
| Subject: | Re: What a strange route (The DoD inside)! |
|---|---|
| Date: | Mon, 03 Apr 2006 09:52:06 -0500 |

Maybe this was an isolated incident?

[root@xxx ~]# traceroute ansa.it
traceroute to ansa.it (194.244.5.201), 30 hops max, 38 byte packets
1 xxx (xxx) 0.469 ms 0.243 ms 0.191 ms << from my location
2 xxx (xxx) 0.784 ms 0.798 ms 1.173 ms << from my location
3 atm008.edge1.chi.megapath.net (216.36.100.1) 30.781 ms 18.686 ms 30.491 ms
4 fe0-2-1.core1.chi.megapath.net (66.80.128.93) 19.722 ms
  fe1-2-5.core1.chi.megapath.net (66.80.128.13) 20.238 ms
  fe1-2-2.core1.chi.megapath.net (66.80.128.21) 20.125 ms
5 unknown.Level3.net (209.247.34.161) 21.388 ms 19.693 ms 20.131 ms
6 ae-1-55.bbr1.Chicago1.Level3.net (4.68.101.129) 20.222 ms
  ae-1-53.bbr1.Chicago1.Level3.net (4.68.101.65) 23.849 ms 20.018 ms
7 so-3-0-0.mp2.Paris1.Level3.net (212.187.128.37) 120.846 ms 115.749 ms 157.643 ms
8 so-1-0-0.mpls1.Milan1.Level3.net (4.68.128.182) 131.848 ms
  so-3-0-0.mpls2.Milan1.Level3.net (212.187.128.202) 130.895 ms
  so-1-0-0.mpls1.Milan1.Level3.net (4.68.128.182) 130.391 ms
9 ge-5-1.hsa1.Milan1.Level3.net (213.242.64.51) 133.088 ms 130.766 ms
  ge-4-0.hsa1.Milan1.Level3.net (213.242.64.3) 132.039 ms
10 ge-4-2-150.hsa1.Milan1.Level3.net (213.242.65.10) 135.333 ms 132.744 ms 131.506 ms
11 194.244.0.234 (194.244.0.234) 131.354 ms 132.001 ms 134.935 ms
12 194.20.5.166 (194.20.5.166) 141.723 ms 142.222 ms 143.342 ms
13 194.244.2.114 (194.244.2.114) 145.201 ms 147.555 ms 143.591 ms
14 * * *
15 * * *

----- Original Message -----
From: dave [mailto:dave.m@email.it]
To: incidents@securityfocus.com
Subject: What a strange route (The DoD inside)!

Hi,

During a security check there was evidence of an intrusion. The hacker placed 2 backdoors and a rootkit. What is very strange is that all packets seem to pass inside an Italian ISP WAN, but inside its network there are some DoD IPs. Like this traceroute may reveal:

root@alea:dave# traceroute ansa.it
traceroute to ansa.it (194.244.5.201), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 0.293 ms 0.194 ms 0.294 ms
2 192.168.0.254 (192.168.0.254) 1.059 ms 1.328 ms 1.167 ms Local Gateway.
3 1.48.143.2 (1.48.143.2) 5.397 ms 5.107 ms 5.737 ms
4 10.251.58.17 (10.251.58.17) 4.458 ms 2.709 ms 4.481 ms
5 10.251.54.27 (10.251.54.27) 3.735 ms 2.839 ms 3.238 ms
6 10.251.55.1 (10.251.55.1) 3.245 ms 3.606 ms 2.988 ms
7 10.251.59.194 (10.251.59.194) 2.985 ms 3.959 ms 3.425 ms
8 213-140-17-145.fastres.net (213.140.17.145) 3.294 ms 3.659 ms 3.408 ms Fastweb Network.
9 10.0.0.178 (10.0.0.178) 5.898 ms 3.671 ms 3.131 ms
10 10.254.0.33 (10.254.0.33) 3.468 ms 3.411 ms 2.934 ms
11 26.26.26.xx (26.26.26.xx) 4.462 ms 3.674 ms 3.644 ms
12 26.26.26.xxx (26.26.26.xxx) 5.055 ms 3.834 ms 3.797 ms
13 26.26.26.xxx (26.26.26.xxx) 5.112 ms 3.541 ms 3.816 ms DoD Network Information Center <- Why?
14 213-140-31-121.ip.fastwebnet.it (213.140.31.121) 4.132 ms 4.430 ms 3.546 ms Fastweb Network.
15 Milano-6-ser5-1-0.tip.net (194.20.7.97) 4.899 ms 4.700 ms 4.535 ms TIPNET
16 194.20.5.166 (194.20.5.166) 20.033 ms 21.354 ms 16.155 ms
17 194.244.2.114 (194.244.2.114) 22.524 ms 17.389 ms 17.625 ms IT-UNISOURCE.

It seems that some 0-d were used. I started the incident response, but I don't know how to check where packets are going. After a few hours my ISP blocked the link, and after a day any attempt to trace. I tried to test random TTL values without any success, but I would like to investigate much more.

Tnx, Regards.
Davide Minini.

--here are more things in heaven and earth, horatio, than are dreamt of in your philosophy.
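
Added example, not part of either poster's message: a small parser for traceroute output like the trace quoted above. It separates RFC 1918 hops from public-range hops and lists the public-range hops with no reverse name that directly follow a private hop, so their registration and BGP origin can be looked up. The function names and the flagging heuristic are assumptions of this example; the sample hops are copied from the quoted trace, with one unanswered hop added.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST = re.compile(r"(\S+)\s+\(([0-9x.]+)\)")
RTT = re.compile(r"([0-9.]+) ms")

# Constructed sample: hops 9-14 as posted in the quoted message (masked
# octets kept), plus one unanswered hop added to exercise the parser.
SAMPLE = """\
 9  10.0.0.178 (10.0.0.178)  5.898 ms  3.671 ms  3.131 ms
10  10.254.0.33 (10.254.0.33)  3.468 ms  3.411 ms  2.934 ms
11  26.26.26.xx (26.26.26.xx)  4.462 ms  3.674 ms  3.644 ms
12  26.26.26.xxx (26.26.26.xxx)  5.055 ms  3.834 ms  3.797 ms
13  26.26.26.xxx (26.26.26.xxx)  5.112 ms  3.541 ms  3.816 ms
14  213-140-31-121.ip.fastwebnet.it (213.140.31.121)  4.132 ms  4.430 ms  3.546 ms
16  * * *
"""

def classify(addr):
    """'rfc1918' or 'public'; a masked octet ("xx") is read as 0."""
    probe = ".".join("0" if "x" in o else o for o in addr.split("."))
    ip = ipaddress.ip_address(probe)
    return "rfc1918" if any(ip in net for net in RFC1918) else "public"

def parse(text):
    """One dict per hop (first responder only): ttl, name, addr, kind, rtt."""
    hops = []
    for m in filter(None, map(HOP.match, text.splitlines())):
        host = HOST.search(m.group(2))
        rtts = [float(r) for r in RTT.findall(m.group(2))]
        name, addr = host.groups() if host else (None, None)
        hops.append({"ttl": int(m.group(1)), "name": name, "addr": addr,
                     "kind": classify(addr) if addr else "silent",
                     "rtt": min(rtts) if rtts else None})
    return hops

def review(hops):
    """TTLs of unnamed public-range hops that directly follow a private or flagged hop."""
    flagged, prev_internal = [], False
    for h in hops:
        hit = prev_internal and h["kind"] == "public" and h["name"] == h["addr"]
        flagged += [h["ttl"]] if hit else []
        prev_internal = hit or h["kind"] == "rfc1918"
    return flagged

if __name__ == "__main__":
    print("check whois/BGP origin for TTLs:", review(parse(SAMPLE)))
```

The per-hop `rtt` value is kept so the best round-trip time of a flagged hop can be compared with its neighbours when judging where that router physically sits.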