Trace Route From Home Showing Suspicious Hop Just Outside LAN
Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I know this post isn't strictly Linux-based, but since the system in question appears to be using Linux and I am as well, I decided to post this here.
In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP, the second hop from my house jumped through a connection on IP 24.96.153.61, which I think should only be another dynamic IP Knology.net customer...
In scanning the IP I now know that it's a Juniper Junos Router 9.2R1.10 (probably running on some VMware, based on googling?)
Open ports show:
22 ssh OpenSSH 4.4 v. 1.99
23 telnet Openwall GNU/*/Linux telnetd
At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would Knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...
Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on?
Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?
Last edited by QuantumDot; 03-15-2011 at 12:58 AM.
Yes, this looks like it is a dynamic IP/user account for Knology.net.
I would recommend that you capture a set of traceroutes to common places and then contact your ISP to inquire about this. If in fact your traffic is routing through this location, it could be unusual. I also agree that an ISP would not allow telnet on their public interfaces and would probably use up-to-date commercial software. Given your experiments in your other thread, I wouldn't be surprised if you attracted some unwanted attention and this could be part of the result.
I would advise against posting too much information regarding "scanning" of this host or inquiring about how to obtain too much information against it. Such actions get into the realm of asking how to perform surveillance and cracking of other systems, which is prohibited in this forum. Instead, obtain the information and contact your ISP.
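The advice above is to collect several traceroutes and compare them before talking to the ISP. The following script is an added example, not code from anyone in this thread: it parses Linux traceroute output (both the default hostname-plus-address form and the numeric -n form), pulls out the second hop of every run, checks whether that hop is consistent across destinations, and flags any second hop that falls outside the /24 containing your own public address. The sample traceroute text, the public IP 198.51.100.42 and the /24 prefix length are constructed assumptions (RFC 5737 documentation addresses), so swap in your real runs and address before reading anything into the result.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample input: three traceroute runs to different destinations.
# All addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_RUNS = {
    "203.0.113.10": """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.389 ms  0.371 ms
 2  192.0.2.200 (192.0.2.200)  9.801 ms  9.790 ms  9.771 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  20.101 ms  20.090 ms  20.071 ms
""",
    # numeric (-n) style output
    "203.0.113.53": """traceroute to 203.0.113.53 (203.0.113.53), 30 hops max, 60 byte packets
 1  192.168.1.1  0.400 ms  0.380 ms  0.370 ms
 2  192.0.2.200  9.700 ms  9.690 ms  9.680 ms
 3  198.51.100.1  12.000 ms  11.900 ms  11.800 ms
 4  203.0.113.53  21.000 ms  20.900 ms  20.800 ms
""",
    "203.0.113.99": """traceroute to 203.0.113.99 (203.0.113.99), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.420 ms  0.400 ms  0.390 ms
 2  192.0.2.200 (192.0.2.200)  9.900 ms  9.850 ms  9.800 ms
 3  203.0.113.99 (203.0.113.99)  18.000 ms  17.900 ms  17.800 ms
""",
}

# Assumed public address of the home connection (constructed, not from the thread).
PUBLIC_IP = "198.51.100.42"

# One hop line: hop number, then either "host (a.b.c.d)", a bare "a.b.c.d", or "*".
HOP_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+"
    r"(?:\S+\s+\((?P<ip_paren>\d{1,3}(?:\.\d{1,3}){3})\)"
    r"|(?P<ip_bare>\d{1,3}(?:\.\d{1,3}){3})\s"
    r"|\*)"
)


def parse_traceroute(text):
    """Return [(hop_number, ip_or_None), ...]; None marks a hop that only timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or something we don't understand
        ip = m.group("ip_paren") or m.group("ip_bare")
        hops.append((int(m.group("num")), ip))
    return hops


def hop_outside_prefix(hop_ip, public_ip, prefix_len=24):
    """True if hop_ip is not in the prefix_len network that contains public_ip."""
    net = ipaddress.ip_network(f"{public_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(hop_ip) not in net


def summarize_second_hops(runs, public_ip, prefix_len=24):
    """Tally the second hop of every run and flag hops outside the expected prefix."""
    second_hops = Counter()
    for text in runs.values():
        by_num = dict(parse_traceroute(text))
        second_hops[by_num.get(2)] += 1  # None if hop 2 timed out or is missing
    unexpected = sorted(
        ip for ip in second_hops
        if ip is not None and hop_outside_prefix(ip, public_ip, prefix_len)
    )
    return {
        "second_hops": dict(second_hops),
        "consistent": len(second_hops) == 1,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    report = summarize_second_hops(SAMPLE_RUNS, PUBLIC_IP)
    print("second hops seen:", report["second_hops"])
    print("same second hop on every run:", report["consistent"])
    print("second hops outside my /24:", report["unexpected"])
```

A consistent second hop outside your own prefix is exactly the kind of concrete record worth sending to the ISP; a hop that only appears on some runs, or that is inside your own /24, points more towards a normal upstream gateway or a device between you and the ISP.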
I don't think this is enough information to really make a call either way. What is your public IP (you don't need to post here but just verify by going to www.whatismyip.com)? Are you sure that this isn't in fact just your cable modem or something similar and you have an extra router between you and your ISP? When I do a traceroute from a PC to any internet address the second hop is always my actual public IP on my cable modem, and the first is my internal gateway.
Why would that be another customer? When I do a traceroute, the address after my own (dynamic) IP address is on the same subnet as my own IP address, which is of course quite logical.
Two hops in the same subnet is not possible by design of the IP protocol.
My IP is 207.98.208.XX. There are a wide array of "user-XX-XX-...knolgy.net" dynamic IPs. From what I've gathered, it's really a hard call to make, in that I haven't been able to detect any kind of interference or alteration, but I've been overworked and haven't pressed the issue.
What concerns me is this appears to be recent in that I check these things fairly regularly, and that whatever it is, or whomever, has a fairly "open" system. A honeypot if you will. Other knology users within the 207.98.208.xx don't have this hop. Furthermore, outbound http requests freeze the system for about 200ms before going on. humm...
I'm thinking I may have been rooted, but that wouldn't really explain the outside hop. If it is an ISP monitor specifically assigned to monitor me, for whatever reason, it would have to be a honeypot due to its (apparently) poor implementation of a soft target on a VMware box, or a legit Knology hub. Either way, it's suspicious.
Furthermore, the cleverness is that network traffic analysis and system diagnostics fail in that if it's all done outside the LAN, coupled with the fact that I'm not versed in forensics well enough.
I will reiterate my earlier advice: discuss a traceroute log with your ISP. There is little point in speculating about what this might be. If this is an invalid route point, they will be in a far better position to deal with it than you are. If it is a valid hop, they can explain why and how it works.
Quote:
I'm thinking I may have been rooted, but that wouldn't really explain the outside hop. If it is an ISP monitor specifically assigned to monitor me, for whatever reason, it would have to be a honeypot due to its (apparently) poor implementation of a soft target on a VMware box, or a legit Knology hub. Either way, it's suspicious.
This statement gets into the realm of aluminum foil hat paranoia and makes a lot of supposition. LQSec deals with facts, not assumptions and what-might-be. Let us please either discuss real events with real log information or not discuss this at all. Let's especially avoid using the expression "I think I may have been rooted" when there is no evidence to support this.