Ubuntu Security :: NMap Lists Unknown Local IP Address
Jul 18, 2010
I wouldn't call myself paranoid, but I do try to keep reasonably secure on my home network (WPA encryption, router firewall, etc.). I also occasionally use nmap to make sure I don't see any unknown computers logged into my network. The problem is I have five computers that all use DHCP on the network and they are not all up all of the time. At most, there are two to three online at any one time.
So, my question is: Do any of the IP addresses remain in the router's database for a computer that has gone offline (shutdown)?
The reason for my question is that today I ran nmap on my home network and noted an IP address that was not currently up on the network. It is, however, an address that is frequently assigned to one of the computers when it is online, but that address was not up at the time I ran nmap. Just trying to make sure my network is not being used by some nearby computer.
This is a transcript I get emailed at least once every day, usually about 3 to 10 a day recently.
Transcript of session follows. SMTP server: errors from unknown[ip address] <boring stuff snipped> In: RCPT TO: <server@my domain> Out: 550 5.1.1 <server@my domain>: Recipient address rejected: User unknown in local recipient table
Session aborted, reason: lost connection Now I cannot seem to find anything via Google, as when I put "server@" anywhere in the string, I just get web hosting or other kroomst. The emails usually come from legit places, usually hotels. Does this mean they are sending bad emails, i.e. they have a Trojan/worm, or is this a live hack attempt?. I believe the later, as I might get upto 3 domains from the one ip address, which is always, NOT associated with the listed domain. Not causing me any issues, except I have been getting a lot recently.
A scan on my computer reported as up many local ips which simply does not exist in my network. This host is supposed to have ip 192.168.0.4, but all other ip should not be there. I have a USB modem connected to a Linux box, connected itselfs to a wifi linksys router and thats it.
# nmap -sP '192.168.*.*' | grep -v down Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2010-11-18 21:46 CET Host 192.168.0.4 appears to be up. Host 192.168.7.27 appears to be up. Host 192.168.10.0 appears to be up.
I have a bunch of windows machines connected to a server running samba. I would like to know if there's a way or hopefully a quick command I could type in the terminal that would tell me the machine name and the associated IP address?
If you have been trying to compile & install the new NMAP 5.20 scanning utility as a 64 bit user, you may have run into some issues as I did...The compiler will halt when you attempt to 'make', saying that you need to recompile using -fPIC.The fix: "./configure CXXFLAGS=-fPIC CFLAGS=-fPIC LPFLAGS=-fPIC"then rerun "make".I hope this helps someone, as it took me way longer than it should have to get this going. Enjoy the new versions as it is supposed to have 10,000 updated OS detection signatures and new scripts!
Are there any possible options to archive this w/ the 2.6.34 kernel? I know windows can do this w/ a button and BSD can drop packets when connected to closed ports...is IP personality usable in 2.6? Do I need work-arounds? any more options??Currently I've managed to @%#$ my OS fingerprints so results won't show as Linux.4/2.6...etc, but the problem is.. instead it's got the word "Redhat" in it (which is well... worse... because now.. if someone looks at my machine he/she'll know I am on either RHEL/Fedora )
I am trying to understand why when running nmap against a SonicWALL firewall at a remote location, the SonicWall firewall is saying that most of its 65535 ports are open? I know this cant be correct and remember reading about how some of these network appliances are setup this way to thwart off attacks.
today is my second week using ubuntu , my question is how can i insert malware block list on ubuntu? as my regular win user i always put the list in dirrectory x: winblows system32 drivers etc hosts[URL]
Im an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham set about testing ASLR on linux. Principley I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writting a little concurrent server daemon which accidently on purpose didnt do bounds checking.
I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m causing a delay of 16 seconds as laid out in [URL] Once I hit the delay I new I had found the function and could calculate delta_mmap allowing me to create a standard chained ret-to-libc attack. All of that works fine. However .... To complete my understanding I am trying establish where I can find the standard base address for ubuntu 9 (and other distros) for the following, taken from Shacham:-
Quote:
[code]....
/proc/uid/maps gives me some information but not the base address ldd also gives me the randomised starting address for sections in the user address space but neither gives me the base address. Intrestingly ... when a run ldd with aslr on for over (about) 100 times and checked the start point of libc I determined that the last 3 (least significant) hex digits were always 0's and the fist 4 (most significant) where between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized with bits 11-0 fixed. Although even that doesnt define the boundaries observed correctly.
Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed to could reply from my .ac.uk email address as verification.
this issue which has suddenly occurred on both my Desktop and my Laptop. When I try to configure an IP address to any interface I get the following error....
I get this for ethernet interfaces as well. I do not understand what is different as I was able to configure the ip address only the day before yesterday on the laptop..? The Desktop has had this issue for about 3 weeks now.
On Karmic, every once in a while this error pops up near the notification area at the top right (also see attachment):
Timezone Errors See Error Console: Unknown timezones are treated as the 'floating' local timezone.
But the 'date' command shows the correct date/time and timezone. /etc/timezone is also set correctly. The machine is running ntpd and is connected to the net 24/7 via ethernet. I also don't see any 'timezone' errors in /var/log/* Which software is complaining? What is the "Error Console" it is referring to?
