Re: A beginner Q: Tracking a hacker
From: Frank Thyes (frank.thyes@consol.de)
Date: 03/07/02
From: Frank Thyes <frank.thyes@consol.de> Date: Thu, 07 Mar 2002 16:31:59 +0100
Yaacov Fried wrote:
>
> On my Unix Machine (Redhat 7.1), I have noticed (using tcpdump) that someone
> is trying to poke around with a source IP address 172.23.5.228.
What do you mean by poke around? Where have you seen this
address?
> AFAIK, this address is not routable. Is it a spoofed source address ?
> So, how does he/she get the responses back ?
If it's really a spoofed address he gets no response (blind
spoofing).
> Since our LAN has no connection to the outside world, it must be someone
> from inside the LAN, using tcpdump I know the MAC address associated with
> this IP.
Why should someone who is already in the internal network
spoof his own address? The only reason is if you have an
internal firewall which cuts the user-net from the
accountancy-net or other important internal networks
(development).
> Is it the MAC address of the nearest router ?
I think so
> Is there any tool that translate MAC to IP (I think 'arp' is useless in this
> case)
arp -a, but if you'd like to translate all addresses, do a ping
on the broadcast address first.
>
> Thanks
>
> Jacob Fried
Cheers
Frank
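
The MAC-to-IP lookup discussed in this reply, as an added example that is not part of the original message: it parses `arp -a` style output and returns the IP addresses cached for a MAC address seen in tcpdump. The sample table, host names, addresses and function names are constructed for illustration.

```python
import re

# Constructed `arp -a` style sample (not from the original post). The last
# line uses the unpadded octets that some BSD-derived arp tools print.
SAMPLE_ARP_A = """\
gw.example.lan (192.168.10.1) at 00:00:5E:00:53:01 [ether] on eth0
? (192.168.10.23) at 00:00:5e:00:53:17 [ether] on eth0
? (192.168.10.40) at <incomplete> on eth0
build1.example.lan (192.168.10.77) at 0:0:5e:0:53:4c [ether] on eth0
"""

ENTRY = re.compile(r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>\S+)")


def normalize_mac(mac):
    """Lower-case, accept ':' or '-' separators, zero-pad each octet."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)


def parse_arp(output):
    """Return {mac: [(ip, name), ...]}, skipping unresolved entries."""
    table = {}
    for line in output.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        try:
            mac = normalize_mac(m.group("mac"))
        except ValueError:
            continue  # "<incomplete>": the host never answered an ARP request
        table.setdefault(mac, []).append((m.group("ip"), m.group("name")))
    return table


def ips_for_mac(output, mac):
    """IP addresses the ARP cache currently associates with this MAC."""
    return [ip for ip, _ in parse_arp(output).get(normalize_mac(mac), [])]


if __name__ == "__main__":
    seen = "00-00-5E-00-53-17"  # constructed MAC, as copied from a capture
    print(seen, "->", ips_for_mac(SAMPLE_ARP_A, seen) or "not in ARP cache")
```

An empty result means the MAC is not in the local ARP cache yet; a match on the gateway's entry means the frames arrived through that router rather than from a host on the local segment.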