Web lists-archives.com

Re: Strange attacks in my log

Hi.

On Thu, Feb 21, 2019 at 11:42:58AM +0100, Hans wrote:
> Am Donnerstag, 21. Februar 2019, 11:19:08 CET schrieb Reco:
> Hi Reco (and all others),
> 
> sure, I attached the wireshark pcap. There is nothing secret in it.

That's interesting. Aforementioned pcap does not contain udp:69, but it
does contain broadcast udp:161 (src: 192.168.2.117 dst:
255.255.255.255), requesting three OIDs via SNMP v2c:

$ snmptranslate -mALL .1.3.6.1.2.1.1.1.0
RFC1213-MIB::sysDescr.0
$ snmptranslate -mALL .1.3.6.1.2.1.1.2.0
RFC1213-MIB::sysObjectID.0
$ snmptranslate -mALL .1.3.6.1.2.1.2.2.1.6.1
RFC1213-MIB::ifPhysAddress.1


A hint. One should not (ab)use SNMP this way. Even if you're doing
device discovery - you're doing it wrong by sending SNMP to broadcast.
Explains why your other hosts see this though.


> However, I know what the ports are for, but it is not understandable for me
> why networking protocols are started when I just put a stick into
> the required slot. And these devices are still not mounted! There is no sense,
> IMO, why the computer is scanning the network at all.

There can be an explanation, though, but Wireshark/tcpdump is not
suitable to get it.

Install auditd.
Invoke "auditctl -a always,exit -S connect".
Insert any usb stick
Invoke "auditctl -D" to clear the rules.

All the answers should await one at /var/log/audit/audit.log

Reco
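As an added example that is not part of the thread, here is a small Python script for the last step of Reco's auditd procedure: it joins the SYSCALL and SOCKADDR records in /var/log/audit/audit.log by their audit serial and reports which executable connected to which address, so a broadcast destination like the one seen in the pcap can be tied to a process. The log lines, process names and paths below are constructed for the example.

```python
import re
import struct
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample of audit.log output under `auditctl -a always,exit -S connect`.
# Each connect(2) yields a SYSCALL record and a SOCKADDR record that share the
# serial after the colon in msg=audit(...). Names and paths are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1550746978.131:4711): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd1c2e1f40 a2=10 a3=0 items=0 ppid=1 pid=2301 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="discovery-helper" exe="/usr/lib/example/discovery-helper" key=(null)
type=SOCKADDR msg=audit(1550746978.131:4711): saddr=020000A1FFFFFFFF0000000000000000
type=SYSCALL msg=audit(1550746978.502:4712): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffe0a1b2c30 a2=10 a3=0 items=0 ppid=1 pid=1177 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ssh" exe="/usr/bin/ssh" key=(null)
type=SOCKADDR msg=audit(1550746978.502:4712): saddr=02000016C0A802010000000000000000
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(body):
    """Turn 'k=v k="v v" k=(null)' into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}


def decode_saddr(hexstr):
    """Decode the raw sockaddr hex that auditd logs; returns (ip, port) or None."""
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]   # sa_family is in host byte order
    if family == 2 and len(raw) >= 8:          # AF_INET: port (network order) + IPv4
        return str(ip_address(raw[4:8])), struct.unpack('>H', raw[2:4])[0]
    if family == 10 and len(raw) >= 24:        # AF_INET6: port, flowinfo, then IPv6
        return str(ip_address(raw[8:24])), struct.unpack('>H', raw[2:4])[0]
    return None                                # AF_UNIX and others: not a network peer


def attribute_connects(log_text):
    """Return [(exe, pid, dst_ip, dst_port)] for every connect that has a SOCKADDR record."""
    by_serial = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            by_serial[m['serial']][m['type']] = parse_fields(m['body'])
    results = []
    for serial in sorted(by_serial, key=int):
        sc, sa = by_serial[serial].get('SYSCALL'), by_serial[serial].get('SOCKADDR')
        dst = decode_saddr(sa['saddr']) if sc and sa else None
        if dst:
            results.append((sc['exe'], int(sc['pid']), dst[0], dst[1]))
    return results


if __name__ == '__main__':
    for exe, pid, ip, port in attribute_connects(SAMPLE_LOG):
        print(f"{exe} (pid {pid}) -> {ip}:{port}" + ("  [broadcast]" if ip == '255.255.255.255' else ''))
```

A UDP sender that calls sendto(2) on an unconnected socket never issues connect(2), so extending the rule with `-S sendto` is needed to catch that case; the SOCKADDR records it produces decode the same way.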