I (deliberately) have an open wireless network and I have been seeing some unusual traffic from one box. I have been watching this machine with wireshark and it appears to be doing some kind of scan of the local network by using 'ARP Who has' requests on all the possible IP addresses. The scans are in numeric sequence, sending out a new request every second.
It is also trying to access the web interface of my router using the user agent string "EZI_HTTP_NETDEV_DISCOVER". As it doesn't know the password for the router, it just gets a 'wrong password' page. It seems to not want to give up trying the router as it repeats this every 30 seconds.
There are also requests to dell-alive.singleclicksystems.com/inet_check.php with "EZI_HTTP_INET_REQUEST" as the user agent string. If you bung that address in a web browser, it replies with a single byte: the ASCII code for "1".
Also there are requests to isp.singleclicksystems.com/isp_info/get_isp_info.php with "EZI_HTTP_ISP_REQUEST" as the UA string.
At first when I saw this traffic I thought that someone was trying to hack into some of the other machines on my network, then as I watched more, I started to think that it was a windoze box that had been turned into a zombie. But now I am beginning to think that it is some strange software that Dell have installed on one of their laptops. I assume that the requests to dell-alive.singleclicksystems.com/inet_check.php (with the reply "1") are part of some kind of background process that checks if the laptop has access to the internet for the user.
Whatever it is, I don't really like the fact that it is scanning the local network or trying to peek at my router. I will probably watch it for a bit longer, then maybe if I get bored/annoyed with it, I will MAC filter it out. ;-)
BTW, I also have Apache running on my machine to serve stuff locally (i.e. not to the Internet), but this thing doesn't seem to have found it yet.
What is the situation with other people seeing this user agent -- is it being seen on outward facing web servers, or are you seeing it in the logs on your internal networks routers?
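As an added example (not code from the thread or from the original poster), a small Python detector for the pattern described above: one sender MAC stepping through consecutive IP addresses with ARP "who has" requests at a steady one-per-second cadence. It works on a constructed three-column export (seconds, sender MAC, target IP) of the kind you can dump from Wireshark/tshark; the column layout and the sample values are assumptions, not from the post.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, not from the thread: one "who has" request per line in the
# shape "<seconds> <sender MAC> <target IP>", as exported from a capture tool.
SAMPLE_ARP = """\
0.0 00:11:22:33:44:55 192.168.1.1
1.0 00:11:22:33:44:55 192.168.1.2
2.1 00:11:22:33:44:55 192.168.1.3
2.5 aa:bb:cc:dd:ee:ff 192.168.1.20
3.0 00:11:22:33:44:55 192.168.1.4
4.0 00:11:22:33:44:55 192.168.1.5
5.0 00:11:22:33:44:55 192.168.1.6
40.0 aa:bb:cc:dd:ee:ff 192.168.1.1
"""

def parse_arp(text):
    """Group (timestamp, target IP as int) pairs by sender MAC, sorted by time."""
    by_sender = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, mac, target = parts
        by_sender[mac].append((float(ts), int(ipaddress.ip_address(target))))
    for mac in by_sender:
        by_sender[mac].sort()
    return by_sender

def find_arp_sweeps(text, min_run=5, max_gap=2.0):
    """Return {sender_mac: (first_ip, last_ip, count, mean_interval_seconds)} for
    senders whose longest run of who-has targets is consecutive addresses sent at
    most max_gap seconds apart; a normal host resolving a few peers never qualifies."""
    sweeps = {}
    for mac, reqs in parse_arp(text).items():
        run, best = [reqs[0]], []
        for prev, cur in zip(reqs, reqs[1:]):
            consecutive = cur[1] == prev[1] + 1
            steady = cur[0] - prev[0] <= max_gap
            run = run + [cur] if consecutive and steady else [cur]
            if len(run) > len(best):
                best = run
        if len(best) >= min_run:
            span = best[-1][0] - best[0][0]
            sweeps[mac] = (str(ipaddress.ip_address(best[0][1])),
                           str(ipaddress.ip_address(best[-1][1])),
                           len(best), span / (len(best) - 1))
    return sweeps
```

On the sample the scanning MAC is reported as sweeping 192.168.1.1 through 192.168.1.6 at a mean interval of one second, while the second host (two unrelated lookups) is not flagged.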
Hello and welcome to LQ, hope you like it here. BTW, nice work Sherlock ;-p
After your post I stumbled on this which shows two more URIs but since I don't do even Kyoiku Kanji all I can see is it appears to be "Dell Network Assistant" or products by "SingleClickSystems". HTH
Looking at the SingleClickSystems site, it appears that one of their products includes a feature that can "Discover and manage all devices on a network", which would explain why the thing looks like it's trying to scan the entire network and auto-login to the router.
Can you tell if the passwords are different with each login attempt (i.e. is it bruteforcing the router)? At 1 attempt every 30 seconds I would guess no, otherwise it would take decades to complete even a fairly trivial dictionary list.
I got google to translate that site you linked to unSpawn : http://translate.google.com/translat...Den%26hs%3DtDD - it looks like someone else has been doing some detective work on this thing too. That link mentions that there are occasional pings to 200.200.200.200 which I have also seen.
Capt_Caveman asks "Can you tell if the passwords are different with each login attempt..."
No, as far as I can see it doesn't seem to be supplying a password. -- I suppose I probably should have said that it is trying to view the contents of the router's web interface rather than actively trying to log in by trying usernames/passwords.
The Japanese page seems to be saying that this thing is also scanning some ports ("TCP 80 and the like is scanned UDP 161 (SNMP), TCP 139, TCP 445, UDP 10421, UDP 10426 "), but I haven't seen this yet.
I will look again next time the machine hops back onto my network.
My apache usage stats also show this User Agent. If I assume only one IP uses this agent, then the matching IP for January and February 2007 stats is 219.132.138.237. From other searches I have made, this guy seems to be doing a scan on port 8080.
Hi, my name is Scot Zarkiewicz and I am the CEO of SingleClick Systems. We are the manufacturer of the tool that is in question in this thread. I wanted to quickly describe to people what they are seeing. Dell Network Assistant (AKA: HomeNet Manager, Network Now, Network Now Pro!) is a Home Networking tool that provides, as one of its capabilities, a Network Scan feature, to detect all the devices that are connected to the Home Network. When we find a device we do probe port 80 to see if that device is exposing a management interface. This actually provides for a very useful function to less technically savvy customers who may not know how to open a management interface to a device such as a print server. Additionally we do probe the router to determine what type of device the user has, and provide one click access to this device as well. The URL that is mentioned above is used for Internet Health monitoring to determine when the user has lost their connection to the Internet (and take corrective action to resolve that problem.) I wanted to reassure the readers of this message board that the network traffic generated by our applications is not meant to be harmful in any way, and is only taking place to give the more novice user a simpler way to set up and manage their Home Network. If there are additional questions or concerns about this topic please don't hesitate to contact me directly at: scotz@singleclicksystems.com