[clug] what do I do if I'm being hit by a foreign server?

[Peter Barker]

On Mon, 18 Oct 2010, Daniel Rose wrote:

> Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=208.115.222.75
> DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP
> SPT=5085 DPT=5060 LEN=388

>> PS now I know Linux is a better router!

Sure the old one wasn't running Linux? :-)

> 'Backscatter' like this is so common you could have a full-time job just

I believe "backscatter" is really where you get hit with stuff which has 
"bounced" off a target.  The best example (on the internet, at least :-) 
) is where your email address is forged as the "from" address by a 
spammer.  The "backscatter" in this case is the flood of bounce messages 
you receive, even though you didn't send the original mail.  I speak from 
unfortunate experience, and that's with appropriate DNS RR in place.

Port 5060 is the SIP port.

My guess is that either:
a) the old modem was actually rooted somehow and was being used to make 
calls; or

b) something behind the router was rooted and was being used to make
calls; or

c) someone was attempting to break passwords.

This is becoming incredibly common - there have at least two instances in 
Canberra that I know of where someone's SIP machine has been broken into 
and used to rack up thousands of dollars in calls.

> someone's trying to find a peer-to-peer client that used to have your

Probably not on port 5060 :-)

Yours,
-- 
Peter Barker                          |   Programmer,Sysadmin,Geek.
pbarker at barker.dropbear.id.au	      |   You need a bigger hammer.
:: It's a hack! Expect underscores! - Nigel Williams