With respect to most other responders on this thread... The way traceroute
works, a target machine is free to do whatever it wants with incoming
packets. Including spoof a reply from someone else.
http://www.thoughtcrime.org/software/fakeroute/

Look at the timings. There's your clue. Starting with hop 14, you're talking
to the target machine.

-porkchop

On 4/20/09 5:24 PM, "Richard Golodner" <[email protected]> wrote:

> I see in my log files that I get probed from 119.161.130.75 on
> an almost hourly basis (make dumb joke here), udp port scans, brute force
> password attempts, nothing too out of the ordinary which is why I ask help from
> the funsec community. Check out this log and tell me what is going on here.
> Hop 12 is the handoff from Sprint to China net.
> Hop 22 is a static route provided by GE with an IP of 3.3.3.2
> Hop 23 is DoD Experimental IP space
> Hop 24 is the host harassing me.
> Why would I see a static route from GE here and then DoD IP
> space? I am just curious as I think this is a strange path to get to the host
> that resides at hop 24.
> Please feel free to chime in with any ideas. I have no clue,
> again.
> Thanks, Richard
>
>
>  1    1 ms    1 ms    1 ms  10.10.10.1
>  2   13 ms   11 ms   10 ms  10.20.0.1
>  3    7 ms    7 ms    7 ms  vl2.aggr1.chgo.il.rcn.net [207.229.191.130]
>  4    9 ms    7 ms    7 ms  tge3-1.border2.eqnx.il.rcn.net [207.172.19.159]
>  5   10 ms    7 ms    7 ms  te-8-3.car3.Chicago1.Level3.net [4.71.101.73]
>  6   10 ms   11 ms    7 ms  ae-1-51.edge3.Chicago3.Level3.net [4.68.101.20]
>  7   11 ms    8 ms    7 ms  sl-st20-chi-5-0.sprintlink.net [144.232.19.173]
>  8   10 ms   11 ms   12 ms  sl-crs2-chi-0-12-2-0.sprintlink.net [144.232.19.145]
>  9   31 ms   33 ms   30 ms  sl-crs1-che-0-0-0-0.sprintlink.net [144.232.20.161]
> 10   61 ms   58 ms   59 ms  sl-crs1-stk-0-0-0-1.sprintlink.net [144.232.20.241]
> 11   68 ms   60 ms   75 ms  sl-crs2-sj-0-14-0-0.sprintlink.net [144.232.24.34]
> 12   57 ms   59 ms   59 ms  sl-st20-sj-13-0-0.sprintlink.net [144.232.9.58]
> 13  156 ms  154 ms  154 ms  sl-china1-7-0.sprintlink.net [144.223.242.126]
> 14  337 ms  340 ms  339 ms  202.97.51.189
> 15  352 ms  356 ms  364 ms  202.97.53.37
> 16  340 ms  340 ms  340 ms  220.181.16.126
> 17  357 ms  356 ms  355 ms  220.181.17.106
> 18  354 ms  354 ms  356 ms  220.181.144.33
> 19  348 ms  347 ms  351 ms  220.181.144.18
> 20  349 ms  352 ms  351 ms  218.240.7.107
> 21  349 ms  349 ms  353 ms  219.142.47.74
> 22  350 ms  353 ms  349 ms  n003-000-000-000.static.ge.com [3.3.3.2]
> 23    *     350 ms  352 ms  6.6.6.6
> 24  351 ms  356 ms  353 ms  119.161.130.75
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.

--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less. http://www.tessco.com/
