Re: Strange attacks in my log

On Thursday, 21 February 2019, 11:19:08 CET, Reco wrote:
Hi Reco (and all others),

sure, I attached the wireshark pcap. There is nothing secret in it.

However, I know what the ports are for, but it is not understandable for me 
why networking protocols are started when I just put a stick into 
the required slot. And these devices are still not mounted! There is no sense 
IMO why the computer is scanning the network at all.

This is really weird. I wouldn't have noticed it if I hadn't 
installed several alerting tools. 

Notice: You just put a USB stick into the slot - and the system starts 
network protocols and begins scanning the network. WTF???

My systems are all debian/testing (32-bit and 64-bit), all have the same 
configurations and package versions.

Hope this helps.

Best regards

Hans 



> Hi.
> 
> On Thu, Feb 21, 2019 at 10:29:49AM +0100, Hans wrote:
> > Hi folks,
> > 
> > I discovered some strange log entries, which are created by "portsentry"
> > (a tool for watching port accesses).
> > 
> > It looks like whenever I insert a USB drive or an SD card, the system
> > itself wants to access a UDP port (69 or 161).
> 
> udp:69 is TFTP.
> udp:161 is SNMP.
> 
> I can understand udp:161. One of the functions of snmpd is filesystem
> monitoring, and you have this scanbd thing that implies SANE that
> implies snmpd.
> But establishing TFTP session 'just because' is weird.
> 
> > It tries also to access all other computers in the network.
> 
> Broadcast, unicast, or ...?
> 
> > This looks strange to me, because I cannot reproduce why inserting a
> > memory device starts network activities.
> > 
> > With wireshark I could see, this is "BJNP" (whatever this means)
> 
> Curious. Can you share this network dump in pcap format?
> As in,
> 
> tcpdump -s0 -w /tmp/69_161.pcap -ni any udp port 69 or udp port 161
> 
> > Same happens, when pulling the USB-stick or the sd-card out.
> > 
> > This is, what is in the log:
> > 
> > ---------------- snip ----------
> > 
> > Feb 21 10:14:39 localhost udisksd[13607]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
> > Feb 21 10:14:44 localhost scanbd: /usr/sbin/scanbd: no devices, not starting any polling thread
> 
> Useless
> 
> > Feb 21 10:14:47 localhost portsentry[6172]: attackalert:
> > Connect from host: 192.168.2.117/192.168.2.117 to UDP port: 161
> 
> So it's a local SNMP connection, if I get it right?
> 
> Reco

Attachment: wireshark_udp_192.168.2.117.pcap
Description: application/vnd.tcpdump.pcap

Attachment: signature.asc
Description: This is a digitally signed message part.
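Reco's question ("So it's a local SNMP connection, if I get it right?") is the key triage step for the log lines quoted above: the portsentry "attackalert" entries only become interesting once you know whether the source address is the host itself, another machine on the LAN, or something outside. The script below is an added example, not code from either poster; it parses the attackalert line format exactly as it appears in the thread, names udp/69 as TFTP and udp/161 as SNMP as Reco identified them, and tags each hit by origin. The sample log excerpt is constructed to mirror the quoted lines, and the host's own address (192.168.2.117) and LAN prefix (192.168.2.0/24) are assumptions, not facts stated in the thread.

```python
import ipaddress
import re

# Constructed sample syslog excerpt, modelled on the portsentry "attackalert" lines
# quoted in the thread; the 192.168.2.30 and 203.0.113.9 lines are made up for contrast.
SAMPLE_LOG = """\
Feb 21 10:14:39 localhost udisksd[13607]: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
Feb 21 10:14:44 localhost scanbd: /usr/sbin/scanbd: no devices, not starting any polling thread
Feb 21 10:14:47 localhost portsentry[6172]: attackalert: Connect from host: 192.168.2.117/192.168.2.117 to UDP port: 161
Feb 21 10:14:48 localhost portsentry[6172]: attackalert: Connect from host: 192.168.2.117/192.168.2.117 to UDP port: 69
Feb 21 10:14:53 localhost portsentry[6172]: attackalert: Connect from host: 192.168.2.30/192.168.2.30 to UDP port: 161
Feb 21 10:15:02 localhost portsentry[6172]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to TCP port: 23
"""

# Matches the "attackalert: Connect from host: NAME/IP to PROTO port: N" layout
# shown in the thread; any other syslog line is ignored.
ATTACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: "
    r"Connect from host: (?P<name>\S+)/(?P<ip>[0-9A-Fa-f.:]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

# Names for the two ports discussed in the thread; anything else is reported by number.
PORT_NAMES = {("UDP", 69): "tftp", ("UDP", 161): "snmp"}


def parse_attackalert(line):
    """Return a dict for one portsentry attackalert line, or None for any other line."""
    m = ATTACK_RE.match(line.strip())
    if not m:
        return None
    proto, port = m["proto"], int(m["port"])
    return {
        "ts": m["ts"],
        "ip": m["ip"],
        "proto": proto,
        "port": port,
        "service": PORT_NAMES.get((proto, port), f"{proto.lower()}/{port}"),
    }


def classify_origin(ip, self_ips, local_networks):
    """'self' if the source is the host's own address, 'local-lan' if it lies in one
    of the LAN prefixes, otherwise 'external'."""
    addr = ipaddress.ip_address(ip)
    if ip in self_ips:
        return "self"
    if any(addr in ipaddress.ip_network(n) for n in local_networks):
        return "local-lan"
    return "external"


def triage(log_text, self_ips=("192.168.2.117",), local_networks=("192.168.2.0/24",)):
    """Parse a syslog excerpt and tag every portsentry hit with service and origin.
    The defaults are assumptions about the thread's host (own address 192.168.2.117,
    LAN 192.168.2.0/24); pass the real values for your machine."""
    events = []
    for line in log_text.splitlines():
        ev = parse_attackalert(line)
        if ev is None:
            continue
        ev["origin"] = classify_origin(ev["ip"], set(self_ips), local_networks)
        events.append(ev)
    return events


def summarize(events):
    """Count hits per (origin, service) so self-generated SNMP/TFTP noise is kept
    apart from anything that actually arrived from outside the LAN."""
    counts = {}
    for ev in events:
        key = (ev["origin"], ev["service"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = triage(SAMPLE_LOG)
    for ev in evs:
        print(f"{ev['ts']} {ev['origin']:9s} {ev['service']:8s} from {ev['ip']}")
    print(summarize(evs))
```

Run it against `journalctl` or `/var/log/syslog` output piped into `SAMPLE_LOG`'s place; the two "self" hits on snmp and tftp reproduce the pattern Hans describes, and anything tagged "external" is what deserves a closer look in the pcap captured with Reco's tcpdump line.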