
Re: Strange attacks in my log


On Thu, Feb 21, 2019 at 10:29:49AM +0100, Hans wrote:
> Hi folks,
> I discovered some strange log entries, which are created by "portsentry" (a tool for 
> watching port accesses).
> It looks like whenever I insert a USB-drive or an SD-Card, the system itself wants to 
> access a UDP-Port (69 or 161).
udp:69 is TFTP.
udp:161 is SNMP.

I can understand udp:161. One of the functions of snmpd is filesystem
monitoring, and you have this scanbd thing that implies SANE that
implies snmpd.
But establishing a TFTP session 'just because' is weird.

> It tries also to access all other computers in the network. 

Broadcast, unicast, or ...?

> This looks strange to me, because I cannot reproduce why inserting a memory 
> device starts network activities. 
> With wireshark I could see, this is "BJNP" (whatever this means)

Curious. Can you share this network dump in pcap format?
As in,

tcpdump -s0 -w /tmp/69_161.pcap -ni any udp port 69 or udp port 161

> Same happens, when pulling the USB-stick or the sd-card out.
> This is, what is in the log:
> ---------------- snip ----------
> Feb 21 10:14:39 localhost udisksd[13607]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
> Feb 21 10:14:44 localhost scanbd: /usr/sbin/scanbd: no devices, not starting any polling thread

> Feb 21 10:14:47 localhost portsentry[6172]: attackalert: 
> Connect from host: to UDP port: 161

So it's a local SNMP connection, if I get it right?
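As an added example (not part of the thread and not code from either poster), here is a small Python correlator that performs the check the reply is working toward: it parses syslog lines of the shape quoted above, flags each portsentry attackalert whose source field is empty or a loopback address as local, and marks those that follow a udisksd (hotplug) event within a short window, so that daemon side effects of plugging a device can be separated from probes by other hosts. The sample log is constructed: the first three lines follow the ones quoted in the thread, while the sshd line, the second local alert with a resolved source and the remote alert are made up. The BJNP port mapping (udp/8611 for printers, udp/8612 for scanners, the Canon discovery protocol SANE's pixma backend speaks) is my addition, not something the thread states.

```python
import re
import ipaddress
from datetime import datetime, timedelta

# UDP services behind the ports the thread mentions. The two BJNP ports are
# an assumption added here: Canon's BJNP discovery protocol, which SANE's
# pixma backend speaks, uses udp/8611 for printers and udp/8612 for scanners.
UDP_SERVICES = {69: "tftp", 161: "snmp", 8611: "bjnp-print", 8612: "bjnp-scan"}

# Classic syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# portsentry's alert: "attackalert: Connect from host: name/ip to UDP port: N".
# The source field may be empty, as it is in the line quoted in the thread.
ATTACK_RE = re.compile(
    r"attackalert: Connect from host:\s*(?P<src>\S*?)\s+to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)

# Constructed sample log (see the lead-in): only the first three lines follow
# the thread; the rest are invented to exercise the local/remote split.
SAMPLE_LOG = """\
Feb 21 10:14:39 localhost udisksd[13607]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Feb 21 10:14:44 localhost scanbd: /usr/sbin/scanbd: no devices, not starting any polling thread
Feb 21 10:14:47 localhost portsentry[6172]: attackalert: Connect from host: to UDP port: 161
Feb 21 10:14:48 localhost portsentry[6172]: attackalert: Connect from host: localhost/127.0.0.1 to UDP port: 69
Feb 21 10:20:03 localhost sshd[2222]: Accepted publickey for hans from 192.0.2.10 port 51234 ssh2
Feb 21 10:30:01 localhost portsentry[6172]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to UDP port: 161
"""


def parse_syslog_line(line, year=2019):
    """Parse one syslog line; the year is supplied because syslog omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "prog": m["prog"], "msg": m["msg"]}


def is_local_source(src):
    """A portsentry source is local if it is empty or its IP half is loopback."""
    if not src:
        return True
    try:
        return ipaddress.ip_address(src.rsplit("/", 1)[-1]).is_loopback
    except ValueError:
        return False


def correlate_alerts(log_text, window=timedelta(seconds=15)):
    """Return every portsentry alert, tagged with whether it came from the
    local host and whether a udisksd (hotplug) event preceded it within
    `window`, which is the relation the thread is trying to establish."""
    entries = [e for e in map(parse_syslog_line, log_text.splitlines()) if e]
    hotplug = [e["ts"] for e in entries if e["prog"] == "udisksd"]
    findings = []
    for e in entries:
        m = ATTACK_RE.search(e["msg"])
        if e["prog"] != "portsentry" or m is None:
            continue
        port = int(m["port"])
        if m["proto"] == "UDP":
            service = UDP_SERVICES.get(port, "udp/%d" % port)
        else:
            service = "tcp/%d" % port
        findings.append({
            "ts": e["ts"],
            "port": port,
            "service": service,
            "local": is_local_source(m["src"]),
            "after_hotplug": any(timedelta(0) <= e["ts"] - t <= window for t in hotplug),
        })
    return findings


def classify(findings):
    """Split alerts into the three buckets worth treating differently:
    local probes right after a hotplug event (daemon behaviour to explain),
    other local probes, and anything from another host (a real scan)."""
    buckets = {"local_after_hotplug": [], "local_other": [], "remote": []}
    for f in findings:
        if not f["local"]:
            buckets["remote"].append(f["service"])
        elif f["after_hotplug"]:
            buckets["local_after_hotplug"].append(f["service"])
        else:
            buckets["local_other"].append(f["service"])
    return buckets


if __name__ == "__main__":
    for name, services in classify(correlate_alerts(SAMPLE_LOG)).items():
        print(f"{name}: {services}")
```

Run against a real /var/log/syslog the 15-second window and the `udisksd` program name are the two knobs to adjust; the point is that an alert whose source is the host itself and which lands a few seconds after a hotplug event is a question for the daemons started on hotplug (scanbd, snmpd), while the same port probed from another address belongs in the "remote" bucket and deserves the pcap the reply asks for.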