Re: Strange attacks in my log
On Thu, Feb 21, 2019 at 10:29:49AM +0100, Hans wrote:
> Hi folks,
> I discovered some strange log entries, which are created by "portsentry" (a tool for
> wathing port accesses).
> It looks like whenever I insert an USB-drive or a SD-Card, the own system wants to
> access on an UDP-Port (69 or 161).
udp:69 is TFTP.
udp:161 is SNMP.
I can understand udp:161. One of the functions of snmpd is filesystem
monitoring, and you have this scanbd thing that implies SANE that
But establishing TFTP session 'just because' is weird.
> It tries also to access all other computers in the network.
Broadcast, unicast, or ...?
> This looks strange for me, because I can not reproduce, why inserting a memeory
> device, network activies are started.
> With wireshark I could see, this is "BJNP" (whatever this means)
Curious. Can you share a this network dump in pcap format?
tcpdump -s0 -w /tmp/69_161.pcap -ni any udp port 69 or udp port 161
> Same happens, when pulling the USB-stick or the sd-card out.
> This is, what is in the log:
> ---------------- snip ----------
> Feb 21 10:14:39 localhost udisksd: g_object_unref: assertion'G_IS_OBJECT
> (object)' failed Feb 21 10:14:44 localhost scanbd: /usr/sbin/scanbd: no devices, not
> starting any polling thread
> Feb 21 10:14:47 localhost portsentry: attackalert:
> Connect from host: 192.168.2.117/192.168.2.117 to UDP port: 161
So it's a local SNMP connection, if I get it right?