Security Incidents mailing list archives

Re: Strange Happenings @Home


From: chris.wilson () ESECURITYINC COM (Chris Wilson)
Date: Thu, 1 Jun 2000 17:56:24 -0400


Hi Fred,

The bootp stuff is typically other @Home users getting their IP addresses
via DHCP.  Your firewall blocks and logs because the DHCP requests are sent
to the subnet's broadcast address, forcing your firewall to process them.

The high-numbered port hits could be scans for backdoor trojans; sometimes
doing a web search for the port number reveals a lesser-known backdoor
program.

For the 192.168.x.x addresses, try doing a traceroute to them to see if it's
just an internal subnet in the @Home intranet (likely, assuming you can get
a route to them).

I see a lot of all of the above in my Linux firewall logs on my Roadrunner
cable modem account at home, except the nonroutable addresses are typically
10.0.x.x (and appear to be internal Roadrunner network devices).

Just my $.02....

-Chris

Christopher Wilson
e-Security, Inc.
700 S. Babcock St., Suite 200
Melbourne, FL  32901
Email:  chris.wilson () esecurityinc com
Web:            http://www.esecurityinc.com/
PGP Fingerprint:  3D85 E2DF 369F E7AA 0859  737E 2E4F 768A D600 9B25

-----Original Message-----
From: Fred Hirsch [mailto:fhirsch () TSE COM]
Sent: Tuesday, May 30, 2000 10:29 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: [INCIDENTS] Strange Happenings @Home

[snip]

From what I can tell, many of these denied packets are on ports 67 and 68,
which according to my /etc/services is bootp. Is there a reason why someone
would run a bootp server on an @Home network? Additionally, I receive a number
of high-level port hits from many anonymous IPs. Do game servers such as Quake
browse around through subnets looking for replies? Because this seems to be
the activity I am seeing. I do not see any typical ports for BO or other
Windows-based subversions. Many of the IPs floating in my logs are not in the
@Home subnet which I belong to. I also see a lot of local network IPs like
192.168.x.x trying to hit the firewall as well.

[snip]
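The three kinds of denied packets discussed in this thread (bootp/DHCP broadcasts on UDP 67/68, hits from RFC 1918 addresses such as 192.168.x.x or 10.0.x.x, and probes against high-numbered ports) can be separated mechanically before anyone starts searching for port numbers. The script below is an added example written for this archive page; it is not code from either poster or from e-Security, Inc. The log line format, the local subnet 24.1.2.0/24 and the sample records are all constructed for the example; real ipchains or iptables log lines would need their own regular expression.

```python
"""Triage denied-packet firewall log lines into the categories raised in the
thread: DHCP/bootp broadcast chatter, packets from RFC 1918 (non-routable)
source addresses, and hits on high-numbered ports that may be backdoor scans.

The log format parsed here is constructed for this example:
    "<time> DENY <proto> <src>:<sport> -> <dst>:<dport>"
"""
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+DENY\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# The three private ranges from RFC 1918; traffic from these should never
# arrive from the public Internet, so hits are either provider-internal
# devices (as Chris describes) or spoofed.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if the dotted-quad string falls in any RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(line, local_net):
    """Return a category for one log line, or None if it does not parse.

    local_net is the cable segment this host sits on (an ip_network); its
    broadcast address is treated like 255.255.255.255 for the DHCP check.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = m["proto"]
    src, dst = m["src"], m["dst"]
    sport, dport = int(m["sport"]), int(m["dport"])

    dst_ip = ipaddress.ip_address(dst)
    to_broadcast = (dst_ip == ipaddress.ip_address("255.255.255.255")
                    or dst_ip == local_net.broadcast_address)

    # DHCP: client port 68 and server port 67, sent to a broadcast address.
    # Other subscribers on the same segment produce these constantly.
    if proto == "UDP" and {sport, dport} == {67, 68} and to_broadcast:
        return "dhcp_broadcast"
    if is_rfc1918(src):
        return "rfc1918_source"
    # Anything else aimed at a non-privileged port is worth a port lookup.
    if proto in ("TCP", "UDP") and dport >= 1024:
        return "high_port_probe"
    return "other"


def triage(lines, local_net="24.1.2.0/24"):
    """Count log lines per category; unparseable lines are skipped.

    The default subnet 24.1.2.0/24 is an assumption made for this example.
    """
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for line in lines:
        cat = classify(line, net)
        if cat is not None:
            counts[cat] += 1
    return counts


# Constructed sample records; not taken from either poster's actual logs.
SAMPLE_LOG = [
    "10:29:01 DENY UDP 0.0.0.0:68 -> 255.255.255.255:67",
    "10:29:02 DENY UDP 24.1.2.77:68 -> 24.1.2.255:67",
    "10:29:05 DENY TCP 192.168.1.20:3421 -> 24.1.2.50:139",
    "10:29:09 DENY TCP 206.13.28.12:4019 -> 24.1.2.50:31337",
    "10:29:11 DENY UDP 209.67.1.3:27960 -> 24.1.2.50:27960",
    "10:29:15 DENY TCP 206.13.28.12:4020 -> 24.1.2.50:23",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for cat, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{cat:16s} {n}")
```

Run against the constructed sample it reports two DHCP broadcasts, one RFC 1918 source, two high-port probes and one other denial, and silently drops the line that does not parse. The DHCP test is deliberately tied to a broadcast destination: a unicast packet on UDP 67 from an outside address is not normal lease traffic and falls through to the other categories.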

