Rattle wrote: Things that would be helpful to any reasonable analysis:

** Most likely to require an NDA:
1) Disk images of the original software CDs.
2) Information about who the software was shipped to.
3) Postage tracking information contained on the packaging of the software distribution. Scans of the shipping package would be a good start.

** Something Jeff Peterson could make public:
4) Comparison of "Build 244" in this case to other known "Build 244" distributions. Publishing MD5SUMs of the "Build 244" CDs in question would be enough to further that process.
5) Anything that could place "Build 244" to a time of creation.
It is Check Point NGX R60, Secure Platform Build 244 they are speaking of. Secure Platform is their hardened Linux-based ISO install of Check Point. I have original media for the major rev; I'm not sure if I have build 244 exactly. I'll install later and check.

Update: Keep in mind that the destination IPs of the packets are not of (paramount) importance. Any network that either holds in common in its routing over the Internet would be the most interesting point of attention. If a packet traverses a network, or hits the border of a network, it is visible, and hence identifiable based upon its destination address. Take a look and see the results in this situation...
The 48. address isn't in BGP, but 152.96.109.99 is, so it could potentially phone home today. Either way, this is weird shit if it's verifiable. I didn't particularly like the fact that the Provider-1 GUI splash page has three IP addresses used as a graphic (and they weren't RFC-1918 either). The IP addresses weren't in ARIN or BGP, but it's still like, ok, what kind of message are you trying to send here, Check Point?