I am running RedHat 9.0 on a VMware on Window XP, I have bridged the network card eth0 such that I can ping the host machine 192.168.45.67 and the Windows XP machines on my LAN.
I managed to set up the samba server on this Redhat 9.0, And I can see the netbios name on my WindowXP: Rhl machines. Now I want to reach the Windows machines vi sambaclient but I get an Ip address that is not on my network -192.168.24.1.I did not set this IP address.
This is the message I get when I run smbclient so that I can reach windows machine when I am on Redhat:
# smbclient //machine name/name of user on windows machine added interface ip=192.168.45.90 bcast=192.168.45.255 nmask=255.255.255.0 Got a positive name query response from 192.168.45.21 (192.168.24.1 192.168.249.1 192.168.45.21 error connecting to 192.168.24.1:139 (Network unreachable) Error connecting to 192.168.24.1 (Network is unreachable) Connection to machine name failed #
My question is Where does 192.168.24.1 IP address come from. Where must I look in order to remove it ( in Linux or Windowx Xp.
I'm having an issue configuring eth0. I'm using ubuntu 8.10 in a virtual machine (VirtualBox). The correct adapter is being used and it has worked in the past. I've tried placing eth0 in dhcp through the GUI and bash, but always get a 169 address or 127.
Running Ubuntu 9.10. In the Remote Desktop config dialog I get: "Your desktop is only reachable over the local network. Others can access your computer using the address 127.0.0.1 or tabatha.local." I understand this means only the loopback ip address is available. All my other machines show their true local ip address (e.g., 192.168.1.104) in this dialog. Thus I cannot log on to this desktop from other machines.
When I try to do a remote logon from another Ubuntu 9.10 box (or from an XP box using a VNC viewer), I get: "Connection to 192.168.1.102 has been closed." What steps are needed to make this machine show its actual ip address? All file sharing between the various machines is working properly and all windows shares back and forth between XP and 'nix, and among the the vaious XP boxes and linux boxes are available as designed.
I have a Fedora box running a domain and a sub domain. It also is the mail server running Postfix and Dovecot. I have created a new user account in the Virtual Alias.conf file and run postfix reload.
"e.g [URL] admin_company"
This new account can send mail internally and externally but cannot receive mail internally and externally. The error message internally is: 5.1.1 <admin@threadneedle.com.pg>: Recipient address rejected: User unknown in virtual alias table
In my sources.list all I can see is online addresses but there is another directory in my pc which has all the sofwares but I don't know how to add its address to sources.list. I need to know the format of how to add it.
I recently setup motion on one of my computers with a USB camera. On that computer if I type [URL] I can see my live video. If however I type [URL] on that computer or any other on my wireless network, I get a page cannot be displayed. I checked that UFW was disabled and I am able to ping the motion computer from any other computer on my network. Also I am not sure if it matters but I do have apache installed on my motion computer as well. why I cant view my live video from different computers I am using Ubuntu 10.4 on all computers
I tried to authenticate using ntlm proxy authentication service and my computer could not retrive the IP address. Currently I am using fedora cammbridge
I need to publish my local webserver from my lan to access outside using internet, I have public ips provided by ISP my local webserver address is 192.168.1.5 and I want to bind this local address to a public ip (Ex: 61.8.153.212) to use it out side my lan through squid.
I started up my computer and suddenly, I saw that there was a new user account. I didn't create it and no one else uses my computer (let alone has access to user account creations). It was called dtc. It didn't seem to have any privileges and the only file in its home folder was called Examples. Should I worry that I might have some kind of malware? I deleted the user and the folder (and it came back after a while). It's main group is dtcgrp. The User ID is 1004.
Is it possible to list/find/compare the program versions on a Centos system, against Redhat/Centos Errata/Security/Bug lists? Sort of looking for a way to make sure that all the packages on a system are ok, and not a security risk-- Without having to update every package. A pseudo code, in my mind is:
how I can define a local static IP address (so that I can run a web server off of the same IP, rather than letting my router DHCP it)?I've tried doing the YaST->Network Devices->Network Settings->Traditional Method with ifup->Set NIC to desired IP->Set Default Gateway to router address method, and afterwards I can't even get into my router anymore (not even responding to ping).
I couldn't find an answer to this question (not including vpn) on different threads so decided to eventually post it, though it's probably easy one. I would like to connect to some application on known IP and port in the internet from my LAN computer. However to do so (I have some application, not any administrative constraints or not being allowed to) I would like to use local addresses. So, let's say - I want to connect to the external host VV.XX.YY.ZZ, port AA using 192.168.EE.FF port BB. Baically so far I have limitation in my application (too many places for possible error, to correct it right now - will change it in future). Is it possible that after my application sends request to 192.168.1.EE port BB, my Linux transparently translates it to VV.XX.YY.ZZ:AA? I tried iptables tutorials and some forums, but nothing seems to be addressing this issue. I don't know if it's event possible with iptables but am pretty sure this should be possible.
