I know this post isn't strictly linux based, but since the system in question appears to be using Linux and I am as well I decided to post this here.

In doing other network playing with Ubuntu Sever 10.10 I noticed that on all traceroutes I did to any IP the second hop from my house jumped through a connection on IP 24.96.153.61 which I think should only be another dynamic IP Knology.net customer...

In scanning the IP I now know that its a Juniper Junos Router 9.2R1.10 (Probably running on some VMware based on googling?)

Open ports show: 22 ssh openSSH 4.4 v. 1.99
23 telnet Openwall GNU/*/Linux telnetd

At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...

Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on?

Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?

Yes, this looks like it is a dynamic IP/user account for Knology.net.

I would recommend that you capture a set of traceroutes to common places and then then contact your ISP to inquire about this. If in fact your traffic is routing through this location, it could be unusual. I also agree that an ISP would not allow telnet on their public interfaces and would probably use up to date commercial software. Given your experiments in your other thread, I wouldn't be surprised if you attracted some unwanted attention and this could be part of the result.

I would advise against posting too much information regarding "scanning" of this host or inquiring about how to obtain too information against it. Such actions get into the realm of asking how to perform surveillance and cracking of other systems which is prohibited in this forum. Instead, obtain the information and contact your ISP.

I don't think this is enough information to really make a call either way. What is your public IP (you don't need to post here but just verify by going to www.whatismyip.com)? Are you sure that this isn't in fact just your cable modem or something similar and you have an extra router between you and your ISP? When I do a traceroute from a PC to any internet address the second hop is always my actual public IP on my cable modem, and the first is my internal gateway.

Why would that be another customer? When I do a traceroute, the address after my own (dynamic) IP address is on the same subnet as my own IP address, which is of course quite logical.

Two hops in the same subnet is not possible by design of the IP protocol.

jlinkels

My IP is 207.98.208.XX. There are a wide array of "user-XX-XX-...knolgy.net" dynamic IP's. From what I've gathered, it's really a hard call to make, in that I haven't been able to detect any kind of interference or or alteration, but I've been overworked and haven't pressed the issue.

What concerns me is this appears to be recent in that I check these things fairly regularly, and that whatever it is, or whomever, has a fairly "open" system. A honeypot if you will. Other knology users within the 207.98.208.xx don't have this hop. Furthermore, outbound http requests freeze the system for about 200ms before going on. humm...

I'm thinking I may have been rooted, but that wouldn't really explain the outside hop. If it is an ISP monitor specifically assigned to monitor me, for whatever reason, it would have to be a honeypot due to it's (apparently) poor implantation of a soft target on a VMware box, or a legit knology hub. Either way, it's suspicious.

Furthermore, the cleverness is that network traffic analysis and system diagnostics fail in that if its all done outside the LAN coupled with the fact that I'm not versed in forensics well enough.

I'll post more later. Night all.

I will re-iterate my earlier advice: discuss a traceroute log with your ISP. There is little point in speculating about what this might be. If this is an invalid route point, they will be in a far better position to deal with it than you are. If it is valid hop, they can explain why and how it works.

This statement gets into the realm of aluminum foil hat paranoia and makes a lot of supposition. LQSec deals with facts, not assumptions and what-might-be. Let us please either discuss real events with real log information or not discuss this at all. Lets especially avoid using the expression "I think I may have been rooted" when there is not evidence to support this.

1 members found this post helpful.