Maybe this was an isolated incident?

[EMAIL PROTECTED] ~]# traceroute ansa.it
traceroute to ansa.it (194.244.5.201), 30 hops max, 38 byte packets
 1  xxx (xxx)  0.469 ms  0.243 ms  0.191 ms  << from my location
 2  xxx (xxx)  0.784 ms  0.798 ms  1.173 ms  << from my location
 3  atm008.edge1.chi.megapath.net (216.36.100.1)  30.781 ms  18.686 ms  30.491 ms
 4  fe0-2-1.core1.chi.megapath.net (66.80.128.93)  19.722 ms 
fe1-2-5.core1.chi.megapath.net (66.80.128.13)  20.238 ms 
fe1-2-2.core1.chi.megapath.net (66.80.128.21)  20.125 ms
 5  unknown.Level3.net (209.247.34.161)  21.388 ms  19.693 ms  20.131 ms
 6  ae-1-55.bbr1.Chicago1.Level3.net (4.68.101.129)  20.222 ms 
ae-1-53.bbr1.Chicago1.Level3.net (4.68.101.65)  23.849 ms  20.018 ms
 7  so-3-0-0.mp2.Paris1.Level3.net (212.187.128.37)  120.846 ms  115.749 ms  157.643 ms
 8  so-1-0-0.mpls1.Milan1.Level3.net (4.68.128.182)  131.848 ms 
so-3-0-0.mpls2.Milan1.Level3.net (212.187.128.202)  130.895 ms 
so-1-0-0.mpls1.Milan1.Level3.net (4.68.128.182)  130.391 ms
 9  ge-5-1.hsa1.Milan1.Level3.net (213.242.64.51)  133.088 ms  130.766 ms 
ge-4-0.hsa1.Milan1.Level3.net (213.242.64.3)  132.039 ms
10  ge-4-2-150.hsa1.Milan1.Level3.net (213.242.65.10)  135.333 ms  132.744 ms  131.506 ms
11  194.244.0.234 (194.244.0.234)  131.354 ms  132.001 ms  134.935 ms
12  194.20.5.166 (194.20.5.166)  141.723 ms  142.222 ms  143.342 ms
13  194.244.2.114 (194.244.2.114)  145.201 ms  147.555 ms  143.591 ms
14  * * *
15  * * *


----- Original Message -----
From: dave [mailto:[EMAIL PROTECTED]
To: [email protected]
Subject: What a strange route (The DoD inside)!


> 
> 
> Hi,
> 
> 
> 
> During a security check there was evidence of an intrusion.
> 
> 
> The hacker placed 2 backdoors and a rootkit.
> 
> What is very strange is that all packets seem to pass inside
> an Italian ISP WAN but inside its network there are some DoD IPs.
> 
> 
> 
> Like this traceroute may reveal:
> 
> [EMAIL PROTECTED]:dave# traceroute ansa.it
> traceroute to ansa.it (194.244.5.201), 30 hops max, 40 byte packets
>  1  192.168.1.1 (192.168.1.1)  0.293 ms  0.194 ms  0.294 ms
>  2  192.168.0.254 (192.168.0.254)  1.059 ms  1.328 ms  1.167 ms
>     Local Gateway.
> 
>  3  1.48.143.2 (1.48.143.2)  5.397 ms  5.107 ms  5.737 ms
>  4  10.251.58.17 (10.251.58.17)  4.458 ms  2.709 ms  4.481 ms
>  5  10.251.54.27 (10.251.54.27)  3.735 ms  2.839 ms  3.238 ms
>  6  10.251.55.1 (10.251.55.1)  3.245 ms  3.606 ms  2.988 ms
>  7  10.251.59.194 (10.251.59.194)  2.985 ms  3.959 ms  3.425 ms
> 
>  8  213-140-17-145.fastres.net (213.140.17.145)  3.294 ms  3.659 ms  3.408 ms
>     Fastweb Network.
> 
>  9  10.0.0.178 (10.0.0.178)  5.898 ms  3.671 ms  3.131 ms
> 10  10.254.0.33 (10.254.0.33)  3.468 ms  3.411 ms  2.934 ms
> 
> 11  26.26.26.xx (26.26.26.xx)  4.462 ms  3.674 ms  3.644 ms
> 12  26.26.26.xxx (26.26.26.xxx)  5.055 ms  3.834 ms  3.797 ms
> 13  26.26.26.xxx (26.26.26.xxx)  5.112 ms  3.541 ms  3.816 ms
>     DoD Network Information Center <- Why?
> 
> 14  213-140-31-121.ip.fastwebnet.it (213.140.31.121)  4.132 ms  4.430 ms  3.546 ms
>     Fastweb Network.
> 
> 15  Milano-6-ser5-1-0.tip.net (194.20.7.97)  4.899 ms  4.700 ms  4.535 ms
>     TIPNET
> 
> 16  194.20.5.166 (194.20.5.166)  20.033 ms  21.354 ms  16.155 ms
> 17  194.244.2.114 (194.244.2.114)  22.524 ms  17.389 ms  17.625 ms
>     IT-UNISOURCE.
> 
> 
> 
> It seems that some 0-day was used.
> 
> 
> I started the incident response, but I don't know how to check where packets
> are going.
> 
> After a few hours my ISP blocked the link and after a day any attempt to
> trace.
> 
> 
> I tried to test random TTL values without any success, but I would like 
> to investigate much more.
> 
> 
> 
> Tnx, Regards.
> Davide Minini.
> 
> -- 
> There are more things in heaven and earth,
> Horatio, than are dreamt of in your philosophy.

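Added example, not part of either message in this thread: one way to mark which hops of a traceroute like the one quoted above fall in RFC 1918 private space or in the 26.0.0.0/8 block that the original poster labels "DoD Network Information Center". The function names and the handling of masked octets ("xx") are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: hop lines taken from the traceroute quoted in the
# original message, plus one unanswered hop.
SAMPLE = """\
 2  192.168.0.254 (192.168.0.254)  1.059 ms  1.328 ms  1.167 ms
 3  1.48.143.2 (1.48.143.2)  5.397 ms  5.107 ms  5.737 ms
 4  10.251.58.17 (10.251.58.17)  4.458 ms  2.709 ms  4.481 ms
 8  213-140-17-145.fastres.net (213.140.17.145)  3.294 ms  3.659 ms  3.408 ms
11  26.26.26.xx (26.26.26.xx)  4.462 ms  3.674 ms  3.644 ms
14  213-140-31-121.ip.fastwebnet.it (213.140.31.121)  4.132 ms  4.430 ms  3.546 ms
15  * * *
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Labelled "DoD Network Information Center" in the original post.
NET_26 = ipaddress.ip_network("26.0.0.0/8")

HOP = re.compile(r"^\s*(\d+)\s+\S+\s+\(([0-9x.]+)\)")


def classify(addr):
    """Return 'rfc1918', '26/8' or 'other' for a dotted quad, masked or not."""
    # Assumption: masked octets ("xx") become 0, which is enough for
    # prefix checks no longer than the unmasked part of the address.
    octets = [o if o.isdigit() else "0" for o in addr.split(".")]
    ip = ipaddress.ip_address(".".join(octets))
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "26/8" if ip in NET_26 else "other"


def classify_hops(text):
    """Parse traceroute lines into (hop, address, class); skip '* * *' hops."""
    return [(int(m.group(1)), m.group(2), classify(m.group(2)))
            for m in map(HOP.match, text.splitlines()) if m]


def reentries(hops):
    """Hop numbers where the path goes from an 'other' address back to a
    private or 26/8 one."""
    return [cur[0] for prev, cur in zip(hops, hops[1:])
            if prev[2] == "other" and cur[2] != "other"]


if __name__ == "__main__":
    hops = classify_hops(SAMPLE)
    for hop in hops:
        print("%2d  %-16s %s" % hop)
    print("re-entries at hops:", reentries(hops))
```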