Re: what was this hacker trying to do?

From: Berk S. Daemon (someone@somewhere.com)
Date: 05/01/02


From: "Berk S. Daemon" <someone@somewhere.com>
Date: Wed, 01 May 2002 08:15:14 GMT


"J H" <h_jin3@hotmail.com> wrote in message
news:2096abd2.0204302156.6d8c0e9c@posting.google.com...
> h_jin3@hotmail.com (J H) wrote in message
news:<2096abd2.0204292019.7020114b@posting.google.com>...
> > I'm checking my router logs and I see some attempts to connect to my
> > public IP on port 137 - (I immediately go and add these suspicious IPs
> > to the completely blocked list on Sygate).
> >
> > On one of these attempts to connect on port 137 I see the destination
> > was 192.168.0.2 - hmmm. I imagine this guy was guessing that my
> > router's internal ip was 192.168.0.1 and that my server / pc was on
> > 192.168.0.2 eh? Is it possible to connect across the NAT this way?
>
> <snip>
>
> Thanks for taking an interest. The destination IP of 192.168.0.2 on
> the router's external interface doesn't make sense. BTW the source IP
> is a valid Internet Public IP and is not local to my public subnet, I
> looked it up (arin whois). A packet with destination IP of
> 192.168.0.2 should just drop dead on the Internet, no? I mean what
> does a router do when it sees a packet that says it wants to go to
> 192.168.0.2? There shouldn't be a route for that. I know spoofing
> changes the source to 192.168.x.x but the destination is still a valid
> public IP so I can understand that working.
>
> Hmmm.. I just thought of something. This is the only thing I could
> think of. The source address is spoofed to a nonlocal public ip, the
> actual hacker is on my local IP subnet and sets their default gateway
> to my public ip and sends out a packet with IP of 192.168.0.2
> (nonlocal to him) and it hits my router trying to get to destination
> of 192.168.0.2. They are hoping my router will reverse NAT the
> 192.168. address and route it to my internal network. Otherwise I
> can't see how a packet from the Internet came to me if it hit several
> internet routers along the way with that destination IP.

Many utils can do things like this, or crafty network programmers can easily
do something like this. Generally, from the external side RFC 1918 nets
should be blocked, destined inbound from internet side.
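
The check recommended in the reply above, as an added example that is not part of the original post: a small audit that flags packets logged on the external interface whose destination or source falls in an RFC 1918 range. The log format, the interface name `wan` and the sample lines are constructed assumptions, not taken from any particular router.

```python
import ipaddress

# RFC 1918 private ranges; these are not routable on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, hypothetical format:
#   <iface> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>
SAMPLE_LOG = """\
wan udp 203.0.113.45:1027 -> 198.51.100.7:137
wan udp 203.0.113.45:1027 -> 192.168.0.2:137
wan tcp 10.1.2.3:4000 -> 198.51.100.7:80
lan udp 192.168.0.2:137 -> 192.168.0.255:137
wan tcp 203.0.113.9:51000 -> 198.51.100.7:443
"""

def is_rfc1918(addr):
    """True if addr lies inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_line(line):
    """Split one log line into (iface, proto, src_ip, sport, dst_ip, dport)."""
    iface, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return iface, proto, src_ip, int(src_port), dst_ip, int(dst_port)

def audit(log_text, wan_iface="wan"):
    """Return (reason, line) for WAN-side packets that should be dropped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        iface, _proto, src_ip, _sport, dst_ip, _dport = parse_line(line)
        if iface != wan_iface:
            continue  # private addresses are expected on the LAN side
        if is_rfc1918(dst_ip):
            # The case from the thread: private destination seen on the WAN port.
            findings.append(("private-destination", line))
        elif is_rfc1918(src_ip):
            findings.append(("private-source", line))
    return findings

if __name__ == "__main__":
    for reason, line in audit(SAMPLE_LOG):
        print(f"DROP {reason}: {line}")
```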

