Security Incidents mailing list archives
RE: DSL Modem or Router Cracked?
From: "NESTING, DAVID M (SBCSI)" <dn3723 () sbc com>
Date: Thu, 13 Jun 2002 10:52:36 -0500
What about this traffic alarms you specifically?

The 192.168.1.1:5390 -> 192.168.1.255:162 is SNMP, maybe an SNMP trap being sent to your network's broadcast address (someone else can probably comment more specifically). Check the configuration of the 192.168.1.1 device and turn SNMP off if you're not using it.

The 192.168.1.1:1901 -> 239.255.255.250:1900 is "Universal Plug-and-Play" traffic. The latter address is a multicast address reserved for this purpose. It should remain local to your own network (i.e. not routed through your Internet link).

205.152.37.254:53 is DNS for ns.asm.bellsouth.net (your ISP?).

129.6.15.29:123 is NTP at time-b.nist.gov, probably a time synchronization tool running on 192.168.1.2.

None of this looks alarming to me, at first glance. What about it worries you? Though to be fair, there have been some vulnerabilities in the last few months related to SNMP and UPnP, so that traffic alone might be reason to take a closer look at your network, but I see no evidence of a compromise just yet.

David

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
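The triage walked through in the message above, as an added example that is not part of the original post: it labels each flow by destination port and by whether the destination is the LAN broadcast address, a multicast group or an Internet host. The 192.168.1.0/24 LAN, UDP transport, the `seen_on` capture label and the source address of the DNS flow are assumptions, and the sample flows are constructed.

```python
import ipaddress

# Assumption: the LAN is 192.168.1.0/24, inferred from the addresses in the message.
LAN = ipaddress.ip_network("192.168.1.0/24")
SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
# Well-known UDP destination ports named in the message.
SERVICES = {53: "DNS", 123: "NTP", 162: "SNMP trap", 1900: "UPnP/SSDP"}

def scope(dst):
    """Classify a destination address relative to the LAN."""
    if dst == LAN.broadcast_address:
        return "lan-broadcast"
    if dst.is_multicast:
        return "multicast"
    return "lan" if dst in LAN else "internet"

def triage(src, dst, dport, seen_on="lan"):
    """Return (service, scope, note) for one UDP flow.
    seen_on is a hypothetical label for the capture point: "lan" or "wan"."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    service = SERVICES.get(dport, "unknown")
    where = scope(d)
    if service == "unknown":
        note = "unrecognised port: identify the application behind it"
    elif service == "SNMP trap":
        note = f"check SNMP configuration on {s}; disable if unused"
    elif service == "UPnP/SSDP":
        if d != SSDP_GROUP:
            note = "port 1900 but not the SSDP group address: look closer"
        elif seen_on == "wan" or s not in LAN:
            note = "SSDP multicast outside the LAN: should not be routed"
        else:
            note = "expected local discovery traffic"
    elif where == "internet":
        note = f"outbound {service}: confirm the server is one you expect"
    else:
        note = f"local {service}"
    return service, where, note

# Constructed sample flows modelled on the message (source of the DNS flow assumed).
FLOWS = [
    ("192.168.1.1", "192.168.1.255", 162, "lan"),
    ("192.168.1.1", "239.255.255.250", 1900, "lan"),
    ("192.168.1.2", "205.152.37.254", 53, "lan"),
    ("192.168.1.2", "129.6.15.29", 123, "lan"),
]

if __name__ == "__main__":
    for src, dst, dport, seen_on in FLOWS:
        print(f"{src} -> {dst}:{dport}", triage(src, dst, dport, seen_on))
```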