[plug] How does my IP address get to china?
Steve Boak
sboak at westnet.com.au
Mon Nov 10 12:15:55 WST 2003
Hi All
That may seem like a strange question, but it comes from a couple of probes I
got this morning. I did an 'apt-get update' which took about 15-20 seconds or
so, and almost as soon as the first request went out, I had 3 probes from
Informed Technology in Subiaco (203.8.116.111, ident port 113), and one from
some company in Beijing (211.93.80.152, ms-sql-s port 1434). Since my logs
restarted just after midnight, these are the only 'drops' from shorewall (see
below).
My question is this: the possibility of coincidence is quite small
considering the timing and the fact that I have had no other probes in the
last 12 hours, so just how did these two people (computers?) get my IP
address and immediately probe my machine? It has to be automated, there was
simply not time for anyone to type anything between my apt-get and the first
probe coming back.
My guess is that one of the relays passed through between me and
security.debian.org (traceroute says 18 hops via US and Germany) passed on my
IP address to the machine in Beijing. The probe from Subiaco most probably
got it locally. But how? A nasty daemon on some machine collecting and
forwarding IP addresses? And should I report it, at least to the Subiaco
company, though I have not had much response when I have tried to mail
system admins about such matters in the past.
Am I way off the track here, and if so, what is the real explanation?
Thanks
Steve
P.S. In the last hour while I have been thinking about this, I am now getting
hits about every 3 or 4 minutes. Apparently news (or IP addresses) travel fast
:)
36980 PROTO=TCP SPT=38688 DPT=113 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Nov 10 11:20:00 min kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC=
SRC=203.8.116.111 DST=202.173.134.218 LEN=60 TOS=0x00 PREC=0x00 TTL=61
ID=36981 PROTO=TCP SPT=38688 DPT=113 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Nov 10 11:20:05 min kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC=
SRC=203.8.116.111 DST=202.173.134.218 LEN=60 TOS=0x00 PREC=0x00 TTL=61
ID=36982 PROTO=TCP SPT=38688 DPT=113 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Nov 10 11:22:18 min kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC=
SRC=211.93.80.152 DST=202.173.134.218 LEN=404 TOS=0x00 PREC=0xE0 TTL=104
ID=43146 PROTO=UDP SPT=2242 DPT=1434 LEN=384
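As an added example, not part of the post and not Shorewall's own code, here is a small Python parser for the netfilter log format quoted above: it groups the dropped packets by source and destination port, measures how tightly each source's hits are bunched, and labels the two well-known patterns present in the log. The sample records are the post's own lines re-joined onto single lines, and the labels in classify() are the usual reading of such packets, stated as assumptions.

```python
import re
from datetime import datetime
# The post's Shorewall DROP records, re-joined onto one line each as syslog
# writes them (the mail wrapped them); the truncated first record is omitted.
SAMPLE_LOG = """\
Nov 10 11:20:00 min kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=203.8.116.111 DST=202.173.134.218 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=36981 PROTO=TCP SPT=38688 DPT=113 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Nov 10 11:20:05 min kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=203.8.116.111 DST=202.173.134.218 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=36982 PROTO=TCP SPT=38688 DPT=113 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Nov 10 11:22:18 min kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=211.93.80.152 DST=202.173.134.218 LEN=404 TOS=0x00 PREC=0xE0 TTL=104 ID=43146 PROTO=UDP SPT=2242 DPT=1434 LEN=384
"""
HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Shorewall:(\w+):(\w+):(.*)$")

def parse_line(line):
    """Parse one Shorewall/netfilter log record into a dict (None if not one)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts, chain, action, rest = m.groups()
    rec = {"time": datetime.strptime(ts, "%b %d %H:%M:%S"),  # syslog omits the year
           "chain": chain, "action": action, "flags": set()}
    for tok in rest.split():
        if "=" not in tok:               # bare TCP flag names such as SYN
            rec["flags"].add(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in rec:  # UDP records repeat LEN= (IP total,
            key = "UDP_LEN"                # then UDP length); keep both
        rec[key] = val
    return rec

def classify(rec):
    """Label a record by the traffic pattern it matches (labels are assumptions)."""
    proto, dport = rec.get("PROTO"), int(rec.get("DPT", 0))
    if proto == "TCP" and dport == 113 and "SYN" in rec["flags"]:
        # ident/auth: a server you just connected to commonly queries your port 113
        # to learn who opened the connection; dropping it is harmless
        return "ident lookup (TCP/113 SYN)"
    if proto == "UDP" and dport == 1434 and rec.get("LEN") == "404":
        # 376-byte Slammer payload + 8-byte UDP + 20-byte IP headers = 404 bytes
        return "SQL Slammer worm scan"
    return "unclassified"

def summarize(log_text):
    """Group DROPs by (source, protocol, port) with count, label and burst length."""
    groups = {}
    for rec in (r for r in map(parse_line, log_text.splitlines()) if r and r["action"] == "DROP"):
        key = (rec["SRC"], rec["PROTO"], int(rec["DPT"]))
        g = groups.setdefault(key, {"count": 0, "first": rec["time"],
                                    "last": rec["time"], "label": classify(rec)})
        g["count"] += 1
        g["first"], g["last"] = min(g["first"], rec["time"]), max(g["last"], rec["time"])
        g["span_s"] = int((g["last"] - g["first"]).total_seconds())  # seconds first..last
    return groups
```

Run summarize() over a real /var/log/messages extract to see which sources keep coming back and how quickly after an outbound connection they appear.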
_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug