing the problem. I've tried `traceroute -T -p <port>` but it doesn't output anything about the ports it hits, stops when it hits the address I supplied even though it is forwarded elsewhere, and there doesn't seem to be a verbose mode. Interestingly, if I specify a different source port via the '-s' option, the trace keeps hopping to * * * * and never gets anywhere (at least to 27 hops, then I CTRL+C).
View 6 Replies
Sep 19, 2010
I have been unable to access my BT Home Hub from another (external) IP address recently. I did a trace route to see what is happening to the connection and got the following.
It bounces around as it gets out of my office's network and then seems to get to BT's servers, and then I get stars. What does that mean?
1 - 8 bouncing round office network:
9 linx3.ukcore.bt.net (195.66.224.11) 19.405 ms 19.424 ms 19.381 ms
10 core2-pos0-1-5-0.ilford.ukcore.bt.net (62.6.201.121) 20.774 ms 21.099 ms 19.986 ms
[Code].....
View 4 Replies
Mar 18, 2010
What is the most harmful thing a malware program started as a separate limited user account can do if it has access to the X server? Network and filesystem things are already considered by chroot and netfilter.
It obviously can lock the screen and I will need to switch to another VT and kill it manually. Can it, for example, disrupt other GUI programs on the same X server (access a root terminal in a nearby window)?
I know that it is safer to run it in a separate X server, for example in Xtightvnc or even some virtual machine, but how dangerous is it to just run it like other programs?
View 3 Replies
Aug 10, 2010
I got this warning in the log of rkhunter:
Checking /dev for suspicious file types [ Warning ]
[13:37:16] Warning: Suspicious file types found in /dev:
[13:37:16] /dev/shm/pulse-shm-43136623: data
[code]....
View 2 Replies
Apr 1, 2010
I have been running rkhunter but how do I view the /var/log/rkhunter.log? I have tried using: sudo /var/log/rkhunter.log but all I got was "Command not found"?
View 6 Replies
Dec 8, 2010
I come to Ubuntu with the notion that it is much more secure than Windows. In XP I had an anti-virus, third-party firewall and sundry softwares against spybots, rootkits etc. The antivirus blocked the suspicious web pages while browsing. I generally avoided public networks, carrying a portable internet device. Do I need similar stuff with Ubuntu?
View 9 Replies
Aug 1, 2010
I ran a chkrootkit scan and found this: The following suspicious files and directories were found: /usr/lib/pymodules/python2.6/.path, /usr/lib/xulrunner-1.9.2.8/.autoreg, /usr/lib/firefox-3.6.8/.autoreg, /usr/lib/jvm/.java-6-openjdk.jinfo
How do I get rid of this suspicious file?
View 4 Replies
Apr 12, 2011
I have suspicious requests in my haproxy logs from multiple sources to the same target. I could deny them in /etc/hosts.deny, but there are too many to keep track of. Is there a way to deny all requests to a specific target either in haproxy or through iptables?
Here's an example of the request: Apr 12 15:11:37 127.0.0.1 haproxy[28672]: 41.105.42.150:27072 [12/Apr/2011:15:11:37.315] web_servers frontend_farm/######## 3/0/1/1/169 404 1073 - - --NI 3/3/2/1/0 0/0 "GET /images/comment_icon.gif HTTP/1.1"
I've commented out my amazon instance id for security purposes. The request is for comment_icon.gif which does not exist. All requests go to that. The source IPs are from different countries as well. Blocking a certain country won't work either. Basically, if there was a way to send all requests for comment_icon.gif to /dev/null or something it would work.
View 2 Replies
Jan 3, 2011
My server is probably hacked and sending spam emails. I see them randomly in maillog (/usr/local/psa/var/log/maillog, server has a Plesk panel), sometimes a few in a long time, sometimes a lot of them. Here is a sample of it:
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: Handlers Filter before-remote for qmail started ...
Jan 4 00:47:08 acv360 qmail-remote-handlers[17662]: from=root@acv360.com
[code].....
