[lug] port 220 progress

D. Stimits stimits at comcast.net
Wed Jan 21 19:00:11 MST 2004

I just thought people might be interested in some of my testing. I'm not 
done yet, but I have a lot more info.

As it turns out, I get the same supposedly outgoing packets even when 
the machine boots windows 2000, and not linux.

Last night the cable company randomly decided to do some maintenance, 
and cable was unavailable for about 4 hours past when they said it would 
be ready. After that, they had changed so many details (including 
subnets of dhcp servers) that it took half the day to get things back. 
During that time, I went ahead and opened up some rules and logged 
absolutely everything. Not a single attempt on that port at all. Traffic 
concerning 6129 and 220 disappeared on all machines.

Well, I got curious, because I now had to solve dhcp server changes, as 
well as changes in the dhcp ip of a couple (but not all) local machines. 
During this time I used tcpdump to look at broadcast traffic (dhcp 
initially uses broadcast). I ended up seeing my IP even when the machine 
was turned off and unplugged! I believe someone is spoofing cable 
addresses and attacking the hardware as other LUG users have mentioned, 
e.g., this was one article mentioned earlier:

In summary, at this point it is strongly suggesting Dameware Remote 
Admin is being attacked, and that address spoofing is involved, with 
some of the result being that my bridge is seeing things that it thinks 
are local. Sort of like when windows gets a virus, then spoofs someone 
else's email to send copies of itself out...then the real holder of the 
email address gets all the bounce messages.

I still plan to completely overhaul everything here, I really don't like 
all the problems I've had finding this. And someone out there is still 
spoofing me and I don't think I can do anything about it. I'm going to 
be reinstalling some machines in need of KRUD 9 anyway, maybe I'll test 
a Debian install on one as well. I'm thinking of also upgrading the 
bridge to use MAC addresses, and then in addition to MAC address 
filtering, having it *also* filter by IP.

D. Stimits, stimits AT comcast DOT net

PS: My 3rd video card works perfectly...it is so crystal clear compared 
to the failing video card, it is incredible. This is also a GeForce 
card, and plugged in as a direct replacement to the old GeForce card of 
earlier model...without changing a single config line it runs hardware 

More information about the LUG mailing list