[opensuse] Re: Odd activity on my webserver
  • From: C <smaug42@xxxxxxxxx>
  • Date: Sat, 11 Dec 2010 10:50:30 +0100
  • Message-id: <AANLkTikP47tA-RAeor5RS5awAmHisa+LTuJFypc2_B2Q@xxxxxxxxxxxxxx>
Hmmm maybe I've stumbled on the real source?

I started poking in my hardware router firewall logs... and I'm seeing
these kinds of entries over and over....
-------------------------
[LAN access from remote] from 213.226.63.155:46921 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:58
[LAN access from remote] from 46.29.107.22:34676 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:47
[LAN access from remote] from 220.247.1.204:62607 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:35:27
[LAN access from remote] from 87.68.51.97:49548 to 192.168.1.5:80 Saturday, Dec 11,2010 09:33:23
[LAN access from remote] from 87.68.51.97:49546 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:33:22
[LAN access from remote] from 87.68.51.97:49545 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:33:21
[LAN access from remote] from 66.65.11.185:44620 to 192.168.1.5:18987 Saturday, Dec 11,2010 09:32:50

(it's one hour out because I've never bothered to update for DST)

Poking around some more, I discovered that UPnP was turned on in the
router... and port 18987 was... opened or available. This is a new
router I've recently added to my network, and UPnP was on by default -
I did not explicitly turn it on.

I've switched UPnP off now, and network activity has dropped to zero
again. I think any previous changes while I was tinkering with my
Apache server were coincidental.

I did some digging and came across this: http://www.upnp-hacks.org/igd.html

Interestingly (or worryingly?) the router log now shows....
--------------------------
[LAN access from remote] from 66.249.72.106:58661 to 192.168.1.5:80 Saturday, Dec 11,2010 09:42:07
[LAN access from remote] from 85.190.0.3:51549 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:36
[LAN access from remote] from 85.190.0.3:55221 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:36
[LAN access from remote] from 85.190.0.3:44693 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:36
[LAN access from remote] from 85.190.0.3:43506 to 192.168.1.5:80 Saturday, Dec 11,2010 09:39:16

So they've switched from hammering port 18987 which was open via the
UPnP service, to port 80.... but I'm not seeing anywhere near the
level of constant activity on my machine anymore.

So... guessing here... someone discovered my router, poked it, and
found out UPnP was enabled... and took advantage of this. Question
is... what? Could they have compromised my openSUSE system behind the
firewall? How does someone find out if this has happened? Is it time
to figure out how rkhunter works?

C.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
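A parser and per-destination-port summary for the router log format quoted in the post above, added here as an example (it is not part of C.'s message or of any openSUSE tool). The sample entries are copied from the post, including the mail-client line wrapping; treating port 80 as the only expected inbound port is an assumption made for this web server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Entry format as it appears in the router log quoted in the post:
# "[LAN access from remote] from SRC:SPORT to DST:DPORT Weekday, Mon DD,YYYY HH:MM:SS"
ENTRY_RE = re.compile(
    r"\[LAN access from remote\] from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"[A-Za-z]+, (?P<ts>[A-Za-z]{3} \d{1,2},\d{4} \d{2}:\d{2}:\d{2})"
)

# Sample copied from the entries shown in the post (wrapped mid-entry by the mail client).
SAMPLE_LOG = """
[LAN access from remote] from 213.226.63.155:46921 to
192.168.1.5:18987 Saturday, Dec 11,2010 09:35:58
[LAN access from remote] from 46.29.107.22:34676 to 192.168.1.5:18987
Saturday, Dec 11,2010 09:35:47
[LAN access from remote] from 87.68.51.97:49548 to 192.168.1.5:80
Saturday, Dec 11,2010 09:33:23
[LAN access from remote] from 87.68.51.97:49546 to 192.168.1.5:18987
Saturday, Dec 11,2010 09:33:22
"""

def parse_entries(text):
    """Return one dict per entry; wrapped lines are rejoined by collapsing whitespace."""
    flat = " ".join(text.split())
    return [{"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
             "ts": datetime.strptime(m["ts"], "%b %d,%Y %H:%M:%S")}
            for m in ENTRY_RE.finditer(flat)]

def summarize_by_port(entries, expected_ports=frozenset({80})):
    """Group inbound hits by destination port. A port outside expected_ports is flagged:
    nothing should reach it unless a forwarding rule (e.g. a UPnP mapping) opened it."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    for e in entries:
        s = summary[e["dport"]]
        s["hits"] += 1
        s["sources"].add(e["src"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    for port, s in summary.items():
        s["unexpected"] = port not in expected_ports
    return dict(summary)

if __name__ == "__main__":
    for port, s in sorted(summarize_by_port(parse_entries(SAMPLE_LOG)).items()):
        flag = "UNEXPECTED: check router port forwards / UPnP mappings" if s["unexpected"] else "expected"
        print(f"port {port:>5}: {s['hits']} hits from {len(s['sources'])} sources "
              f"({s['first']:%H:%M:%S} to {s['last']:%H:%M:%S}) {flag}")
```

Any port the summary flags is one to account for in the router's forwarding table; on a host that should only serve HTTP, inbound hits on 18987 as shown here point at a mapping the owner did not create.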