Re: can you answer this?

[doc mombasa <doc.mombasa () gmail com>]

aah doom has aspergers.. that explains a lot :)

Den 3. feb. 2012 22.10 skrev doomxd () gmail com <doomxd () gmail com>:

> Arserspeage.haha.
> Fku lamer.
>
> ----- Reply message -----
> From: "Zach C." <fxchip () gmail com>
> To: <james () zero-internet org uk>
> Cc: "funsec" <funsec () linuxbox org>, "RandallM" <randallm () fidmail com>, <
> full-disclosure () lists grok org uk>, <
> full-disclosure-bounces () lists grok org uk>
> Subject: [Full-disclosure] can you answer this?
> Date: Fri, Feb 3, 2012 8:04 pm
>
>
> The original message reads thus:
>
> > i was working with cleaning up "any to any" on fw. ran across inside
> > ips doing netbios (NS) , and one using port 4330 to 7.8.0.106, or
> > .107.
> >
> > a who is give .miil DoD Network Information Center.
> >
> > ?
>  > we are just a manufacturing company. One ip is from a NAS device for
> > staorage. The other is DNS server
>
> I expect it's supposed to read like this:
>
> "I was working on cleaning up my 'any to any' rulesets on my firewall and
> I ran across internal IPs using the NetBIOS protocol, which is unexpected
> behavior. One of my internal hosts also appears to be attempting to connect
> to 7.8.0.106 or 7.8.0.107 on port 4330. A WHOIS lookup tells me that those
> IPs belong to the IP range owned by the U.S. Department of Defense.
>
> What is going on? We're just a manufacturing company. One of the IPs
> participating in this traffic is supposed to be network storage, while the
> other is supposed to just do DNS."
>
> And because no one answered him, he decided to try another line of inquiry:
>
> "My firewall logs have also picked up traffic from our internal trusted
> network to an external untrusted network with entries such as:
>
> 2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
> 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
>
> It was denied. What is happening here?"
>
> I have no idea what's happening there; I'd suggest looking at the machines
> for strange activity, maybe doing some tcpdumps and seeing if you can trace
> back any of the packets you find to any of your machines. But I can't think
> of any reason your internal machines should be trying to connect to those
> hosts. (Especially considering those hosts may not exist!)
>
> On Fri, Feb 3, 2012 at 12:31 AM, <james () zero-internet org uk> wrote:
>
> > So what's the question?
> >
> > ------Original Message------
> > From: RandallM
> > Sender: full-disclosure-bounces () lists grok org uk
> > To: funsec
> > To: full-disclosure () lists grok org uk
> > Subject: [Full-disclosure] can you answer this?
> > Sent: 3 Feb 2012 08:20
> >
> > since no one could answer the last one how bout this. In my FW log
> > Trust (our 10.0.0.0. network) to untrust picked this up:
> >
> > 2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
> > 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
> >
> > My "any" to "any" denied queue.
> >
> > --
> > been great, thanks
> > RandyM
> > a.k.a System
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
> > Sent from my BlackBerry® wireless device
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/