[lug] port 220 progress
stimits at comcast.net
Wed Jan 21 19:00:11 MST 2004
I just thought people might be interested in some of my testing. I'm not
done yet, but I have a lot more info.
As it turns out, I get the same supposedly outgoing packets even when
the machine boots Windows 2000, and not Linux.
Last night the cable company randomly decided to do some maintenance,
and cable was unavailable for about 4 hours past when they said it would
be ready. After that, they had changed so many details (including
subnets of DHCP servers) that it took half the day to get things back.
During that time, I went ahead and opened up some rules and logged
absolutely everything. Not a single attempt on that port at all. Traffic
concerning 6129 and 220 disappeared on all machines.
Well, I got curious, because I now had to solve DHCP server changes, as
well as changes in the DHCP IP of a couple (but not all) local machines.
During this time I used tcpdump to look at broadcast traffic (DHCP
initially uses broadcast). I ended up seeing my IP even when the machine
was turned off and unplugged! I believe someone is spoofing cable
addresses and attacking the hardware as other LUG users have mentioned,
e.g., this was one article mentioned earlier:
In summary, at this point it is strongly suggesting Dameware Remote
Admin is being attacked, and that address spoofing is involved, with
some of the result being that my bridge is seeing things that it thinks
are local. Sort of like when Windows gets a virus, then spoofs someone
else's email to send copies of itself out... then the real holder of the
email address gets all the bounce messages.
I still plan to completely overhaul everything here; I really don't like
all the problems I've had finding this. And someone out there is still
spoofing me and I don't think I can do anything about it. I'm going to
be reinstalling some machines in need of KRUD 9 anyway, maybe I'll test
a Debian install on one as well. I'm thinking of also upgrading the
bridge to use MAC addresses, and then in addition to MAC address
filtering, having it *also* filter by IP.
D. Stimits, stimits AT comcast DOT net
PS: My 3rd video card works perfectly...it is so crystal clear compared
to the failing video card, it is incredible. This is also a GeForce
card, and plugged in as a direct replacement to the old GeForce card of
earlier model...without changing a single config line it runs hardware
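The checks the post is circling around (a local IP showing up on the wire while that machine is unplugged, and hits on ports 220 and 6129) can be scripted against a capture. The following is an added example, not code from the post or from the poster; it assumes tcpdump was run with -e so each line carries the Ethernet source MAC, and the inventory, offline list and sample lines are constructed placeholders, not the poster's real network.

```python
import re

# Constructed LAN inventory: expected MAC per local IP, hosts known to be
# powered off right now, and the ports the post is tracking (placeholders).
KNOWN_MAC = {"10.0.0.5": "00:11:22:33:44:55", "10.0.0.9": "00:11:22:33:44:66"}
OFFLINE = {"10.0.0.5"}
WATCH_PORTS = {220, 6129}

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
HDR_RE = re.compile(rf"^(?P<ts>\S+)\s+(?P<smac>{MAC}) > {MAC},")
IP4 = r"\d+(?:\.\d+){3}"
IP_RE = re.compile(rf"(?P<sip>{IP4})\.\d+ > (?P<dip>{IP4})\.(?P<dport>\d+):")
ARP_RE = re.compile(rf"arp .*?tell (?P<sip>{IP4})")

def parse(line):
    """Return (ts, src_mac, claimed_src_ip, dst_ip, dst_port) from one
    tcpdump -e line (IPv4 or ARP request), or None if it is neither."""
    line = line.lower()          # MACs/keywords case-insensitive; IPs unaffected
    h = HDR_RE.match(line)
    if not h:
        return None
    m = IP_RE.search(line)
    if m:
        return h["ts"], h["smac"], m["sip"], m["dip"], int(m["dport"])
    m = ARP_RE.search(line)
    if m:
        return h["ts"], h["smac"], m["sip"], None, None
    return None

def analyze(lines):
    """Flag a claimed source IP whose MAC disagrees with the inventory,
    traffic claiming the IP of a host that is off, and watched-port hits."""
    findings = []
    for p in filter(None, map(parse, lines)):
        ts, smac, sip, dip, dport = p
        if sip in KNOWN_MAC and KNOWN_MAC[sip] != smac:
            findings.append((ts, "mac-mismatch", sip, smac))
        if sip in OFFLINE:
            findings.append((ts, "offline-host-ip", sip, smac))
        if dport in WATCH_PORTS:
            findings.append((ts, "watched-port", dip, dport))
    return findings

# Constructed sample capture in tcpdump -e style; not real traffic.
SAMPLE = [
    "19:00:11.000001 00:11:22:33:44:66 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 10.0.0.9.1034 > 10.0.0.5.80: Flags [S], seq 1, win 8192, length 0",
    "19:00:12.000002 00:de:ad:be:ef:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.9 tell 10.0.0.5, length 28",
    "19:00:13.000003 00:de:ad:be:ef:01 > 00:11:22:33:44:66, ethertype IPv4 (0x0800), length 74: 10.0.0.5.2201 > 10.0.0.9.6129: Flags [S], seq 2, win 8192, length 0",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(*f)
```

The second and third sample lines claim 10.0.0.5 from a MAC that is not in the inventory while that host is marked off, which is exactly the "my IP while the machine is unplugged" symptom; the third also hits port 6129.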