Investigating Hacker, Worm, or Backdoor
From: dougga (dontsendhere_at_spam.org)
Date: 11/08/04
- Next message: xpyttl: "Re: Folder protection"
- Previous message: Walter Roberson: "Re: * VPN and NAT Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 08 Nov 2004 11:54:27 -0800
I've been investigating a strange lease on one of my DHCP servers that should
not be there for any legitimate reason.
The DHCP server is embedded within my firewall: Astaro Security Linux v5
which I've felt is a robust and secure system. I'm puzzled about what I'm
seeing here, though.
Here are the logs from the server:
2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0
2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)
In my investigation I've run into several people throughout the world who
have seen this exact MAC address and many reports of this same host name,
"detective". I'm beginning to suspect a hacker, a backdoor on the
firewall, a worm of some kind, or a Microsoft security "feature". No way
to tell.
Here are links to some of the folks who have reported similar findings:
http://archives.neohapsis.com/archives/openbsd/2004-06/1581.html
http://www.ixus.net/resume_messages.php?topic=13792 [in French]
http://www.experts-exchange.com/Networking/Q_21070857.html
If you have access to your company's dhcp server, you might take a quick
look at the logs.
Here's my network setup:
Astaro Security Linux (Firewall) (3 interfaces: wireless, internal & external)
SuSE Linux 9.1 Server
SuSE Linux 9.1 Workstation
Windows Server 2003 Test Server (now running "for small Business" package)
Windows XP/SuSE Linux 9.1 Workstation
Can anyone help shed some light on this?
Much thanks for any help
D
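One quick check a reader can run against their own dhcpd logs before guessing at worm versus backdoor. The script below is an added example, not code from the original post or from Astaro: it parses ISC dhcpd DHCPDISCOVER/DHCPOFFER/DHCPACK lines, groups them by client hardware address, and flags any address whose first octet has the IEEE 802 I/G (group) bit set, because a burned-in unicast NIC address can never have that bit set. The address quoted in the post, 4d:c8:43:bb:8b:a6, has 0x4d as its first octet and so does get flagged; what produced that frame is not something the log alone establishes. The sample log consists of the two lines from the post plus constructed benign lines, and the optional `known_ouis` site inventory is a hypothetical parameter you would fill from your own asset list.

```python
"""Triage ISC dhcpd log lines: collect the hardware addresses the server
answered and flag ones that cannot be a real NIC's unicast address.

Added example for this thread; not the original poster's code and not
part of Astaro Security Linux.  Sample log lines are constructed (the
first two copy the post, the rest are made up for contrast).
"""
import re
from collections import defaultdict

# ISC dhcpd message shapes.  The Astaro timestamp and "(none) dhcpd:"
# prefix are skipped by searching rather than matching from line start.
DISCOVER = re.compile(r"dhcpd: DHCPDISCOVER from ([0-9a-f:]{17}) via (\S+)")
OFFER = re.compile(
    r"dhcpd: DHCP(?:OFFER|ACK) on (\S+) to ([0-9a-f:]{17})(?: \(([^)]*)\))?"
)

SAMPLE_LOG = [
    # the two lines quoted in the post
    "2004:11:01-12:46:32 (none) dhcpd: DHCPDISCOVER from 4d:c8:43:bb:8b:a6 via eth0",
    "2004:11:01-12:46:33 (none) dhcpd: DHCPOFFER on 10.1.255.254 to 4d:c8:43:bb:8b:a6 (detective)",
    # constructed benign workstation lease for contrast
    "2004:11:01-12:50:01 (none) dhcpd: DHCPDISCOVER from 00:0c:29:12:34:56 via eth0",
    "2004:11:01-12:50:01 (none) dhcpd: DHCPOFFER on 10.1.0.50 to 00:0c:29:12:34:56 (suse-ws)",
    "2004:11:01-12:50:02 (none) dhcpd: DHCPACK on 10.1.0.50 to 00:0c:29:12:34:56 (suse-ws) via eth0",
]


def classify_mac(mac):
    """Decode the two IEEE 802 flag bits in the first octet of a MAC.

    bit 0 (I/G): 1 means group/multicast; impossible for a station's own
                 burned-in address, so a source MAC with it set is bogus.
    bit 1 (U/L): 1 means locally administered (VMs, wireless bridges,
                 deliberately chosen addresses); not suspicious by itself.
    """
    first = int(mac.split(":")[0], 16)
    return {"group": bool(first & 0x01), "local": bool(first & 0x02)}


def parse_dhcpd(lines):
    """Group DISCOVER/OFFER/ACK events by client hardware address."""
    clients = defaultdict(lambda: {"ips": [], "hostnames": set(), "ifaces": set()})
    for line in lines:
        m = DISCOVER.search(line)
        if m:
            mac, iface = m.groups()
            clients[mac]["ifaces"].add(iface)
            continue
        m = OFFER.search(line)
        if m:
            ip, mac, host = m.groups()
            if ip not in clients[mac]["ips"]:
                clients[mac]["ips"].append(ip)
            if host:
                clients[mac]["hostnames"].add(host)
    return clients


def triage(lines, known_ouis=frozenset()):
    """Return one report entry per client MAC with the reasons it is odd.

    known_ouis is a hypothetical site inventory of the first three octets
    ("00:0c:29") you expect on the LAN; leave it empty to skip that check.
    """
    report = []
    for mac, info in parse_dhcpd(lines).items():
        bits = classify_mac(mac)
        reasons = []
        if bits["group"]:
            reasons.append("I/G bit set: not a valid unicast hardware address")
        if known_ouis and not bits["local"] and mac[:8] not in known_ouis:
            reasons.append("OUI not in site inventory")
        report.append({
            "mac": mac,
            "hostnames": sorted(info["hostnames"]),
            "ips": info["ips"],
            "ifaces": sorted(info["ifaces"]),
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        flag = "SUSPECT" if entry["suspicious"] else "ok     "
        print(flag, entry["mac"], entry["hostnames"], entry["ips"], entry["reasons"])
```

To run it against a real box, feed `triage()` the lines from the firewall's dhcpd log instead of `SAMPLE_LOG`; a flagged address only tells you the frame did not come from an ordinary NIC's burned-in address, so the next step is to find which switch port or wireless association it arrived on, not to conclude what software sent it.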