Ok What exactly is simple network management protocol from what i can gather it's a udp protocol to enumerate your network ... I have a linksys router and I am getting hits ever few min. on port 169 so firestarter says ..... is someone gathering info could they be trapping or sniffing my out going stuff.?? How is it going right thru my router? how can I stop it and find out where it's coming from? firestarter lists my router as the incoming IP.


ANY IDEAS?

$whatis snmp: foldoc, techtarget.
IIRC, SNMP uses TCP/UDP port 161 and 162 is for SNMP-Trap tho it could be 169 as well like you've stated. (w/o firmware upgrades?) there exists a flaw in some SOHO routers where remote users are able to either take over a router or at leas DD0S it using SNMP. Many ppl not changing default passwds helps as well.
Rr.sans.org states w/o details you should be able to disable SNMP on the Linksys for the port connected to the Internet if you're only managing it from the LAN and if you're not able to turn it off use the NAT function and dump it on an unused network address. Unfortunately I don't have access to a Linksys, so if you need details someone else will have to come up with it.

HTH somehow

Thanks I forward the 161,162,169 ports to a unused ip address. Since you seem to know about security stuff can I ask you another question? firestarter was getting pounded with trinity and sunrpc and snmp trap and lots of unknowns I went to bed and when I got up the next day my gui was broken for firestarter so I don't know how to get my logs to see if it was still going on. a port scan from a windows box on my lan says it's still up and running if I try to open the gui from a command line I get Gtk errors. I uninstalled firestarter and reinstalled it but no help ....did they root my box and wipe a file to keep from seeing what there doing???

please help me if you can.

Heh, no I don't know about security. It's that security knows about me, and that's what keeps me moving :-]

Firestarter reads its logs (depending on your distro) from /var/log/messages or /usr/adm/messages, so if you've installed it you could read log entries from there. I don't think any cracker will ever bother with fscking up Firestarter, Gnome or any of it's dependancies to stop ppl from looking at logs :-]

One of the first things to do if you suspect your box has been 0wned would be to look at the logs, lastlog, network connections, and running apps to see if you can find stuff to fuel your suspicions: list the output and dump on another box or floppy. If yes, I hope you did install a passive integrity checker like Aide or Tripwire to help you scan for changes in the system, and maybe run chkrootkit(.org) as well. If yes again and you've found signs stuff has been changed or added system/regular users on that system can't account for it's a good point to disconnect the box, boot from an install/rescue/trinux or orher cd or floppy and investigate further.

Have a look at excellent guidelines in the CERT Steps for Recovering from a UNIX or NT System Compromise, CERT Intruder Detection Checklist and the CERT UNIX Security Checklist v2.0.

Ok I founf the log file and seem to make some since out of them but theres one problem. the loggs stop three days ago and i mean ALL the logs mail, boot, and messages. theres messages and the n messages .1 .2 and so on the higher the number the older the log right? so then messages with no .# would be the newist? but it stops three days ago abouth the time of the problem got anymore ideas? do I need to do some kind of dump to get the lateist logs?

Ok I founf the log file and seem to make some since out of them but theres one problem. the loggs stop three days ago and i mean ALL the logs mail, boot, and messages. theres messages and the n messages .1 .2 and so on the higher the number the older the log right? so then messages with no .# would be the newist? but it stops three days ago abouth the time of the problem got anymore ideas? do I need to do some kind of dump to get the lateist logs?

Opps I didn't mean to dup. that Hey would you look at my logs if I e-mail them to you? there seems to be some other stuff mixed in the log files"messages" something about a sound card error could that be causing my problem? my sound works fine. but i did turn off the KDE sounds cause for one they were annoying and two, real player streaming video wouldn't work cause it said it was busy.

Thanks agian!

Ok, just make a neat tarball and send it too unspawn at rootshell dot be. Be sure to scrub any of your public IP addy's tho.