[clug] what do I do if I'm being hit by a foreign server?
pbarker at barker.dropbear.id.au
Sun Oct 17 15:20:04 MDT 2010
On Mon, 18 Oct 2010, Daniel Rose wrote:
> Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=126.96.36.199
> DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP
> SPT=5085 DPT=5060 LEN=388
>> PS now I know Linux is a better router!
Sure the old one wasn't running Linux? :-)
> 'Backscatter' like this is so common you could have a full-time job just
I believe "backscatter" is really where you get hit with stuff which has
"bounced" off a target. The best example (on the internet, at least :-)
) is where your email address is forged as the "from" address by a
spammer. The "backscatter" in this case is the flood of bounce messages
you receive, even though you didn't send the original mail. I speak from
unfortunate experience, and that's with appropriate DNS RR in place.
Port 5060 is the SIP port.
My guess is that either:
a) the old modem was actually rooted somehow and was being used to make
b) something behind the router was rooted and was being used to make
c) someone was attempting to break passwords.
This is becoming incredibly common - there have been at least two instances in
Canberra that I know of where someone's SIP machine has been broken into
and used to rack up thousands of dollars in calls.
> someone's trying to find a peer-to-peer client that used to have your
Probably not on port 5060 :-)
Peter Barker | Programmer,Sysadmin,Geek.
pbarker at barker.dropbear.id.au | You need a bigger hammer.
:: It's a hack! Expect underscores! - Nigel Williams
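For anyone wanting to check their own firewall logs for the kind of SIP probing discussed above, here is an added example (not part of the original message or the list's archive) that parses netfilter/iptables LOG lines of the format quoted and counts dropped UDP packets to port 5060 per source. The sample log is constructed for the example: the first entry is the line quoted in the message re-joined onto a single line, the other entries are made up using documentation address ranges. The log prefix "DROPI", the threshold of three hits and the helper names are all assumptions.

```python
import re
from collections import Counter

# Constructed sample log. Entry 1 is the quoted line from the message, joined onto
# one line as the kernel writes it; entries 2-5 are made up for this example.
SAMPLE_LOG = """\
Oct 17 17:12:01 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=126.96.36.199 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:12:03 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=126.96.36.199 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:12:09 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=126.96.36.199 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=5085 DPT=5060 LEN=388
Oct 17 17:15:40 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=myinternet LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44123 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 17 17:16:02 mythbox kernel: DROPI IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=myinternet LEN=408 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5060 DPT=5060 LEN=388
"""

# syslog timestamp, hostname, "kernel:", the LOG prefix (assumed to be a single
# word such as DROPI), then the KEY=VALUE fields netfilter emits.
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>\S+) (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict, plus the
    timestamp and prefix under _ts/_prefix, or None if the line is not in that
    format. Bare flags such as DF or SYN carry no '=' and are skipped; LEN
    appears twice (IP and UDP header) and the later, transport-level value wins."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["_ts"] = m.group("ts")
    fields["_prefix"] = m.group("prefix")
    return fields


def sip_probe_counts(log_text):
    """Count dropped UDP packets aimed at the SIP port (5060), keyed by source."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_iptables_line(line)
        if f and f.get("PROTO") == "UDP" and f.get("DPT") == "5060" and "SRC" in f:
            counts[f["SRC"]] += 1
    return dict(counts)


def flag_sip_scanners(log_text, threshold=3):
    """Return sources with at least `threshold` SIP probes, busiest first.
    The threshold is an assumed value; tune it to your own log volume."""
    counts = sip_probe_counts(log_text)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [src for src, n in ranked if n >= threshold]


if __name__ == "__main__":
    for src, n in sorted(sip_probe_counts(SAMPLE_LOG).items()):
        print(f"{src:16} {n} probe(s) to udp/5060")
    print("flagged:", flag_sip_scanners(SAMPLE_LOG))
```

Pipe `grep DROPI /var/log/messages` (or whatever prefix your LOG rule uses) into `sip_probe_counts` to get the same per-source view of real traffic. A steady stream of UDP hits on 5060 from one address, rather than the odd stray packet, is the pattern that matches the password-guessing scenario in the message, and it is a useful sanity check that the firewall rule is actually dropping it at the border rather than letting it reach a SIP box behind the router.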