Open Source and information security mailing list archives
 
Message-ID: <CAG5DJwf1FQrOsPioyGYmZpbhWxiWf+eZj5vj=p5mmJfRGt851g@mail.gmail.com>
Date: Fri, 3 Feb 2012 01:04:21 -0800
From: "Zach C." <fxchip@...il.com>
To: james@...o-internet.org.uk
Cc: funsec <funsec@...uxbox.org>, RandallM <randallm@...mail.com>,
	full-disclosure@...ts.grok.org.uk,
	full-disclosure-bounces@...ts.grok.org.uk
Subject: Re: can you answer this?

The original message reads thus:

> i was working with cleaning up "any to any" on fw. ran across inside
> ips doing netbios (NS) , and one using port 4330 to 7.8.0.106, or
> .107.
>
> a who is give .miil DoD Network Information Center.
>
> ?
>
> we are just a manufacturing company. One ip is from a NAS device for
> staorage. The other is DNS server

I expect it's supposed to read like this:

"I was working on cleaning up my 'any to any' rulesets on my firewall and I
ran across internal IPs using the NetBIOS protocol, which is unexpected
behavior. One of my internal hosts also appears to be attempting to connect
to 7.8.0.106 or 7.8.0.107 on port 4330. A WHOIS lookup tells me that those
IPs belong to the IP range owned by the U.S. Department of Defense.

What is going on? We're just a manufacturing company. One of the IPs
participating in this traffic is supposed to be network storage, while the
other is supposed to just do DNS."

And because no one answered him, he decided to try another line of inquiry:

"My firewall logs have also picked up traffic from our internal trusted
network to an external untrusted network with entries such as:

2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied

It was denied. What is happening here?"

I have no idea what's happening there; I'd suggest looking at the machines
for strange activity, maybe doing some tcpdumps and seeing if you can trace
back any of the packets you find to any of your machines. But I can't think
of any reason your internal machines should be trying to connect to those
hosts. (Especially considering those hosts may not exist!)

On Fri, Feb 3, 2012 at 12:31 AM, <james@...o-internet.org.uk> wrote:

> So what's the question?
>
> ------Original Message------
> From: RandallM
> Sender: full-disclosure-bounces@...ts.grok.org.uk
> To: funsec
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] can you answer this?
> Sent: 3 Feb 2012 08:20
>
> since no one could answer the last one how bout this. In my FW log
> Trust (our 10.0.0.0. network) to untrust picked this up:
>
> 2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
> 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
>
> My "any" to "any" denied queue.
>
> --
> been great, thanks
> RandyM
> a.k.a System
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> Sent from my BlackBerry® wireless device
>



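The reply above suggests going back to the machines and to tcpdump, but the deny log already carries enough to narrow the search. The script below is an added example, not code from Zach C., RandyM or the firewall vendor: it parses entries in the layout the quoted log line shows (that layout is an assumption about the poster's firewall), treats 10.0.0.0/8 as the trusted zone the poster named, treats 7.0.0.0/8 as the prefix the thread's WHOIS lookup attributes to the DoD NIC, and groups findings by source address so each one can be traced back to a host. The first sample line is the entry quoted in the thread, re-joined onto one line; the other two are constructed for the example.

```python
"""Triage firewall deny-log lines seen on a trusted zone.

Flags (a) packets whose source is not in the trusted ranges, (b) destinations
in a prefix the site has no reason to talk to (7.0.0.0/8, which the WHOIS
lookup in the thread attributes to the DoD NIC), and (c) DHCP client traffic
that carries a non-zero source address, which tells you which subnet the
sender already believes it is on.  The field layout is inferred from the log
line quoted in the thread; that is an assumption about the firewall.
"""
import ipaddress
import re
from collections import defaultdict

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # the poster's "Trust" zone
WATCHED_NETS = {ipaddress.ip_network("7.0.0.0/8"): "DoD NIC per WHOIS in thread"}

# Assumed layout: date time src:port dst:port natsrc:port natdst:port proto
# duration "sec." bytes-sent bytes-received action
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<natsrc>[\d.]+):\d+ (?P<natdst>[\d.]+):\d+ "
    r"(?P<proto>\S+) (?P<duration>\d+) sec\. (?P<sent>\d+) (?P<recv>\d+) "
    r"(?P<action>.+)$"
)

# Line 1 is the entry quoted in the thread, re-joined onto one line.
# Lines 2 and 3 are constructed here to exercise the other checks.
SAMPLE_LOG = """\
2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
2012-02-02 10:09:42 10.0.0.25:51234 7.8.0.106:4330 0.0.0.0:0 0.0.0.0:0 TCP 0 sec. 0 0 Traffic Denied
2012-02-02 10:10:01 10.0.0.40:137 10.0.0.255:137 0.0.0.0:0 0.0.0.0:0 UDP 0 sec. 0 0 Traffic Denied
"""


def parse_line(line):
    """Return a dict with typed addresses and ports, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    for key in ("sport", "dport", "duration", "sent", "recv"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Findings for one record; an empty list means nothing worth chasing."""
    findings = []
    src, dst = rec["src"], rec["dst"]
    if not any(src in net for net in TRUSTED_NETS):
        findings.append(
            f"source {src} is outside the trusted ranges: an interface on the "
            f"trust side is configured with (or spoofing) that address"
        )
    for net, owner in WATCHED_NETS.items():
        if dst in net:
            findings.append(f"destination {dst} is in {net} ({owner})")
    # A DHCP client that already holds an address sends from it rather than
    # from 0.0.0.0, so the source reveals the subnet it thinks it is on.
    if rec["sport"] == 68 and rec["dport"] == 67 and not src.is_unspecified:
        findings.append(
            f"DHCP client traffic sourced from {src}: look for a host or "
            f"appliance holding that address (static or stale lease) and tcpdump it"
        )
    return findings


def triage(log_text):
    """Group findings by source host so each can be traced back to a machine."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for finding in classify(rec):
            report[str(rec["src"])].append(finding)
    return dict(report)


if __name__ == "__main__":
    for host, items in triage(SAMPLE_LOG).items():
        print(host)
        for item in items:
            print("  -", item)
```

Run against the quoted entry, the report points at 7.254.254.254 three times: it is not a 10.0.0.0/8 address, it is sending into 7.0.0.0/8, and it is DHCP client traffic with a non-zero source, so something on the trust side already believes it lives in 7.254.254.0/24. That is the host to find. On the firewall's trust-side interface, a filter such as `tcpdump -n -i <iface> 'net 7.0.0.0/8 or (udp and port 67)'` will show the MAC address behind it, which is the step the reply above is asking for.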