LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-10-2002, 01:13 AM   #1
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Rep: Reputation: 30
Question snmp-trap


Ok What exactly is simple network management protocol from what i can gather it's a udp protocol to enumerate your network ... I have a linksys router and I am getting hits ever few min. on port 169 so firestarter says ..... is someone gathering info could they be trapping or sniffing my out going stuff.?? How is it going right thru my router? how can I stop it and find out where it's coming from? firestarter lists my router as the incoming IP.


ANY IDEAS?
 
Old 07-18-2002, 06:07 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
$whatis snmp: foldoc, techtarget.
IIRC, SNMP uses TCP/UDP port 161 and 162 is for SNMP-Trap tho it could be 169 as well like you've stated. (w/o firmware upgrades?) there exists a flaw in some SOHO routers where remote users are able to either take over a router or at leas DD0S it using SNMP. Many ppl not changing default passwds helps as well.
Rr.sans.org states w/o details you should be able to disable SNMP on the Linksys for the port connected to the Internet if you're only managing it from the LAN and if you're not able to turn it off use the NAT function and dump it on an unused network address. Unfortunately I don't have access to a Linksys, so if you need details someone else will have to come up with it.

HTH somehow
 
Old 07-18-2002, 08:48 AM   #3
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Original Poster
Rep: Reputation: 30
Thanks I forward the 161,162,169 ports to a unused ip address. Since you seem to know about security stuff can I ask you another question? firestarter was getting pounded with trinity and sunrpc and snmp trap and lots of unknowns I went to bed and when I got up the next day my gui was broken for firestarter so I don't know how to get my logs to see if it was still going on. a port scan from a windows box on my lan says it's still up and running if I try to open the gui from a command line I get Gtk errors. I uninstalled firestarter and reinstalled it but no help ....did they root my box and wipe a file to keep from seeing what there doing???

please help me if you can.
 
Old 07-18-2002, 03:06 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Heh, no I don't know about security. It's that security knows about me, and that's what keeps me moving :-]

Firestarter reads its logs (depending on your distro) from /var/log/messages or /usr/adm/messages, so if you've installed it you could read log entries from there. I don't think any cracker will ever bother with fscking up Firestarter, Gnome or any of it's dependancies to stop ppl from looking at logs :-]

One of the first things to do if you suspect your box has been 0wned would be to look at the logs, lastlog, network connections, and running apps to see if you can find stuff to fuel your suspicions: list the output and dump on another box or floppy. If yes, I hope you did install a passive integrity checker like Aide or Tripwire to help you scan for changes in the system, and maybe run chkrootkit(.org) as well. If yes again and you've found signs stuff has been changed or added system/regular users on that system can't account for it's a good point to disconnect the box, boot from an install/rescue/trinux or orher cd or floppy and investigate further.

Have a look at excellent guidelines in the CERT Steps for Recovering from a UNIX or NT System Compromise, CERT Intruder Detection Checklist and the CERT UNIX Security Checklist v2.0.
 
Old 07-18-2002, 08:46 PM   #5
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Original Poster
Rep: Reputation: 30
Ok I founf the log file and seem to make some since out of them but theres one problem. the loggs stop three days ago and i mean ALL the logs mail, boot, and messages. theres messages and the n messages .1 .2 and so on the higher the number the older the log right? so then messages with no .# would be the newist? but it stops three days ago abouth the time of the problem got anymore ideas? do I need to do some kind of dump to get the lateist logs?
 
Old 07-18-2002, 09:05 PM   #6
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Original Poster
Rep: Reputation: 30
Ok I founf the log file and seem to make some since out of them but theres one problem. the loggs stop three days ago and i mean ALL the logs mail, boot, and messages. theres messages and the n messages .1 .2 and so on the higher the number the older the log right? so then messages with no .# would be the newist? but it stops three days ago abouth the time of the problem got anymore ideas? do I need to do some kind of dump to get the lateist logs?
 
Old 07-18-2002, 09:13 PM   #7
tied2
Member
 
Registered: Jun 2002
Location: Florida
Distribution: Redhat, FreeBSD, FC 6
Posts: 220

Original Poster
Rep: Reputation: 30
Opps I didn't mean to dup. that Hey would you look at my logs if I e-mail them to you? there seems to be some other stuff mixed in the log files"messages" something about a sound card error could that be causing my problem? my sound works fine. but i did turn off the KDE sounds cause for one they were annoying and two, real player streaming video wouldn't work cause it said it was busy.

Thanks agian!
 
Old 07-19-2002, 08:20 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600Reputation: 3600
Ok, just make a neat tarball and send it too unspawn at rootshell dot be. Be sure to scrub any of your public IP addy's tho.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to send snmp trap & recieve trap in C program minil Programming 3 07-10-2010 09:22 AM
How to generate snmp trap using the ucLinux /user/snmpd API jonathan_wu Programming 3 08-27-2008 09:15 AM
Kernel trap (Fatal trap 12) m!k@EL *BSD 4 09-05-2007 11:58 PM
snmp agent trap sending bluejob Programming 0 02-15-2005 03:43 AM
snmp (ucd-snmp, net-snmp) markus1982 Linux - Software 1 11-21-2002 10:45 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration