
Re: [Full-disclosure] can you answer this?



aah doom has aspergers.. that explains a lot :)

On 3 Feb 2012 22:10, doomxd@xxxxxxxxx <doomxd@xxxxxxxxx> wrote:

> Arserspeage.haha.
> Fku lamer.
>
> ----- Reply message -----
> From: "Zach C." <fxchip@xxxxxxxxx>
> To: <james@xxxxxxxxxxxxxxxxxxxx>
> Cc: "funsec" <funsec@xxxxxxxxxxxx>, "RandallM" <randallm@xxxxxxxxxxx>, <
> full-disclosure@xxxxxxxxxxxxxxxxx>, <
> full-disclosure-bounces@xxxxxxxxxxxxxxxxx>
> Subject: [Full-disclosure] can you answer this?
> Date: Fri, Feb 3, 2012 8:04 pm
>
>
> The original message reads thus:
>
> > i was working with cleaning up "any to any" on fw. ran across inside
> > ips doing netbios (NS) , and one using port 4330 to 7.8.0.106, or
> > .107.
> >
> > a whois gives .mil DoD Network Information Center.
> >
> > ?
> >
> > we are just a manufacturing company. One ip is from a NAS device for
> > storage. The other is DNS server
>
> I expect it's supposed to read like this:
>
> "I was working on cleaning up my 'any to any' rulesets on my firewall and
> I ran across internal IPs using the NetBIOS protocol, which is unexpected
> behavior. One of my internal hosts also appears to be attempting to connect
> to 7.8.0.106 or 7.8.0.107 on port 4330. A WHOIS lookup tells me that those
> IPs belong to the IP range owned by the U.S. Department of Defense.
>
> What is going on? We're just a manufacturing company. One of the IPs
> participating in this traffic is supposed to be network storage, while the
> other is supposed to just do DNS."
>
> And because no one answered him, he decided to try another line of inquiry:
>
> "My firewall logs have also picked up traffic from our internal trusted
> network to an external untrusted network with entries such as:
>
> 2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
> 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
>
> It was denied. What is happening here?"
>
> I have no idea what's happening there; I'd suggest looking at the machines
> for strange activity, maybe doing some tcpdumps and seeing if you can trace
> back any of the packets you find to any of your machines. But I can't think
> of any reason your internal machines should be trying to connect to those
> hosts. (Especially considering those hosts may not exist!)
>
> On Fri, Feb 3, 2012 at 12:31 AM, <james@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> So what's the question?
>>
>> ------Original Message------
>> From: RandallM
>> Sender: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>> To: funsec
>> To: full-disclosure@xxxxxxxxxxxxxxxxx
>> Subject: [Full-disclosure] can you answer this?
>> Sent: 3 Feb 2012 08:20
>>
>> since no one could answer the last one how bout this. In my FW log
>> Trust (our 10.0.0.0 network) to untrust picked this up:
>>
>> 2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0
>> 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
>>
>> My "any" to "any" denied queue.
>>
>> --
>> been great, thanks
>> RandyM
>> a.k.a System
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> Sent from my BlackBerry® wireless device
>>
>
>
>
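The denied-traffic entry quoted in the thread, together with the advice to tcpdump the offending hosts, lends itself to a small triage script. The block below is an added example, not code from anyone in this thread: it parses lines in the format quoted above (the meaning of the fields after the two endpoint pairs is assumed), flags the entries worth chasing (destination in 7.0.0.0/8, the range the poster's WHOIS lookup attributed to the DoD Network Information Center; a source outside the 10.0.0.0/8 trust zone; a DHCP client request, UDP 68 to 67, aimed at a subnet broadcast; NetBIOS name service on port 137), and builds a tcpdump filter that captures the same packets on the inside interface. Only the first sample line is from the thread; the other lines, the TRUSTED and WATCHLIST values, the service-to-protocol map and the /24 assumption are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example (not from the thread): parse firewall deny-log lines in the
# format quoted above and flag the ones worth chasing with tcpdump.

# Only the first line is from the thread; the rest are constructed to
# exercise the checks (addresses, ports and the "Allowed" action are made up).
SAMPLE_LOG = """\
2012-02-02 10:08:10 7.254.254.254:68 7.254.254.255:67 0.0.0.0:0 0.0.0.0:0 DHCP 0 sec. 0 0 Traffic Denied
2012-02-02 10:09:41 10.0.1.25:49152 7.8.0.106:4330 0.0.0.0:0 0.0.0.0:0 TCP 1 sec. 0 0 Traffic Denied
2012-02-02 10:09:42 10.0.1.40:137 10.0.1.255:137 0.0.0.0:0 0.0.0.0:0 NETBIOS 0 sec. 0 0 Traffic Denied
2012-02-02 10:10:03 10.0.1.25:55000 192.0.2.53:53 0.0.0.0:0 0.0.0.0:0 DNS 0 sec. 0 0 Traffic Allowed
"""

# Field layout assumed from the quoted line: timestamp, src:port, dst:port,
# two translated endpoints (0.0.0.0:0 when no NAT applied), service name,
# duration, two counters, action.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"[\d.]+:\d+ [\d.]+:\d+ "
    r"(?P<service>\S+) (?P<duration>\d+) sec\. \d+ \d+ "
    r"Traffic (?P<action>\w+)$"
)

TRUSTED = ipaddress.ip_network("10.0.0.0/8")  # the "Trust" zone named in the thread
# Prefixes whose WHOIS record makes traffic to them suspicious for this site.
# 7.0.0.0/8 is what the poster's WHOIS lookup pointed at; the list is an
# example input, not a claim about what should be blocked.
WATCHLIST = {"dod-nic-per-whois": ipaddress.ip_network("7.0.0.0/8")}

# Assumed mapping from the log's service column to a BPF protocol keyword.
SERVICE_PROTO = {"DHCP": "udp", "DNS": "udp", "NETBIOS": "udp", "UDP": "udp", "TCP": "tcp"}


@dataclass
class Record:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    service: str
    action: str


def parse_line(line):
    """Parse one log line into a Record, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(m["ts"], ipaddress.ip_address(m["src"]), int(m["sport"]),
                  ipaddress.ip_address(m["dst"]), int(m["dport"]),
                  m["service"], m["action"])


def flags(rec):
    """Return the reasons this record deserves a look (empty list = boring)."""
    out = []
    for name, net in WATCHLIST.items():
        if rec.dst in net:
            out.append(f"dst-in-{name}")
    if rec.src not in TRUSTED:
        # Seen on the trust->untrust path, yet the source is not a 10/8
        # address: something inside is using address space you do not own.
        out.append("src-outside-trusted")
    if rec.sport == 68 and rec.dport == 67:
        out.append("dhcp-client")
        # Assuming a /24 on the sending host: is the destination that subnet's
        # directed broadcast? (7.254.254.255 for a host at 7.254.254.254/24)
        subnet = ipaddress.ip_network(f"{rec.src}/24", strict=False)
        if rec.dst == subnet.broadcast_address:
            out.append("dhcp-to-subnet-broadcast")
    if rec.dport == 137:
        out.append("netbios-ns")
    return out


def tcpdump_filter(rec):
    """BPF expression that catches the same packets on the inside interface."""
    proto = SERVICE_PROTO.get(rec.service.upper(), "ip")
    return f"{proto} and src host {rec.src} and dst host {rec.dst} and dst port {rec.dport}"


def analyze(log_text):
    """Return (record, flags, bpf) for every parsable line that raised a flag."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = flags(rec)
        if f:
            results.append((rec, f, tcpdump_filter(rec)))
    return results


if __name__ == "__main__":
    for rec, f, bpf in analyze(SAMPLE_LOG):
        print(f"{rec.ts} {rec.src}:{rec.sport} -> {rec.dst}:{rec.dport} {rec.service} {rec.action}")
        print("   flags:", ", ".join(f))
        print("   tcpdump -e -n -i <inside-if> '" + bpf + "'")
```

Run the printed tcpdump command with -e on the inside interface so the link-layer header is shown: for the DHCP entry the source MAC identifies the sending machine even though 7.254.254.254 is not an address this site handed out, which is the "trace back to your machines" step the reply above suggests.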