Re: Strange attacks in my log
On Thu, Feb 21, 2019 at 11:42:58AM +0100, Hans wrote:
> On Thursday, 21 February 2019, 11:19:08 CET, Reco wrote:
> Hi Reco (and all others),
> sure, I attached the wireshark pcap. There is nothing secret in it.
That's interesting. The aforementioned pcap does not contain udp:69, but it
does contain broadcast udp:161 (src: 192.168.2.117 dst:
255.255.255.255), requesting three OIDs via SNMP v2c:
$ snmptranslate -mALL .18.104.22.168.22.214.171.124.0
$ snmptranslate -mALL .126.96.36.199.188.8.131.52.0
$ snmptranslate -mALL .184.108.40.206.220.127.116.11.1.6.1
A hint. One should not (ab)use SNMP this way. Even if you're doing
device discovery, you're doing it wrong by sending SNMP to broadcast.
That explains why your other hosts see this, though.
> However, I know what the ports are for, but it is not understandable to me
> why networking protocols are started when I just put a stick into
> the required slot. And these devices are still not mounted! There is no sense,
> IMO, why the computer is scanning the network at all.
There can be an explanation, though, but Wireshark/tcpdump is not
suitable to get it.
Invoke "auditctl -a always,exit -S connect".
Insert any usb stick
Invoke "auditctl -D" to clear the rules.
All the answers should await you at /var/log/audit/audit.log
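Once the audit rule above has been active while the stick was inserted, the audit.log contains one SYSCALL record per connect() call plus a SOCKADDR record with the raw destination address, both sharing an event id. The following parser is an added example (not part of Reco's or Hans's messages) that pairs those records and reports which executable connected where. It assumes an x86_64 host (arch=c000003e, where syscall 42 is connect, and the sa_family field is written in little-endian host order); the audit.log lines in it are constructed for illustration, not taken from the thread.

```python
import re
import socket
import struct

# Constructed sample audit.log excerpt (not from the original thread): a
# hypothetical discovery helper sending to the limited broadcast address on
# udp/161, a normal DNS lookup, and a local AF_UNIX connect for contrast.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1550745600.101:301): arch=c000003e syscall=42 success=yes exit=0 a0=5 a1=7ffd2c1e0a30 a2=10 a3=0 items=0 ppid=1 pid=4321 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="discover-helper" exe="/usr/lib/example/discover-helper" key=(null)
type=SOCKADDR msg=audit(1550745600.101:301): saddr=020000A1FFFFFFFF0000000000000000
type=SYSCALL msg=audit(1550745600.250:302): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffd2c1e0b40 a2=10 a3=0 items=0 ppid=1 pid=999 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" key=(null)
type=SOCKADDR msg=audit(1550745600.250:302): saddr=02000035C0A802010000000000000000
type=SYSCALL msg=audit(1550745600.300:303): arch=c000003e syscall=42 success=yes exit=0 a0=4 a1=7ffd2c1e0c50 a2=6e a3=0 items=0 ppid=1 pid=777 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="getent" exe="/usr/bin/getent" key=(null)
type=SOCKADDR msg=audit(1550745600.300:303): saddr=01002F72756E2F6E7363642F736F636B657400
"""

# Event id "timestamp:serial" ties the SYSCALL and SOCKADDR records together.
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
# key=value pairs; values are either double-quoted or a run of non-spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

CONNECT_X86_64 = 42  # connect(2) on arch=c000003e; other arches differ


def parse_fields(line):
    """Turn one audit record into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_saddr(hex_saddr):
    """Decode the hex sockaddr from a SOCKADDR record into (family, dst, port)."""
    raw = bytes.fromhex(hex_saddr)
    if len(raw) < 2:
        return ("other", None, None)
    # sa_family is stored in host byte order; assumption: little-endian x86.
    family = struct.unpack("<H", raw[:2])[0]
    if family == socket.AF_INET:
        port = struct.unpack("!H", raw[2:4])[0]       # network order
        return ("inet", socket.inet_ntoa(raw[4:8]), port)
    if family == socket.AF_INET6:
        port = struct.unpack("!H", raw[2:4])[0]
        return ("inet6", socket.inet_ntop(socket.AF_INET6, raw[8:24]), port)
    if family == socket.AF_UNIX:
        path = raw[2:].split(b"\x00", 1)[0].decode(errors="replace")
        return ("unix", path, None)
    return ("other", None, None)


def parse_connects(log_text, syscall_nr=CONNECT_X86_64):
    """Pair each connect() SYSCALL record with its SOCKADDR record by event id."""
    syscalls, sockaddrs = {}, {}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        event_id = m.group(1)
        fields = parse_fields(line)
        if fields.get("type") == "SYSCALL" and fields.get("syscall") == str(syscall_nr):
            syscalls[event_id] = fields
        elif fields.get("type") == "SOCKADDR":
            sockaddrs[event_id] = fields.get("saddr", "")
    rows = []
    for event_id, sc in syscalls.items():
        family, dst, port = decode_saddr(sockaddrs.get(event_id, ""))
        rows.append({
            "event": event_id,
            "pid": int(sc.get("pid", 0)),
            "comm": sc.get("comm"),
            "exe": sc.get("exe"),
            "family": family,
            "dst": dst,
            "port": port,
        })
    return rows


def broadcast_connects(log_text):
    """Only the connects aimed at the limited broadcast address 255.255.255.255."""
    return [r for r in parse_connects(log_text) if r["dst"] == "255.255.255.255"]


if __name__ == "__main__":
    # Usage: python3 audit_connects.py < /var/log/audit/audit.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    for r in parse_connects(text):
        print(f"{r['event']} pid={r['pid']} {r['exe']} -> {r['family']} {r['dst']} {r['port']}")
```

Reading the output for the sample shows the point of Reco's method: the pcap only tells you that 192.168.2.117 broadcast SNMP, whereas the paired audit records name the pid and executable that made the call. On a real box, feed the file through stdin and look for rows whose destination is the broadcast address, then follow the exe back to the package that installed it.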