View 7 Replies
Dec 2, 2010
I manage a dedicated webserver running OpenSuse 11 which is currently hosting about 30 sites. I have never had any big problems until these last 2-3 months. One site after the other was being hacked and the unwanted visitor installed all kind of php shell scripts followed by torrent servers, ... etc. All hacked sites were sites using Joomla, so what I did was to close down those sites one by one. Well, I guess we all know Joomla is not a great solution if you just install it out of the box like those users were doing.
When trying to trace the intruder only some African junk IPs and IPs from a company selling VPN connections thru PayPal show up (yeah great, love those guys ... do they really think that serious VPN users will pay with PayPal). I checked all Apache and FTP logs (yes, he even managed to get some FTP login) but only those damn 'proxy' IPs come up. The weird thing is that the guy seems to know how the server was 'built' since he manages to copy stuff from one site to the other. That is why I am suspecting someone who worked for a client's company, but I need proof. One way would be to let him hack a site and try to feed him something that would make him traceable, but what?
View 9 Replies
Jan 20, 2010
I am using Pidgin for Google chat. Is it possible to know the IP of the person I am chatting with?
View 4 Replies
Dec 30, 2008
I fear that an attack or an entry into my PC has occurred. How do I find the traces of the attacks?
View 3 Replies
Sep 21, 2010
Is there anything suspicious about this auth.log? I find the many CRON outputs and the part with gconftool weird. Also, why don't I have the permission to view "/var/log/btmp1". It has never happened before.
I'm using GNOME's log viewer.
[Code]...
View 2 Replies
Oct 19, 2010
I am investigating solutions to trace a file deletion on a computer (Linux O/S). I also need to determine whether, after a file deletion or download on a computer, the computer clock has not been modified. In case a file has been downloaded on a computer and then transferred to a removable device, I need to find out the file activity. I mean I should be able to tell that the file was downloaded and transferred to a device with possible specifications.
View 2 Replies
Jan 18, 2010
I am trying to route a security video server which is inside my network to the internet. My network has two interfaces: eth0 (internet network xxx.xxx.xxx.198) and the internal network (192.168.5.1).
I am trying to see a web server on 192.168.5.184.
View 2 Replies
May 8, 2011
I have 3 network interfaces on my Linux Router :
Interface - Gateway - Type
Code:
br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default
route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed, using the following commands:
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300
First of all, --dport 80 never works... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seem to be HTTP packets... oO (very strange...). Nevermind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0; they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
View 4 Replies
Sep 19, 2010
I just upgraded my home machine to 11.2 and am running the regular Firefox 3.6.10 for openSUSE-11.2 (why can I still not cut and paste that info from the dialog box, grr).
My home page is set to - file:///home/dhoworth/public_html/localstart.html
But when Firefox starts it shows instead a directory listing of - file:///home/dhoworth/
If I then press the home button, it shows my home page. If I start a new window from an existing one, it shows my home page.
Why isn't it shown on startup?
View 2 Replies
Jun 15, 2010
I have read that to improve security in Ubuntu a good fix is to make the /home folder tree non-executable by default. This would mean that malware could not run in the /home tree without changing the setup. Is this a viable change, or is it just icing on the cake? Anyone have any thoughts on this?
View 9 Replies
Jul 8, 2010
I have a Lucid Lynx server running with a 6 GB for /home and a data partition of 400 GB mounted inside home (/home/user/data). The data partition is shared through SAMBA for access by other windows machines on the network. However, the capacity of the samba share shows up only as 6 GB (or less) while the actual capacity is 400 GB. I am assuming that this because it is mounted within the home partition. I understand that 400 GB is still available even though the SAMBA drive shows only 6 GB (or less) capacity.
The problem is, I am trying to set up Windows 7 Backup and Restore on one of my laptops. The backup stops with an error that the network drive does not have enough disk space. I think that this is because the samba drive only shows up as 6 GB or less capacity even though it can store more.
