From: marc0 <marc0@autistici.org>
Date: Fri, 07 Nov 2003 16:11:40 +0100
Subject: [hackmeeting] networking, (winmx, netbios, telnet) (LONG)
I don't know much about networking, so if someone can help me...
I'm getting a pile of little packets, which isn't normal for me; can someone
enlighten me as to what's going on?
Mostly on UDP port 3017 (the packet contains the string winmx), plus some
NetBIOS requests, and I also see the string telnet... dunno.
Right now I'm about to send death threats to the various hosts, but I'll wait
a bit...
FROM SYSLOG:
Nov 7 15:49:09 localhost pppd[1757]: local IP address 80.183.0.108
Nov 7 15:49:09 localhost pppd[1757]: remote IP address 192.168.100.1
Nov 7 15:49:09 localhost pppd[1757]: primary DNS address 62.211.69.150
Nov 7 15:49:09 localhost pppd[1757]: secondary DNS address 212.48.4.15
SOME NAMES:
marco@localhost:/tmp$ host 212.216.172.62
62.172.216.212.in-addr.arpa domain name pointer ns1.tin.it.
marco@localhost:/tmp$ host 80.183.0.108
108.0.183.80.in-addr.arpa domain name pointer host108-0.pool80183.interbusiness.it.
^^^^^^^^^^^^^^^^^
ME ME ME ME ME ME
marco@localhost:/tmp$ host 212.216.112.112
112.112.216.212.in-addr.arpa domain name pointer ns4.tin.it.
marco@localhost:/tmp$ host 80.183.99.252
252.99.183.80.in-addr.arpa domain name pointer host252-99.pool80183.interbusiness.it.
marco@localhost:/tmp$ host 192.168.100.1
Host 1.100.168.192.in-addr.arpa not found: 3(NXDOMAIN)
marco@localhost:/tmp$ host 224.0.0.13
13.0.0.224.in-addr.arpa domain name pointer PIM-ROUTERS.MCAST.NET.
marco@localhost:/tmp$
TCPDUMP
localhost:~# tcpdump -i ppp0
tcpdump: listening on ppp0
15:49:24.539251 212.216.172.62.domain > 80.183.0.108.3017: 429 1/3/0 A 64.246.1.37 (119) (DF)
15:49:24.539321 80.183.0.108 > 212.216.172.62: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:24.609254 212.216.112.112.domain > 80.183.0.108.3017: 429 1/3/1 A 64.246.1.37 (135)
15:49:24.609316 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:31.637982 80.183.99.252.1025 > 80.183.0.108.1346: R 0:0(0) ack 1251672065 win 0
15:49:32.557813 212.216.112.112.domain > 80.183.0.108.3017: 430 1/3/1 A 216.127.74.62 (135)
15:49:32.557878 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:35.926241 212.216.112.112.domain > 80.183.0.108.3017: 430 1/3/3 A 216.127.74.62 (167) (DF)
15:49:35.926312 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:36.467184 212.216.172.62.domain > 80.183.0.108.3017: 430 1/3/2 A 216.127.74.62 (151) (DF)
15:49:36.467248 80.183.0.108 > 212.216.172.62: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:36.677058 212.216.112.112.domain > 80.183.0.108.3017: 430 1/3/3 A 216.127.74.62 (167) (DF)
15:49:36.677123 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:37.289826 80.183.0.108.1057 > 62.211.69.150.domain: 8998+ PTR? 62.172.216.212.in-addr.arpa. (45) (DF)
15:49:37.336992 62.211.69.150.domain > 80.183.0.108.1057: 8998 1/3/2 PTR[|domain] (DF)
15:49:38.556722 212.216.112.112.domain > 80.183.0.108.3017: 430 1/3/3 A 216.127.74.62 (167) (DF)
15:49:38.556791 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:39.266570 192.168.100.1 > 224.0.0.13: pim v2 Hello (Hold-time 1m45s) (Genid: 0x00000446) (OLD-DR-Priority: 1) (State Refresh Capable ?0x1000000?) [tos 0xc0] [ttl 1]
15:49:40.436361 212.216.172.62.domain > 80.183.0.108.3017: 430 1/3/2 A 216.127.74.62 (151) (DF)
15:49:40.436431 80.183.0.108 > 212.216.172.62: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:49.414734 212.216.112.112.domain > 80.183.0.108.3017: 431 1/3/1 A 66.132.146.48 (135)
15:49:49.414801 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:50.584516 212.216.112.112.domain > 80.183.0.108.3017: 431 1/3/3 A 66.132.146.48 (167) (DF)
15:49:50.584583 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:52.334201 212.216.172.62.domain > 80.183.0.108.3017: 431 1/3/2 A 66.132.146.48 (151) (DF)
15:49:52.334270 80.183.0.108 > 212.216.172.62: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:52.844086 212.216.112.112.domain > 80.183.0.108.3017: 431 1/3/0 A 66.132.146.48 (119) (DF)
15:49:52.844154 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:54.723763 212.216.112.112.domain > 80.183.0.108.3017: 431 1/3/0 A 66.132.146.48 (119) (DF)
15:49:54.723833 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:56.323460 212.216.172.62.domain > 80.183.0.108.3017: 431 1/3/0 A 66.132.146.48 (119) (DF)
15:49:56.323526 80.183.0.108 > 212.216.172.62: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:58.573063 212.216.112.112.domain > 80.183.0.108.3017: 431 1/3/3 A 66.132.146.48 (167) (DF)
15:49:58.573130 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
15:49:58.593106 127.0.0.1.www > 80.183.0.108.1152: R 0:0(0) ack 72744961 win 0
35 packets received by filter
0 packets dropped by kernel
localhost:~#
localhost:~# tcpdump -X -i ppp0
tcpdump: listening on ppp0
15:50:29.317446 127.0.0.1.www > 80.183.0.108.1702: R 0:0(0) ack 1577648129 win 0
0x0000 4500 0028 82bb 0000 7806 eff0 7f00 0001 E..(....x.......
0x0010 50b7 006c 0050 06a6 0000 0000 5e09 0001 P..l.P......^...
0x0020 5014 0000 7aac 0000 P...z...
15:50:32.166949 212.216.112.112.domain > 80.183.0.108.3017: 433 1/3/3 A 64.246.15.43 (167) (DF)
0x0000 4500 00c3 724f 4000 f511 7c6e d4d8 7070 E...rO@...|n..pp
0x0010 50b7 006c 0035 0bc9 00af e131 01b1 8180 P..l.5.....1....
0x0020 0001 0001 0003 0003 0563 3333 3139 057a .........c3319.z
0x0030 3133 3033 0577 696e 6d78 0363 6f6d 0000 1303.winmx.com..
0x0040 0100 01c0 0c00 0100 0100 0024 4c00 0440 ...........$L..@
0x0050 f60f 2bc0 1800 0200 0100 002f 2400 1003 ..+......../$...
15:50:32.167017 80.183.0.108 > 212.216.112.112: icmp: 80.183.0.108 udp port 3017 unreachable [tos 0xc0]
0x0000 45c0 00df 4daf 0000 4001 9543 50b7 006c E...M...@..CP..l
0x0010 d4d8 7070 0303 9429 0000 0000 4500 00c3 ..pp...)....E...
0x0020 724f 4000 f511 7c6e d4d8 7070 50b7 006c rO@...|n..ppP..l
0x0030 0035 0bc9 00af e131 01b1 8180 0001 0001 .5.....1........
0x0040 0003 0003 0563 3333 3139 057a 3133 3033 .....c3319.z1303
0x0050 0577 696e 6d78 0363 6f6d 0000 0100 01c0 .winmx.com......
15:50:32.306922 80.183.51.190.2199 > 80.183.0.108.telnet: S 1553162236:1553162236(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 abb2 4000 7e06 7b7d 50b7 33be E..0..@.~.{}P.3.
0x0010 50b7 006c 0897 0017 5c93 5ffc 0000 0000 P..l....\._.....
0x0020 7002 4000 a849 0000 0204 05b4 0101 0402 p.@..I..........
15:50:32.307014 80.183.0.108.telnet > 80.183.51.190.2199: R 0:0(0) ack 1553162237 win 0 (DF)
0x0000 4500 0028 0000 4000 4006 6538 50b7 006c E..(..@.@.e8P..l
0x0010 50b7 33be 0017 0897 0000 0000 5c93 5ffd P.3.........\._.
0x0020 5014 0000 14fa 0000 P.......
15:50:32.816809 80.183.51.190.2199 > 80.183.0.108.telnet: S 1553162236:1553162236(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
0x0000 4500 0030 abbd 4000 7e06 7b72 50b7 33be E..0..@.~.{rP.3.
0x0010 50b7 006c 0897 0017 5c93 5ffc 0000 0000 P..l....\._.....
0x0020 7002 4000 a849 0000 0204 05b4 0101 0402 p.@..I..........
15:50:32.816871 80.183.0.108.telnet > 80.183.51.190.2199: R 0:0(0) ack 1 win 0 (DF)
0x0000 4500 0028 0000 4000 4006 6538 50b7 006c E..(..@.@.e8P..l
0x0010 50b7 33be 0017 0897 0000 0000 5c93 5ffd P.3.........\._.
0x0020 5014 0000 14fa 0000 P.......
[...]
15:50:41.115300 127.0.0.1.www > 80.183.0.108.1391: R 0:0(0) ack 1 win 0
0x0000 4500 0028 5074 0000 7806 2238 7f00 0001 E..(Pt..x."8....
0x0010 50b7 006c 0050 056f 0000 0000 50e5 0001 P..l.P.o....P...
0x0020 5014 0000 8907 0000 P.......
[...]
15:51:00.210848 127.0.0.1.www > 80.183.0.108.1071: R 0:0(0) ack 1146683393 win 0
0x0000 4500 0028 548d 0000 7806 1e1f 7f00 0001 E..(T...x.......
0x0010 50b7 006c 0050 042f 0000 0000 4459 0001 P..l.P./....DY..
0x0020 5014 0000 96d3 0000 P.......
[...]
15:51:07.639510 148.221.244.25.1026 > 80.183.0.108.netbios-ns:
>>> NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
0x0000 4500 004e fd58 0000 6911 7a2c 94dd f419 E..N.X..i.z,....
0x0010 50b7 006c 0402 0089 003a e18b 0100 0010 P..l.....:......
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141 .........CKAAAAA
0x0030 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040 4141 4141 4141 4141 4100 0021 0001 AAAAAAAAA..!..
15:51:07.639687 80.183.0.108 > 148.221.244.25: icmp: 80.183.0.108 udp port netbios-ns unreachable [tos 0xc0]
0x0000 45c0 006a 0966 0000 4001 9653 50b7 006c E..j.f..@..SP..l
0x0010 94dd f419 0303 d762 0000 0000 4500 004e .......b....E..N
0x0020 fd58 0000 6911 7a2c 94dd f419 50b7 006c .X..i.z,....P..l
0x0030 0402 0089 003a e18b 0100 0010 0001 0000 .....:..........
0x0040 0000 0000 2043 4b41 4141 4141 4141 4141 .....CKAAAAAAAAA
0x0050 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
localhost:~# nmap localhost
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1551 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp
111/tcp open sunrpc
1024/tcp open kdm
Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
localhost:~#
--
marc0@autistici.org - 0x4E8899C2
_______________________________________________
hackmeeting mailing list
hackmeeting@kyuzz.org
http://lists.kyuzz.org/mailman/listinfo/hackmeeting
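The quickest way to answer "what is this?" for the packets above is to decode the hex dumps tcpdump printed. The script below is an added example, not the poster's code: it transcribes two of the dumps from the post (the DNS reply to UDP 3017 and the netbios-ns query, with tcpdump's ASCII column removed), parses the IPv4 and UDP headers, and then parses the DNS-format message both services use, including RFC 1035 compression pointers and the NetBIOS first-level name encoding. It also handles the fact that only the first 96 bytes of the 195-byte DNS reply appear in the post, so parsing stops cleanly where the capture ends instead of throwing. The function names (`parse_hexdump`, `parse_dns_like`, `nbt_decode`, `describe`) and the returned field names are my own. Running it shows that the port-3017 packets are DNS answers (transaction id 433, `A 64.246.15.43`, matching tcpdump's summary line) for a name under winmx.com, sent to a port on which nothing is listening, which is why the host answers each one with an ICMP port unreachable; and that the netbios-ns packet is a broadcast node-status query (type 0x21) for the wildcard name `*`, the kind of query a host sends to enumerate NetBIOS names, which the host likewise rejects with ICMP because nothing listens on 137.

```python
"""Decode the UDP datagrams from the tcpdump -X dumps quoted in the post.

Added example, not the poster's code. Dumps are transcribed from the post
with the ASCII column removed; the DNS reply is a partial capture (96 of
195 bytes), the NetBIOS query is complete.
"""
import ipaddress
import struct

# Constructed from the post: DNS reply 212.216.112.112:53 -> 80.183.0.108:3017.
DNS_REPLY_DUMP = """
0x0000 4500 00c3 724f 4000 f511 7c6e d4d8 7070
0x0010 50b7 006c 0035 0bc9 00af e131 01b1 8180
0x0020 0001 0001 0003 0003 0563 3333 3139 057a
0x0030 3133 3033 0577 696e 6d78 0363 6f6d 0000
0x0040 0100 01c0 0c00 0100 0100 0024 4c00 0440
0x0050 f60f 2bc0 1800 0200 0100 002f 2400 1003
"""

# Constructed from the post: NBT query 148.221.244.25:1026 -> 80.183.0.108:137.
NBT_QUERY_DUMP = """
0x0000 4500 004e fd58 0000 6911 7a2c 94dd f419
0x0010 50b7 006c 0402 0089 003a e18b 0100 0010
0x0020 0001 0000 0000 0000 2043 4b41 4141 4141
0x0030 4141 4141 4141 4141 4141 4141 4141 4141
0x0040 4141 4141 4141 4141 4100 0021 0001
"""


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset group group ...' lines (ASCII column stripped) into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            for group in tokens[1:9]:            # at most eight 16-bit groups per line
                out += bytes.fromhex(group)
    return bytes(out)


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Minimal IPv4 + UDP header parse: addresses, ports, lengths, UDP payload."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 17:
        raise ValueError("not a UDP datagram")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "sport": sport, "dport": dport,
            "wire_len": total_len, "captured_len": len(pkt),
            "payload": pkt[ihl + 8:]}


def read_name(msg: bytes, off: int):
    """Read a DNS-style name at off, following RFC 1035 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of capture")
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                    # pointer is 2 bytes, name ends here
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        if off + length > len(msg):
            raise ValueError("label runs past end of capture")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return labels, (end if end is not None else off)


def parse_dns_like(msg: bytes) -> dict:
    """Parse a DNS / NetBIOS-NS message; stops cleanly where the capture ends."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    res = {"id": txid, "flags": flags, "response": bool(flags & 0x8000),
           "questions": [], "records": [], "truncated": False}
    off = 12
    try:
        for _ in range(qd):
            labels, off = read_name(msg, off)
            qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
            off += 4
            res["questions"].append({"labels": labels, "name": ".".join(labels), "type": qtype})
        for _ in range(an + ns + ar):            # answer, authority and additional sections
            labels, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) < rdlen:
                raise ValueError("rdata runs past end of capture")
            off += rdlen
            rec = {"name": ".".join(labels), "type": rtype, "ttl": ttl}
            if rtype == 1 and rdlen == 4:        # A record
                rec["address"] = str(ipaddress.IPv4Address(rdata))
            res["records"].append(rec)
    except (ValueError, struct.error):           # partial capture: keep what was parsed
        res["truncated"] = True
    return res


def nbt_decode(label: str) -> tuple:
    """First-level decode of a 32-char NetBIOS name: each byte is ('A'+hi)('A'+lo)."""
    raw = bytes(((ord(a) - 65) << 4) | (ord(b) - 65) for a, b in zip(label[0::2], label[1::2]))
    return raw[:15].rstrip(b"\x00 ").decode("ascii", "replace"), raw[15]  # (name, suffix)


def describe(dump: str) -> dict:
    """Return the fields a reader needs to understand one dumped datagram."""
    udp = parse_ipv4_udp(parse_hexdump(dump))
    msg = parse_dns_like(udp["payload"])
    info = {"src": udp["src"], "dport": udp["dport"], "txid": msg["id"],
            "response": msg["response"],
            "capture_complete": udp["captured_len"] >= udp["wire_len"],
            "fully_parsed": not msg["truncated"]}
    q = msg["questions"][0] if msg["questions"] else None
    if 137 in (udp["sport"], udp["dport"]) and q:     # NetBIOS name service
        name, suffix = nbt_decode(q["labels"][0])
        info.update(service="netbios-ns", name=name, suffix=suffix,
                    node_status=(q["type"] == 0x21), broadcast=bool(msg["flags"] & 0x0010))
    else:
        info.update(service="dns", name=(q["name"] if q else None),
                    addresses=[r["address"] for r in msg["records"] if "address" in r])
    return info


if __name__ == "__main__":
    for title, dump in (("DNS reply to udp/3017", DNS_REPLY_DUMP), ("NBT query", NBT_QUERY_DUMP)):
        print(title, describe(dump))
```

The `capture_complete` and `fully_parsed` flags are the caveat worth keeping: tcpdump only printed the first 96 bytes of the DNS reply, so the authority and additional records (the three NS and three glue records the `1/3/3` in the summary line refers to) cannot be recovered from the post, and any parser fed a truncated dump must say so rather than silently returning partial results.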