
Thread: My Home Net Compromised???

  1. #1 imported_wyze (Jenkem Addict), Join Date Jul 2007, Posts 1,543

    My Home Net Compromised???

    I've had some weird shit going on this morning that I would appreciate others' input on!!!!!!!!!!

    Quick topology (without giving all away), at this very moment, I have an IPCop firewall and a home net: 192.168.3.1, with 3 total connected clients.

    I log in to my firewall this morning and see a UDP connection on an odd port open to 10.12.0.1. For a second, I thought it was maybe an OpenVPN service I had left open, but it turns out to be something COMPLETELY different.

    My IPCop firewall shows that this is some computer with a UDP connection to my net @ 255.255.255.255???

    I do an nmap, and it shows me this:

    PORT STATE SERVICE
    22/tcp open ssh
    23/tcp open telnet
    80/tcp open http
    110/tcp open pop3
    135/tcp filtered msrpc
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    995/tcp open pop3s
    1720/tcp filtered H.323/Q.931
    4444/tcp filtered krb524

    So then outta curiosity I connect to it via telnet and get this prompt:

    Management Module

    Starting CLI...

    cli:seattlecuda:root>

    I live in Seattle and haven't a ****ing clue as to who seattlecuda is.

    Ettercap shows me system fingerprint info:

    Operating System: Linux Mandrake 7.1 / Debian 3.0

    When I disconnect my cable modem, it shows he is outside of my net.... but is still connected somehow to my 255.255....

    I'm not sure what else I can do at this point w/out breaking laws. I want to know who the **** this is and why they are somehow connected to my mask... ANY SUGGESTIONS????
    dd if=/dev/swc666 of=/dev/wyze

  2. #2 imported_wyze (Jenkem Addict), Join Date Jul 2007, Posts 1,543

    Hmmm.... well, before I banned the IP, I saw that it had re-established from 10.12.0.1 to 255.255.255.255 on UDP port 67. After I banned it I rebooted my firewall and I see a connection on UDP 67 from one of my ISP's DNS servers. An nmap scan shows the exact same open/closed/filtered ports running, so I'm guessing that 10.12.0.1 was one of my ISP's DNS servers???

    If so, then why would it appear as a 10.12. addy???
    dd if=/dev/swc666 of=/dev/wyze

  3. #3 imported_wyze (Jenkem Addict), Join Date Jul 2007, Posts 1,543

    Strange....

    My firewall shows this connection from 10.12.0.1 on port 67 one time, and then another (66.235.X.X) takes its place on the same port (seems to be the same type of system/OS with the same ports open/closed/filtered with the same CLI running on the telnet port).

    I'm obviously not 'getting' what is happening here. Under normal circumstances, the 66.235.X.X address is a DNS server addy for my cable internet service. I'm really scratching my head to figure out how and why my DNS sometimes becomes part of a local network @ 10.12.X.X ....

    Can ANYONE enlighten me as to what the deal is?
    dd if=/dev/swc666 of=/dev/wyze

  4. #4 streaker69 (Senior Member), Join Date Jan 2010, Location Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, Posts 3,535

    Quote Originally Posted by swc666:
    > Strange....
    >
    > My firewall shows this connection from 10.12.0.1 on port 67 one time, and then another (66.235.X.X) takes its place on the same port (seems to be the same type of system/OS with the same ports open/closed/filtered with the same CLI running on the telnet port).
    >
    > I'm obviously not 'getting' what is happening here. Under normal circumstances, the 66.235.X.X address is a DNS server addy for my cable internet service. I'm really scratching my head to figure out how and why my DNS sometimes becomes part of a local network @ 10.12.X.X ....
    >
    > Can ANYONE enlighten me as to what the deal is?

    Easy, your ISP has you NAT'ed.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5 thorin (My life is this forum), Join Date Jan 2010, Posts 2,629

    You should read RFC 1918 (http://www.ietf.org/rfc/rfc1918.txt).

    The whole 10.x.x.x range is for private addressing (i.e. LAN, not Internet).

    10.0.0.0/8

    If the connection is from a 10. it has to be someone/something "local" to you.

    In addition, IANA lists (http://www.iana.org/assignments/port-numbers) UDP 67 as "Bootstrap Protocol Server". I googled this quickly but didn't have much time for reading. It does seem that IPCop supports bootstrapping, but a lot of the results I got were German or French. You could probably disable the "Allow bootp clients" in IPCop, or set up a rule that prevents external (non 192.168.3.x) connections to your Firewall.

    > Can ANYONE enlighten me as to what the deal is?

    I agree with streaker69, your ISP likely has you nat'd. You stated in your first post that your Firewall is 192.168.3.1 so I'm assuming your FW is between your Cable Modem and your internal LAN. What's the IP of your cable modem? If you tracert (traceroute) to the 10.x or 66.x address how many hops away is it? (My guess is 2-4). What are the names of the 10.x and 66.x systems?
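As an added illustration of thorin's two points (RFC 1918 private ranges, and UDP 67 being BOOTP/DHCP), not code from the thread or from IPCop: a small Python classifier that reads constructed firewall-style connection lines, checks each source against RFC 1918 and the poster's 192.168.3.0/24 LAN, and flags BOOTP/DHCP ports. The "proto src -> dst:port state" line format and the 66.235.0.1 address are constructed for the example; a private source that is not on the LAN yet arrives from the modem side is exactly the pattern an upstream (ISP) NAT produces.

```python
import ipaddress
import re

# RFC 1918 private address blocks (the thread points at 10.0.0.0/8).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the poster's LAN is 192.168.3.0/24 with the firewall at .1.
LAN = ipaddress.ip_network("192.168.3.0/24")
# IANA: UDP 67 = BOOTP/DHCP server, UDP 68 = BOOTP/DHCP client.
BOOTP_PORTS = {67, 68}

# Constructed sample lines modelled on what the poster described; this is a
# generic "proto src -> dst:port state" form, not real IPCop output.
SAMPLE_LOG = """\
udp 10.12.0.1 -> 255.255.255.255:67 unreplied
udp 66.235.0.1 -> 255.255.255.255:67 unreplied
tcp 192.168.3.10 -> 192.168.3.1:22 established
udp 8.8.8.8 -> 192.168.3.1:67 unreplied
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<state>\w+)$"
)


def classify(line):
    """Return (src, verdict) for one connection line, or None if it doesn't parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = ipaddress.ip_address(m["src"])
    if src in LAN:
        verdict = "lan"                # our own clients: expected
    elif any(src in net for net in RFC1918):
        # Private source that is NOT our LAN: it reached the firewall from the
        # modem side, so something upstream uses private addressing (ISP NAT).
        verdict = "private-not-lan"
    else:
        verdict = "public"
    if m["proto"] == "udp" and int(m["port"]) in BOOTP_PORTS:
        verdict += "+bootp"            # DHCP/BOOTP traffic, per IANA port list
    return str(src), verdict


def classify_log(text):
    """Classify every parseable line of a multi-line connection listing."""
    return [r for r in (classify(l) for l in text.splitlines()) if r]
```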

  6. #6 imported_wyze (Jenkem Addict), Join Date Jul 2007, Posts 1,543

    Quote Originally Posted by thorin:
    > You should read RFC 1918 (http://www.ietf.org/rfc/rfc1918.txt).
    >
    > The whole 10.x.x.x range is for private addressing (i.e. LAN, not Internet).
    >
    > 10.0.0.0/8
    >
    > If the connection is from a 10. it has to be someone/something "local" to you.
    >
    > In addition, IANA lists (http://www.iana.org/assignments/port-numbers) UDP 67 as "Bootstrap Protocol Server". I googled this quickly but didn't have much time for reading. It does seem that IPCop supports bootstrapping, but a lot of the results I got were German or French. You could probably disable the "Allow bootp clients" in IPCop, or set up a rule that prevents external (non 192.168.3.x) connections to your Firewall.
    >
    > I agree with streaker69, your ISP likely has you nat'd. You stated in your first post that your Firewall is 192.168.3.1 so I'm assuming your FW is between your Cable Modem and your internal LAN. What's the IP of your cable modem? If you tracert (traceroute) to the 10.x or 66.x address how many hops away is it? (My guess is 2-4). What are the names of the 10.x and 66.x systems?

    Streaker: Thanks for the info... I thought about that, but it seemed odd to me that it would appear as a 10.x address one second and 66.x the next.

    Thorin: Thanks for the link to rfc1918; interesting material!

    My FW is between the cable modem and the internal LAN. The 3rd thing that I did was traceroute from a LAN pc to the 10.12.0.1 address, and it showed it 2 hops away (it's the same for the 66.X address... 2 hops), outside of my 192.168 LAN and on the other side of my cable modem; I had confirmed that by unplugging the cable modem and nmapping/pinging/checking open FW connections on Red and it was definitely outside of my modem.

    *I have always had my DHCP settings set to disallow bootp clients. Strangely enough the UDP 67 connection will appear/disappear.

    *The name of the 66.X.X.X system is my ISP, MDM (sister company to Comcast).

    One funny thing that happened was when I ran an nmap scan on 10.12.0/24 it showed me that there were 5 up, but about 60% of the way through the scan, my connection died and the 10.12.0.1 address disappeared and the 66.X address appeared on UDP 67....

    I'm not sure if this means anything/something, but my ISP services my neighborhood using the data line from Boeing (nearby). Apparently, and at some point in the near future, Boeing is upgrading the data line and ultimately the ISP is offering an even 'higher-speed' service to customers in my area. The cable company won't give me any information whatsoever regarding the upgrade, other than they'll let me know when it is available for purchase.

    Just as you stated that a 10.X has to be someone/something "local" to me, which is what raised flags when I first saw it appear. I do ecommerce web development and work out of home often. I tend to my firewall/logs often enough that I noticed this was the first time in the year that I've been on with them that I've had this 'local' connection to me outside of my cable modem, and for good reason have become concerned.
    dd if=/dev/swc666 of=/dev/wyze

  7. #7 thorin (My life is this forum), Join Date Jan 2010, Posts 2,629

    I'm still of the opinion that your cable modem is nat'd by your ISP. You never told us what your cable modem's IP was. My bet is it's a 10.x. I also bet that the 10.x and 66.x that you're seeing connections from are actually the same device, only sometimes you see connections from its 'internal' interface and sometimes you see connections from its 'external' interface.

    > I have always had my DHCP settings set to disallow bootp clients. Strangely enough the UDP 67 connection will appear/disappear.

    How long do these last? Perhaps they're only attempted connections but they actually fail in the end.

  8. #8 imported_wyze (Jenkem Addict), Join Date Jul 2007, Posts 1,543

    Quote Originally Posted by thorin:
    > I'm still of the opinion that your cable modem is nat'd by your ISP. You never told us what your cable modem's IP was. My bet is it's a 10.x. I also bet that the 10.x and 66.x that you're seeing connections from are actually the same device, only sometimes you see connections from its 'internal' interface and sometimes you see connections from its 'external' interface.
    >
    > How long do these last? Perhaps they're only attempted connections but they actually fail in the end.

    *My modem's IP is 66.X.X.X

    I just logged back into my firewall. I see that 10.12.0.1 is back on the list. It is not connected, and marked as 'unreplied' (probably since I manually blocked 10.0.0.0/8).

    At this point, the more that I read into the subject (now that I have been given a good direction to go in) I think you/streaker are correct, and it also makes sense that it's the same device and I'm seeing its internal/external interfaces.

    I suppose that on a good note, this ordeal is putting me in a position to learn about certain areas that I did not see before.
    dd if=/dev/swc666 of=/dev/wyze

  9. #9 imported_wyze (Jenkem Addict), Join Date Jul 2007, Posts 1,543

    Quote Originally Posted by thorin:
    > How long do these last? Perhaps they're only attempted connections but they actually fail in the end.

    About every 30 seconds, I see an attempt; sometimes it expires in 1 second, other times 15 seconds and 30 seconds.
    dd if=/dev/swc666 of=/dev/wyze

  10. #10 thorin (My life is this forum), Join Date Jan 2010, Posts 2,629

    If you're still concerned I suppose you could always call your ISP and ask them about it. I think we can be fairly confident at this point that it's definitely one of their systems.

    > About every 30 seconds, I see an attempt; sometimes it expires in 1 second, other times 15 seconds and 30 seconds.

    I would say that they're trying to connect via bootstrap but are getting denied (as they should be, per your earlier comments). Depending on the load etc. of the system initiating the connection to you, I wouldn't be surprised if it took that long to timeout or reset sometimes.