How do I fix this problem? How can I see the actual size of the SAMBA drive (in my case 400 GB) instead of the remaining space in the /home partition? I know I can reformat my drive and make my /home 400 GB. But I am not sure if this will fix the problem. However, I would prefer to do this without formatting.
View 1 Replies
Mar 14, 2011
Today I uninstalled Zimbra desktop from my Ubuntu 10.04. After doing it, I am facing several problems due to changes in system configuration.
My Home Folder contents are shown on Desktop and if I delete them from Desktop, they are also deleted from the Home Folder. I don't understand why this is happening.
Also, from the side pane in Explorer, the option of Home Folder is not present any more. Whenever I go to Home Folder, the side pane shows that I am on Desktop and the location bar shows that I am in Home Folder.
View 9 Replies
Apr 29, 2009
I would like to add a static route, however I do not understand what is meant by the Address setting below:
GATEWAY2=10.241.58.62
NETMASK2=255.255.255.224
ADDRESS2=10.241.57.32
Does this mean any addresses beginning with 10.241.57.32 (an address range) are routed over the gateway 10.241.58.62?
View 3 Replies
Jan 31, 2011
- I have Fedora 13 installed on my laptop
- My home folder, when opened, shows busy
- No contents are displayed
- Recently I have installed Dropbox
View 2 Replies
Jan 9, 2010
My usually blank and happy background suddenly lists the things in my home directory. Well, it has icons for them. I have tried the gconf-editor, apps->nautilus->desktop drill, but the stuff is still there. Showed up suddenly about a day ago.
View 9 Replies
Dec 17, 2010
It's showing this type of log: )t(t)e(e)x(x)(t)t(<Shift>)(<Shift>)^[[3;2~(KP.)^[[3;2~^[[3;(<Del>)(<Del>)(<Del>
View 2 Replies
Oct 21, 2010
I got this definition: "a process that replaces a series of related, specific routes in a route table with a more generic route." Honestly I found it not so clear. I want to know if this definition is correct and also more details about this subject.
View 1 Replies
Jan 25, 2011
Having trouble getting my Netgear WNA1000 working thru a wireless router. Have tried lots of suggestions from other threads to no avail. Someone suggested that the routing table isn't set correctly, so have been trying to use the following to make the proper entry in the routing table: sudo route add -net 192.168.0.1 netmask 255.255.255.0 dev wlan0
Result: error message starting with:
"route: netmask does not match route address"
followed by "Usage" instructions which tell me to do what I just did. Any ideas on how I can populate my routing table with the correct entry for my wireless card? Not to complicate matters, but I temporarily turned off encryption on my router to eliminate that as a possibility until I get connected. So maybe it's still trying to connect via encrypted mode. Do I need to turn off encryption on my (client) end?
View 2 Replies
Sep 30, 2010
I'm running the Firestarter firewall and it's been showing the odd ssh attempt quite often. e.g. I've had 4 attempts today, 3 in the last 40 mins. I realize that this may be nothing too serious but it's got me curious: aside from having a secure password (which I have), is there anything else that I can do to ensure that my system is as secure as possible from ssh? I do use ssh within my home network so I don't want to disable it completely.
View 9 Replies
Apr 27, 2011
I just installed Firestarter firewall and it is showing me 12 serious inbounds after an hour. Is it a serious matter? What should I do?
View 3 Replies
Feb 26, 2010
I am running Firestarter on Ubuntu 9.10 64 bit. I have noticed several times that after closing all web apps (Firefox, Thunderbird) some entries remain under the heading "Active connections" on the Firestarter "Status" tab. Often these show no source program. Currently I have 2 showing which show Firefox as the source. These persist after Firefox is shut down. I have verified that no Firefox process is running. And both of the IPs point to Google. I have disconnected eth0 and they still show. I have logged out and back in and they still show. I must reboot the machine to make these entries go away. Which makes me think perhaps this is a bug in Firestarter(?) Is there another way I can identify truly active connections?
View 2 Replies