Lo, on Sunday, December 31, JD Kitch did write:

> Can anyone tell me what this person is looking for here, and how I
> can find out where this is coming from?
>
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17
> xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)
> Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17
> xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)
> Dec 31 11:06:59 tower kernel: Packet log: output REJECT eth0 PROTO=17
> xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7713 F=0x0000 T=127 (#43)
> Dec 31 11:07:06 tower kernel: Packet log: output REJECT eth0 PROTO=17
> xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7716 F=0x0000 T=127 (#43)
> Dec 31 11:07:13 tower kernel: Packet log: output REJECT eth0 PROTO=17
> xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7724 F=0x0000 T=127 (#43)
> Dec 31 11:07:19 tower kernel: Packet log: output REJECT eth0 PROTO=17
> xx.xx.xxx.xx:61662 172.16.72.113:161 L=106 S=0x00 I=7725 F=0x0000 T=127 (#43)
>
> I've been unable to track it down. I've had pages and pages of this
> every hour since early yesterday, always coming from the same IP, to
> the same port.
Someone (xx.xx.xx.xx) is poking at your SNMP port. Use /etc/protocols to map from PROTO=17 to udp, and then /etc/services to map from 161/udp to SNMP. (For those who don't know, SNMP (Simple Network Management Protocol) is a protocol system originally intended for monitoring and administering networked devices remotely.)

I'm having to guess, based on RFC 760, but I think the other fields are:

* L: packet length
* S: type of service -- see RFC 760
* I: identification #; aids in reassembling fragments
* F: fragment offset, possibly with the IP flags thrown in?
* T: time to live.
* and I don't know what (#43) represents.

(If someone knows better, I'd love to hear corrections.) These are most probably not relevant here.

Did you change your IP address in the above report? IIRC, 172.16.*.* is a block of private addresses. Packets to this address should be dropped automatically by an upstream router. My guess, therefore, is that these transmissions are coming from somewhere else in your network---probably a misconfigured SNMP manager who thinks you're an agent.

If it's *not* somewhere else in your network, then to try to find out where it's coming from, do an nslookup on the source IP (the address you've blocked out) to get its domain, then try doing a whois lookup on that domain to see who's responsible for it. (And bug your sysadmins to drop packets coming in from outside your network addressed to the private address ranges.) For example, try typing `whois gmx.net' to see the kind of information you should be able to get.

HTH,
Richard
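The decoding Richard describes above (PROTO=17 via /etc/protocols, 161/udp via /etc/services, and a check for a private-range destination), as an added Python example that is not part of this thread: it parses the kernel "Packet log:" lines and tallies repeat hits per source and service. The protocol and service tables are constructed excerpts in the syntax of those two files, the log lines are constructed, and the RFC 5737 documentation addresses stand in for the masked source IP.

```python
import ipaddress
import re
from collections import Counter

# Constructed excerpts in /etc/protocols and /etc/services syntax (read the real files on a host).
PROTOCOLS_TEXT = "icmp 1 ICMP\ntcp 6 TCP\nudp 17 UDP\n"
SERVICES_TEXT = "ssh 22/tcp\ndomain 53/udp\nsnmp 161/udp\nsnmptrap 162/udp\n"
# Constructed sample lines; the source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "Dec 31 11:06:47 tower kernel: Packet log: output REJECT eth0 PROTO=17 192.0.2.10:61662 172.16.72.113:161 L=106 S=0x00 I=7632 F=0x0000 T=127 (#43)",
    "Dec 31 11:06:53 tower kernel: Packet log: output REJECT eth0 PROTO=17 192.0.2.10:61662 172.16.72.113:161 L=106 S=0x00 I=7712 F=0x0000 T=127 (#43)",
    "Dec 31 11:07:00 tower kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:4412 172.16.72.113:22 L=60 S=0x00 I=911 F=0x4000 T=64 (#12)",
]

def load_table(text, key_fn):
    """Parse name-first lines ('#' comments ignored) into {key_fn(column 2): name}."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[key_fn(fields[1])] = fields[0]
    return table
# load_table(text, int) for /etc/protocols ('udp 17 UDP' -> {17: 'udp'}); port_proto for /etc/services.
port_proto = lambda s: (int(s.split("/")[0]), s.split("/")[1])   # '161/udp' -> (161, 'udp')

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<tag>\d+)\))?")      # the trailing '(#43)' is kept as an opaque tag

def parse_line(line, protocols, services):
    """Decode one kernel 'Packet log:' line into named fields; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = protocols.get(int(m["proto"]), m["proto"])           # PROTO=17 -> 'udp'
    dport = int(m["dport"])
    return {"chain": m["chain"], "verdict": m["verdict"], "iface": m["iface"], "proto": proto,
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"], "dport": dport,
            "service": services.get((dport, proto), str(dport)),  # 161/udp -> 'snmp'
            "ttl": int(m["ttl"]), "ipid": int(m["ipid"]), "tag": m["tag"],
            "dst_private": ipaddress.ip_address(m["dst"]).is_private}  # e.g. 172.16.0.0/12

def summarize(lines, protocols, services):
    """Count hits per (source, service, private destination?) so a repeating probe stands out."""
    counts = Counter()
    for rec in filter(None, (parse_line(ln, protocols, services) for ln in lines)):
        counts[(rec["src"], rec["service"], rec["dst_private"])] += 1
    return counts
```

A source that keeps hitting the same service with a private destination, as in the tally for the sample lines, is the pattern Richard attributes to a misconfigured manager inside the network.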