Full Disclosure mailing list archives

Re: can you answer this?


From: "doomxd () gmail com" <doomxd () gmail com>
Date: Sat, 04 Feb 2012 08:10:51 +1100

Arserspeage.haha.
Fku lamer.

----- Reply message -----
From: "Zach C." <fxchip () gmail com>
To: <james () zero-internet org uk>
Cc: "funsec" <funsec () linuxbox org>, "RandallM" <randallm () fidmail com>, <full-disclosure () lists grok org uk>, 
<full-disclosure-bounces () lists grok org uk>
Subject: [Full-disclosure] can you answer this?
Date: Fri, Feb 3, 2012 8:04 pm
The original message reads thus:

i was working with cleaning up "any to any" on fw. ran across inside
ips doing netbios (NS) , and one using port 4330 to 7.8.0.106, or
.107.

a who is give .miil DoD Network Information Center.

?

> we are just a manufacturing company. One ip is from a NAS device for
staorage. The other is DNS server

I expect it's supposed to read like this:

"I was working on cleaning up my 'any to any' rulesets on my firewall and I ran across internal IPs using the NetBIOS 
protocol, which is unexpected behavior. One of my internal hosts also appears to be attempting to connect to 7.8.0.106 
or 7.8.0.107 on port 4330. A WHOIS lookup tells me that those IPs belong to the IP range owned by the U.S. Department 
of Defense. 


What is going on? We're just a manufacturing company. One of the IPs participating in this traffic is supposed to be 
network storage, while the other is supposed to just do DNS." 

And because no one answered him, he decided to try another line of inquiry:


"My firewall logs have also picked up traffic from our internal trusted network to an external untrusted network with 
entries such as: 

2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied

It was denied. What is happening here?"

I have no idea what's happening there; I'd suggest looking at the machines for strange activity, maybe doing some 
tcpdumps and seeing if you can trace back any of the packets you find to any of your machines. But I can't think of any 
reason your internal machines should be trying to connect to those hosts. (Especially considering those hosts may not 
exist!) 


On Fri, Feb 3, 2012 at 12:31 AM,  <james () zero-internet org uk> wrote:

So what's the question?

------Original Message------
From: RandallM
Sender: full-disclosure-bounces () lists grok org uk
To: funsec
To: full-disclosure () lists grok org uk
Subject: [Full-disclosure] can you answer this?
Sent: 3 Feb 2012 08:20

since no one could answer the last one how bout this. In my FW log
Trust (our 10.0.0.0. network) to untrust picked this up:

2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied

My "any" to "any" denied queue.

--
been great, thanks
RandyM
a.k.a System



_______________________________________________

Full-Disclosure - We believe in it.

Charter: http://lists.grok.org.uk/full-disclosure-charter.html

Hosted and sponsored by Secunia - http://secunia.com/





Sent from my BlackBerry® wireless device

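Added example, not written by any of the posters: a small Python triage script that parses denied-queue entries in the same layout as the line quoted in the thread and tags the things the thread asks about (a source address that is not in the trust range, a DHCP client request, NetBIOS leaving the zone, and outbound traffic to a public address on an unexpected service). The field layout, the 10.0.0.0/8 trust range (taken from "our 10.0.0.0 network"), the outbound allowlist and the extra sample lines are assumptions made here; only the first sample line is the entry from the thread.

```python
import ipaddress
import re

# Constructed sample log: the first entry is the one quoted in the thread,
# the other three are made up here to show contrasting cases.
SAMPLE_LOG = """\
2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
2012-02-02 10:09:42 10.0.0.25:137 10.0.0.255:137 0.0.0.0:0 0.0.0.0:0 NETBIOS-NS 0 sec. 0 0 Traffic Denied
2012-02-02 10:11:03 10.0.0.40:51234 7.8.0.106:4330 0.0.0.0:0 0.0.0.0:0 TCP 0 sec. 0 0 Traffic Denied
2012-02-02 10:12:15 10.0.0.12:53211 192.0.2.53:53 0.0.0.0:0 0.0.0.0:0 DNS 1 sec. 120 240 Traffic Permitted
"""

# Assumed field layout, inferred from the quoted entry (the page does not document it):
# date time src:port dst:port translated-src:port translated-dst:port
# service duration "sec." bytes-sent bytes-received action
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"[\d.]+:\d+ [\d.]+:\d+ "
    r"(?P<service>\S+) (?P<duration>\d+) sec\. (?P<sent>\d+) (?P<recv>\d+) "
    r"(?P<action>Traffic (?:Denied|Permitted))$"
)

# The poster describes the trust zone as "our 10.0.0.0 network".
TRUST_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Services an internal host is normally expected to reach outside (assumed allowlist).
EXPECTED_OUTBOUND = {"DNS", "HTTP", "HTTPS", "NTP"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if the layout does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["src_ip"] = ipaddress.ip_address(fields["src"])
    fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    fields["sport"] = int(fields["sport"])
    fields["dport"] = int(fields["dport"])
    return fields


def in_trust(ip):
    return any(ip in net for net in TRUST_NETS)


def analyse(entry):
    """Return the list of finding tags for one parsed trust->untrust entry."""
    findings = []
    src, dst = entry["src_ip"], entry["dst_ip"]
    # 1. Packet seen on the trust side whose source is not a trust address:
    #    a host with a wrong, static or self-configured address, or a spoofed source.
    if not in_trust(src):
        findings.append("foreign-source-on-trust-side")
    # 2. DHCP client port 68 to server port 67: the host is asking for a lease
    #    while already carrying whatever address is in the src field.
    if entry["sport"] == 68 and entry["dport"] == 67:
        findings.append("dhcp-client-request")
    # 3. NetBIOS name service is LAN-only and should not be crossing the firewall.
    if entry["service"].startswith("NETBIOS") or entry["dport"] in (137, 138, 139):
        findings.append("netbios-leaving-zone")
    # 4. Trusted host reaching a public address on a service outside the allowlist:
    #    the case for a WHOIS lookup and a look at the host (the 7.8.0.106:4330 traffic).
    if in_trust(src) and dst.is_global and entry["service"] not in EXPECTED_OUTBOUND:
        findings.append("unexpected-outbound-to-public")
    return findings


def triage(log_text):
    """Map each non-empty log line (1-based) to its findings; unparsable lines map to ['unparsed']."""
    report = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        report[n] = analyse(entry) if entry else ["unparsed"]
    return report


if __name__ == "__main__":
    for n, tags in triage(SAMPLE_LOG).items():
        print(n, tags or ["ok"])
```

Run against the thread's entry, the script tags the source as foreign to the 10.0.0.0/8 trust zone and the packet as a DHCP client request, which is the combination worth chasing on the wire with tcpdump as the reply suggests: a host on the inside that already believes it is 7.254.254.254 is asking for a lease, and the MAC address in the capture is what ties it back to a physical machine.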
