[clug] what do I do if I'm being hit by a foreign server?
Peter Barker
pbarker at barker.dropbear.id.au
Sun Oct 17 15:20:04 MDT 2010
On Mon, 18 Oct 2010, Daniel Rose wrote:
> Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=208.115.222.75
> DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP
> SPT=5085 DPT=5060 LEN=388
>> PS now I know Linux is a better router!
Sure the old one wasn't running Linux? :-)
> 'Backscatter' like this is so common you could have a full-time job just
I believe "backscatter" is really where you get hit with stuff which has
"bounced" off a target. The best example (on the internet, at least :-) )
is where your email address is forged as the "from" address by a
spammer. The "backscatter" in this case is the flood of bounce messages
you receive, even though you didn't send the original mail. I speak from
unfortunate experience, and that's with appropriate DNS RR in place.
Port 5060 is the SIP port.
My guess is that either:
a) the old modem was actually rooted somehow and was being used to make
calls; or
b) something behind the router was rooted and was being used to make
calls; or
c) someone was attempting to break passwords.
This is becoming incredibly common - there have been at least two instances in
Canberra that I know of where someone's SIP machine has been broken into
and used to rack up thousands of dollars in calls.
> someone's trying to find a peer-to-peer client that used to have your
Probably not on port 5060 :-)
Yours,
--
Peter Barker | Programmer,Sysadmin,Geek.
pbarker at barker.dropbear.id.au | You need a bigger hammer.
:: It's a hack! Expect underscores! - Nigel Williams
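As an added example (not from the thread or from either poster), a small Python script that parses netfilter LOG lines of the format Daniel quoted and counts dropped UDP packets to port 5060 per source address, so repeated SIP probing stands out from one-off scanner noise; the sample lines, the `DROPI` prefix reuse and the addresses are constructed.

```python
import re
from collections import Counter

SIP_PORT = "5060"  # the port Peter identifies above as SIP signalling

# Matches key=value pairs; empty values (OUT=, MAC=) give ''.  Bare flags such
# as DF or SYN carry no '=' and are simply not captured.
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample lines in the same netfilter LOG format as the line quoted
# in the thread; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:12:03 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:12:09 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:13:10 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=myinternet LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44120 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 17:13:11 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=198.51.100.4 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=388
"""


def parse_netfilter_line(line):
    """Return the key=value fields of one netfilter LOG line as a dict.

    LEN appears twice (IP header, then UDP/TCP payload); the second wins,
    so fields["LEN"] is the transport-level length.  Lines without a SRC
    field (ordinary kernel messages) return None.
    """
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields else None


def sip_probe_sources(lines, min_hits=1):
    """Count dropped UDP packets to the SIP port per source address.

    Returns [(src, hits), ...] for sources with at least min_hits packets,
    most active first.  Repeated hits from one source look like the
    password guessing Peter describes; a single packet may just be noise.
    """
    hits = Counter()
    for line in lines:
        fields = parse_netfilter_line(line)
        if fields and fields.get("PROTO") == "UDP" and fields.get("DPT") == SIP_PORT:
            hits[fields["SRC"]] += 1
    return [(src, n) for src, n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    for src, n in sip_probe_sources(SAMPLE_LOG.splitlines(), min_hits=2):
        print(f"{src}: {n} dropped SIP packets")
```

Feed it `grep DROPI /var/log/messages` (or whatever prefix the LOG rule uses) instead of the constructed sample to run it against a real box.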