On Wed, 21 Nov 2001 14:09, Eduardo Bencomo wrote:
> We are in a mixed network, which includes a Cisco router, a 3COM switch
> common to the two networks and a hub where the gateway/firewall Linux
> computer is connected.
>
> One of the networks is my company network (192.168.X.X / 255.255.0.0. I am
> in charge of it) and the other network belongs to another company (10.10.X.X
> / 255.255.0.0). This company has a VPN. Now, they are accusing me of being a
> hacker, alleging we have tried to go into their VPN. As proof of that,
> they are showing the following type of message:

How do they know it's your network? The 192.168.x.x range is used by many many many people out there to define their internal networks, and is in fact supplied on spec (in one of the RFCs) for this very purpose. Just showing some logs with that IP in it doesn't seem to constitute any proof whatsoever that your particular network was involved.

The actual packets they've listed here appear to be NetBIOS broadcasts. These are sent by Windows clients when they are trying to poll the network for other Windows machines. It looks to me like Windows machines using 192.168.x.x are trying to poll something on their network. Again, no indication that it's necessarily from *your* network, it could be any machine using those IPs with a subnet mask of 255.255.0.0.

If they are seeing these packets, how did they make it there? If they are running a VPN, the only way they could see these packets from your network would be if someone using that IP connected to their VPN and then forwarded packets to them.

Unless they can provide more proof (perhaps with explanations of where they think the traffic is coming from, rather than a pile of oblique logs from a network and host you have no more information about) there's not much you can do. A "more information is required" situation.

Also, I'd assume it's not "hacking" - it feels more like some sort of misconfiguration to me.

Btw, is this other company on the same network, or does it share network hardware? What connections do you have to this company? Could it be something as simple as a patch lead connecting two hubs together?

> Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)
>
> Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)
>
> Oct 21 04:10:01 localhost kernel: Packet log: input REJECT eth0 PROTO=6 213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)

-- 
PGP key : http://n12turbo.com/tarragon/public.key
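
Added example, not part of the original message: a small parser for the ipchains `Packet log` lines quoted above that reports, per entry, whether the source is an RFC 1918 address, whether the destination is the broadcast address of the source's own subnet, and whether the port is a NetBIOS one. The /16 mask and the 10.10.0.0/16 range are taken from the original post; the function and field names are hypothetical.

```python
import ipaddress
import re

# The first two entries from the log quoted in the post (ipchains "Packet log" format).
SAMPLE = [
    "Oct 21 04:09:49 localhost kernel: Packet log: input REJECT eth0 PROTO=6 "
    "213.107.153.72:4512 216.72.44.186:27374 L=48 S=0x00 I=24273 F=0x4000 T=109 SYN (#70)",
    "Oct 21 04:09:55 localhost kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.168.2.185:138 192.168.255.255:138 L=229 S=0x00 I=43989 F=0x000 T=128 (#71)",
]

LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r".*?T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETBIOS = {(17, 137): "name service", (17, 138): "datagram service", (6, 139): "session service"}
PREFIX = 16                                       # 255.255.0.0, the mask given in the post
OTHER_NET = ipaddress.ip_network("10.10.0.0/16")  # the other company's range per the post


def parse(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    f = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl", "rule"):
        f[key] = int(f[key])
    f["src"], f["dst"] = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    f["syn"] = f["syn"] is not None
    return f


def describe(f):
    """Summarise what one parsed entry does and does not show."""
    src_net = ipaddress.ip_network(f"{f['src']}/{PREFIX}", strict=False)
    return {
        "src_private": any(f["src"] in n for n in RFC1918),
        "dst_is_src_subnet_broadcast": f["dst"] == src_net.broadcast_address,
        "netbios": NETBIOS.get((f["proto"], f["dport"])),
        "addressed_to_other_net": f["dst"] in OTHER_NET,
        "tcp_syn": f["proto"] == 6 and f["syn"],
    }


if __name__ == "__main__":
    for entry in SAMPLE:
        print(describe(parse(entry)))
```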
