LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-15-2011, 01:56 AM   #1
QuantumDot
LQ Newbie
 
Registered: Mar 2011
Posts: 3

Rep: Reputation: 0
Trace Route From Home Showing Suspicious Hop Just Outside LAN


I know this post isn't strictly linux based, but since the system in question appears to be using Linux and I am as well I decided to post this here.

In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP the second hop from my house jumped through a connection on IP 24.96.153.61 which I think should only be another dynamic IP Knology.net customer...

In scanning the IP I now know that it's a Juniper Junos Router 9.2R1.10 (Probably running on some VMware based on googling?)

Open ports show:
22 ssh OpenSSH 4.4 v. 1.99
23 telnet Openwall GNU/*/Linux telnetd

At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would Knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...

Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on?

Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?

Last edited by QuantumDot; 03-15-2011 at 01:58 AM.
 
Old 03-15-2011, 06:10 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
Yes, this looks like it is a dynamic IP/user account for Knology.net.

I would recommend that you capture a set of traceroutes to common places and then contact your ISP to inquire about this. If in fact your traffic is routing through this location, it could be unusual. I also agree that an ISP would not allow telnet on their public interfaces and would probably use up-to-date commercial software. Given your experiments in your other thread, I wouldn't be surprised if you attracted some unwanted attention and this could be part of the result.

I would advise against posting too much information regarding "scanning" of this host or inquiring about how to obtain too much information against it. Such actions get into the realm of asking how to perform surveillance and cracking of other systems, which is prohibited in this forum. Instead, obtain the information and contact your ISP.
 
Old 03-15-2011, 06:12 AM   #3
ComputerErik
Member
 
Registered: Apr 2005
Location: NYC
Distribution: Debian, RHEL
Posts: 268

Rep: Reputation: 42
I don't think this is enough information to really make a call either way. What is your public IP (you don't need to post here but just verify by going to www.whatismyip.com)? Are you sure that this isn't in fact just your cable modem or something similar and you have an extra router between you and your ISP? When I do a traceroute from a PC to any internet address the second hop is always my actual public IP on my cable modem, and the first is my internal gateway.
 
Old 03-15-2011, 06:44 AM   #4
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,241

Rep: Reputation: 545
Why would that be another customer? When I do a traceroute, the address after my own (dynamic) IP address is on the same subnet as my own IP address, which is of course quite logical.

Two hops in the same subnet is not possible by design of the IP protocol.

jlinkels
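The procedure the replies converge on (capture traceroutes to several destinations, check whether the hop after the home gateway is your own public address or a router in the same customer subnet, and hand the ISP a log rather than a guess) as an added Python example. This is not code from the thread or from LinuxQuestions. The public address, the /24 prefix length and the traceroute output are constructed placeholders using RFC 5737 documentation ranges; the real prefix length is something only the ISP can confirm.

```python
"""Collate traceroute output for several destinations and check the first
public hop against the host's own public address.  Added example; the values
below are constructed placeholders, not data from the thread."""
import ipaddress
import re

# Assumed: own public address (as reported by a what-is-my-IP service) and the
# ISP's customer subnet size.  Both are placeholders.
PUBLIC_IP = ipaddress.ip_address("203.0.113.42")
PUBLIC_PREFIX = 24

# LAN-side ranges (RFC 1918, link-local, loopback) listed explicitly rather than
# via ip.is_private, because Python also classes the RFC 5737 documentation
# ranges used in the sample data as private.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "127.0.0.0/8")]

# One Linux traceroute hop line: "<n>  host (a.b.c.d)  1.2 ms ..." or "<n>  * * *"
HOP_RE = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\((\d+\.\d+\.\d+\.\d+)\)|(\*))")

def is_lan(ip):
    return any(ip in net for net in LAN_NETS)

def parse_traceroute(text):
    """Return [(hop_number, ip_or_None), ...]; '* * *' hops become None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:                       # the 'traceroute to ...' header does not match
            num, ip, _star = m.groups()
            hops.append((int(num), ipaddress.ip_address(ip) if ip else None))
    return hops

def first_public_hop(hops):
    """First answering hop outside the LAN-side ranges, as (num, ip), or None."""
    for num, ip in hops:
        if ip is not None and not is_lan(ip):
            return num, ip
    return None

def check_trace(hops, public_ip=PUBLIC_IP, prefix=PUBLIC_PREFIX):
    """Findings for one trace: hop 1 should be the LAN gateway, and the first
    public hop should be our own address or a router in the same subnet."""
    if not hops:
        return ["no hops parsed"]
    findings = []
    if hops[0][1] is None or not is_lan(hops[0][1]):
        findings.append(f"hop 1 is {hops[0][1]}, expected a LAN gateway")
    fp = first_public_hop(hops)
    if fp is None:
        return findings + ["no public hop answered"]
    num, ip = fp
    customer_net = ipaddress.ip_network(f"{public_ip}/{prefix}", strict=False)
    if ip != public_ip and ip not in customer_net:
        findings.append(f"hop {num} ({ip}) is the first public hop but lies outside {customer_net}")
    return findings

def analyse(traces, **kw):
    """Run check_trace over {destination: raw_output}; '_summary' says whether
    the first public hop is the same for every destination."""
    results, first_hops = {}, set()
    for dst, raw in traces.items():
        hops = parse_traceroute(raw)
        results[dst] = check_trace(hops, **kw)
        fp = first_public_hop(hops)
        if fp:
            first_hops.add(fp[1])
    if len(first_hops) > 1:
        results["_summary"] = ["first public hop differs between destinations: "
                               + ", ".join(sorted(map(str, first_hops)))]
    elif first_hops and any(results[d] for d in traces):
        results["_summary"] = [f"every trace goes through {first_hops.pop()} first; "
                               "send these traces to the ISP"]
    else:
        results["_summary"] = []
    return results

# Constructed sample output (RFC 5737 documentation addresses, not real hosts).
EXPECTED_TRACES = {
    "dst-a": """traceroute to 198.51.100.10 (198.51.100.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.388 ms
 2  203.0.113.42 (203.0.113.42)  9.102 ms  9.877 ms
 3  203.0.113.1 (203.0.113.1)  11.204 ms  11.900 ms
 4  198.51.100.10 (198.51.100.10)  25.001 ms  24.872 ms
""",
    "dst-b": """traceroute to 198.51.100.20 (198.51.100.20), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.401 ms  0.390 ms
 2  203.0.113.42 (203.0.113.42)  9.331 ms  9.612 ms
 3  * * *
 4  198.51.100.20 (198.51.100.20)  31.780 ms  31.455 ms
""",
}
# Same host, but an address from an unrelated range answers as hop 2 on every trace.
SUSPECT_TRACES = {dst: raw.replace("203.0.113.42", "192.0.2.61")
                  for dst, raw in EXPECTED_TRACES.items()}

if __name__ == "__main__":
    for label, traces in (("expected", EXPECTED_TRACES), ("suspect", SUSPECT_TRACES)):
        print(label, analyse(traces))
```

The check deliberately stops at the first public hop and does not look up, probe or connect to it: the output is a list of findings plus the raw traces, which is what an ISP abuse or support desk can act on. A single odd hop on one trace is weak evidence; the same odd hop on every destination, captured over a few days, is the pattern worth reporting.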
 
Old 03-16-2011, 12:22 AM   #5
QuantumDot
LQ Newbie
 
Registered: Mar 2011
Posts: 3

Original Poster
Rep: Reputation: 0
My IP is 207.98.208.XX. There are a wide array of "user-XX-XX-...knology.net" dynamic IPs. From what I've gathered, it's really a hard call to make, in that I haven't been able to detect any kind of interference or alteration, but I've been overworked and haven't pressed the issue.

What concerns me is this appears to be recent in that I check these things fairly regularly, and that whatever it is, or whomever, has a fairly "open" system. A honeypot if you will. Other knology users within the 207.98.208.xx don't have this hop. Furthermore, outbound http requests freeze the system for about 200ms before going on. humm...

I'm thinking I may have been rooted, but that wouldn't really explain the outside hop. If it is an ISP monitor specifically assigned to monitor me, for whatever reason, it would have to be a honeypot due to its (apparently) poor implementation of a soft target on a VMware box, or a legit Knology hub. Either way, it's suspicious.

Furthermore, the cleverness is that network traffic analysis and system diagnostics fail in that if it's all done outside the LAN, coupled with the fact that I'm not versed in forensics well enough.

I'll post more later. Night all.
 
Old 03-16-2011, 08:00 AM   #6
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776
I will reiterate my earlier advice: discuss a traceroute log with your ISP. There is little point in speculating about what this might be. If this is an invalid route point, they will be in a far better position to deal with it than you are. If it is a valid hop, they can explain why and how it works.

Quote:
I'm thinking I may have been rooted, but that wouldn't really explain the outside hop. If it is an ISP monitor specifically assigned to monitor me, for whatever reason, it would have to be a honeypot due to its (apparently) poor implementation of a soft target on a VMware box, or a legit Knology hub. Either way, it's suspicious.
This statement gets into the realm of aluminum foil hat paranoia and makes a lot of supposition. LQSec deals with facts, not assumptions and what-might-be. Let us please either discuss real events with real log information or not discuss this at all. Let's especially avoid using the expression "I think I may have been rooted" when there is no evidence to support this.
 
1 members found this post helpful.