Message-ID: <CAFMAuHonnWVgQ6Y+qeQ9xPS+SFJ1D=-f=3uLdqXw4y3jcpq6yg@mail.gmail.com>
Date: Sat, 4 Feb 2012 09:29:52 +0100
From: doc mombasa <doc.mombasa@...il.com>
To: "doomxd@...il.com" <doomxd@...il.com>
Cc: fxchip@...il.com, full-disclosure@...ts.grok.org.uk,
funsec <funsec@...uxbox.org>, RandallM <randallm@...mail.com>,
full-disclosure-bounces@...ts.grok.org.uk
Subject: Re: can you answer this?
aah doom has aspergers.. that explains a lot :)
On 3 Feb 2012 22:10, doomxd@...il.com <doomxd@...il.com> wrote:
> Arserspeage.haha.
> Fku lamer.
>
> ----- Reply message -----
> From: "Zach C." <fxchip@...il.com>
> To: <james@...o-internet.org.uk>
> Cc: "funsec" <funsec@...uxbox.org>, "RandallM" <randallm@...mail.com>, <
> full-disclosure@...ts.grok.org.uk>, <
> full-disclosure-bounces@...ts.grok.org.uk>
> Subject: [Full-disclosure] can you answer this?
> Date: Fri, Feb 3, 2012 8:04 pm
>
>
> The original message reads thus:
>
> > i was working with cleaning up "any to any" on fw. ran across inside
> > ips doing netbios (NS) , and one using port 4330 to 7.8.0.106, or
> > .107.
> >
> > a who is give .miil DoD Network Information Center.
> >
> > ?
> >
> > we are just a manufacturing company. One ip is from a NAS device for
> > staorage. The other is DNS server
>
> I expect it's supposed to read like this:
>
> "I was working on cleaning up my 'any to any' rulesets on my firewall and
> I ran across internal IPs using the NetBIOS protocol, which is unexpected
> behavior. One of my internal hosts also appears to be attempting to connect
> to 7.8.0.106 or 7.8.0.107 on port 4330. A WHOIS lookup tells me that those
> IPs belong to the IP range owned by the U.S. Department of Defense.
>
> What is going on? We're just a manufacturing company. One of the IPs
> participating in this traffic is supposed to be network storage, while the
> other is supposed to just do DNS."
>
> And because no one answered him, he decided to try another line of inquiry:
>
> "My firewall logs have also picked up traffic from our internal trusted
> network to an external untrusted network with entries such as:
>
> 2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
> 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
>
> It was denied. What is happening here?"
>
> I have no idea what's happening there; I'd suggest looking at the machines
> for strange activity, maybe doing some tcpdumps and seeing if you can trace
> back any of the packets you find to any of your machines. But I can't think
> of any reason your internal machines should be trying to connect to those
> hosts. (Especially considering those hosts may not exist!)
>
> On Fri, Feb 3, 2012 at 12:31 AM, <james@...o-internet.org.uk> wrote:
>
>> So what's the question?
>>
>> ------Original Message------
>> From: RandallM
>> Sender: full-disclosure-bounces@...ts.grok.org.uk
>> To: funsec
>> To: full-disclosure@...ts.grok.org.uk
>> Subject: [Full-disclosure] can you answer this?
>> Sent: 3 Feb 2012 08:20
>>
>> since no one could answer the last one, how bout this. In my FW log,
>> Trust (our 10.0.0.0 network) to untrust picked this up:
>>
>> 2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
>> 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
>>
>> My "any" to "any" denied queue.
>>
>> --
>> been great, thanks
>> RandyM
>> a.k.a System
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> Sent from my BlackBerry® wireless device
>>
>
>
>
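A defender-side triage of log lines in the layout RandallM quoted, added here as an example and not part of any message in this thread: it parses the export format shown above and flags entries whose source lies outside the 10.0.0.0/8 trust network, DHCP traffic crossing the zone boundary, and destinations on a watch list built from the two addresses the thread asks about. The field layout is assumed from the single quoted entry; the second and third sample lines are constructed.

```python
import ipaddress

# Constructed sample lines in the layout of the firewall export quoted above;
# the field layout is assumed from that single quoted entry:
# date time src:port dst:port xlat-src:port xlat-dst:port service duration sent recv action
SAMPLE_LOG = """\
2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
2012-02-02 10:09:31 10.0.0.25:49152 7.8.0.106:4330 0.0.0.0:0 0.0.0.0:0 TCP 0 sec. 0 0 Traffic Denied
2012-02-02 10:09:40 10.0.0.53:53 8.8.8.8:53 0.0.0.0:0 0.0.0.0:0 DNS 1 sec. 120 240 Traffic Allowed
"""

# Addresses that legitimately live on the "trust" side (10.0.0.0 per the thread).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Hypothetical watch list built from the two destinations the thread asks about.
WATCH_HOSTS = {ipaddress.ip_address("7.8.0.106"), ipaddress.ip_address("7.8.0.107")}

def parse_line(line):
    """Return a dict of the addressing, service and action fields of one export line."""
    f = line.split()
    src, sport = f[2].rsplit(":", 1)
    dst, dport = f[3].rsplit(":", 1)
    return {"ts": f"{f[0]} {f[1]}", "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "service": f[6], "action": " ".join(f[-2:])}

def findings(e):
    """Reasons an entry logged on the trust->untrust boundary deserves a look."""
    out = []
    if not any(e["src"] in net for net in TRUSTED_NETS):
        # An inside device is sending with an address outside the trust range
        # (a stale or factory-default configuration is a common cause).
        out.append("source not in trusted range")
    if {e["sport"], e["dport"]} & {67, 68}:
        # DHCP should never need to leave the zone; a denied broadcast is still a signal.
        out.append("DHCP crossing zone boundary")
    if e["dst"] in WATCH_HOSTS:
        out.append("destination on watch list")
    return out

def triage(log_text):
    """(timestamp, src, dst, findings) for every non-empty line that raised a finding."""
    result = []
    for line in filter(str.strip, log_text.splitlines()):
        e = parse_line(line)
        hits = findings(e)
        if hits:
            result.append((e["ts"], str(e["src"]), str(e["dst"]), hits))
    return result
```

Run `triage(SAMPLE_LOG)` to list the entries worth following up with the tcpdump Zach suggests; the quoted DHCP line trips two checks, the 7.8.0.106 line one, and the DNS line none.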