
Re: Strange attacks in my log


On Thu, Feb 21, 2019 at 11:42:58AM +0100, Hans wrote:
> Am Donnerstag, 21. Februar 2019, 11:19:08 CET schrieb Reco:
> Hi Reco (and all others),
> sure, I attached the wireshark pcap. There is nothing secret in it.

That's interesting. Aforementioned pcap does not contain udp:69, but it
does contain broadcast udp:161 (src: dst:, requesting three OIDs via SNMP v2c:

$ snmptranslate -mALL .
$ snmptranslate -mALL .
$ snmptranslate -mALL .

A hint. One should not (ab)use SNMP this way. Even if you're doing
device discovery - you're doing it wrong by sending SNMP to broadcast.
Explains why your other hosts see this though.

> However, I know what the ports are for, but it is not understandable for me 
> why networking protocols are started when I just put a stick into 
> the required slot. And these devices are still not mounted! There is no sense, 
> IMO, why the computer is scanning the network at all.

There can be an explanation, though, but Wireshark/tcpdump is not
suitable to get it.

Install auditd.
Invoke "auditctl -a always,exit -S connect".
Insert any usb stick
Invoke "auditctl -D" to clear the rules.

All the answers should await you at /var/log/audit/audit.log
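The procedure above tells you where the records land but not how to read them: auditd logs a connect() as a SYSCALL record (which names the process) followed by a SOCKADDR record (which carries the raw sockaddr as hex), joined only by the event serial in msg=audit(ts:serial). The script below is an added example, not part of Reco's or Hans's posts, that performs that join and decodes the AF_INET sockaddr so each connecting binary appears next to the IP:port it hit. It assumes x86_64 (syscall=42 is connect; the arch filter and the key name "usbnet" in the commented rule are my additions), little-endian byte order for sa_family, and the audit.log lines embedded in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original thread): correlate auditd connect()
# SYSCALL records with their SOCKADDR records and decode the target address.
# Assumed rule that would produce such records on x86_64 (assumption: key name):
#   auditctl -a always,exit -F arch=b64 -S connect -k usbnet
# The sample audit.log lines below are constructed, not captured from a real host.

AUDIT_SAMPLE=$(cat <<'EOF'
type=SYSCALL msg=audit(1550745000.123:4567): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2c0e0a40 a2=10 a3=0 items=0 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmpget" exe="/usr/bin/snmpget" key="usbnet"
type=SOCKADDR msg=audit(1550745000.123:4567): saddr=020000A1FFFFFFFF0000000000000000
type=SYSCALL msg=audit(1550745001.456:4568): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd2c0e0a40 a2=10 a3=0 items=0 ppid=1 pid=1235 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tftp" exe="/usr/bin/tftp" key="usbnet"
type=SOCKADDR msg=audit(1550745001.456:4568): saddr=02000045C0A800010000000000000000
type=SYSCALL msg=audit(1550745002.789:4569): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd2c0e0a40 a2=6e a3=0 items=0 ppid=1 pid=1236 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/lib/udisks2/udisksd" key="usbnet"
type=SOCKADDR msg=audit(1550745002.789:4569): saddr=01002F72756E2F646275732F73797374656D5F6275735F736F636B657400
EOF
)

# decode_saddr HEX: print "a.b.c.d:port" for an AF_INET sockaddr, else "family=N".
# Layout of struct sockaddr_in as hex: family (2 bytes, host order),
# port (2 bytes, network order), address (4 bytes), 8 bytes padding.
decode_saddr() {
    hex=$1
    # sa_family is native-endian; on little-endian "0200" means 0x0002 = AF_INET
    fam=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c3-4)$(printf '%s' "$hex" | cut -c1-2)")
    if [ "$fam" -ne 2 ]; then
        printf 'family=%s\n' "$fam"
        return 0
    fi
    port=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c5-8)")
    a=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c9-10)")
    b=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c11-12)")
    c=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c13-14)")
    d=$(printf '%d' "0x$(printf '%s' "$hex" | cut -c15-16)")
    printf '%s.%s.%s.%s:%s\n' "$a" "$b" "$c" "$d" "$port"
}

# audit_connects [FILE]: read audit.log from FILE (or stdin) and print one line
# per connect() event: "<exe> pid=<pid> -> <decoded address>".
# Records are joined on the event serial found in msg=audit(ts:serial).
audit_connects() {
    awk '
      /^type=SYSCALL / && / syscall=42 / {
        split($2, m, /[:)]/); id = m[2]
        for (i = 1; i <= NF; i++) {
          if ($i ~ /^exe=/) exe[id] = substr($i, 6, length($i) - 6)  # strip exe=" and closing "
          if ($i ~ /^pid=/) pid[id] = substr($i, 5)
        }
        order[++n] = id
      }
      /^type=SOCKADDR / {
        split($2, m, /[:)]/); id = m[2]
        for (i = 1; i <= NF; i++) if ($i ~ /^saddr=/) sa[id] = substr($i, 7)
      }
      END {
        for (k = 1; k <= n; k++) {
          id = order[k]
          printf "%s|%s|%s\n", exe[id], pid[id], sa[id]
        }
      }
    ' ${1:+"$1"} |
    while IFS='|' read -r exe pid saddr; do
        printf '%s pid=%s -> %s\n' "$exe" "$pid" "$(decode_saddr "$saddr")"
    done
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$AUDIT_SAMPLE" | audit_connects
```

On a box that still has the audit userland, `ausearch -k usbnet -i` does the same join and address decoding for you; the script is for the common case where the log has been copied off the machine for analysis. Note that the third record (an AF_UNIX connect to a local socket) is reported as family=1 rather than dropped, so a process that only talks to D-Bus is still visible and can be ruled out.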