Date: Thu, 25 Nov 2004 11:24:54 -0600
From: "Conrad J. Sabatier" <conrads@cox.net>
To: Dino Vliet <dino_vliet@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Help...am I being hacked?
Message-ID: <1101403494.63632.8.camel@dolphin.local.net>
In-Reply-To: <20041125093515.3557.qmail@web51104.mail.yahoo.com>
References: <20041125093515.3557.qmail@web51104.mail.yahoo.com>
On Thu, 2004-11-25 at 01:35 -0800, Dino Vliet wrote:
> Hi all,
>
> I'm using FreeBSD 4.10 on my laptop and I was browsing my filesystem and
> looking at some log files, when I stumbled into the file dmesg.yesterday
> in /var/log/
>
> The contents of this file worried me. Take a look at the last lines of it:
>
> Connection attempt to TCP 192.168.1.101:5554 from 220.147.188.223:4970 flags:0x02
> Connection attempt to TCP 192.168.1.101:9898 from 220.147.188.223:1288 flags:0x02
> Connection attempt to TCP 192.168.1.101:21 from 168.126.102.33:57216 flags:0x02
> Connection attempt to UDP 192.168.1.101:1026 from 222.88.173.5:31889
> Connection attempt to TCP 192.168.1.101:9898 from 67.1.4.194:3161 flags:0x02

These merely indicate connection *attempts*, not actual successful
connections to your machine. They don't mean you've been "hacked".

> But my IP on this machine starts with 130.
>
> But I recognize these IPs (192.168.1.101), because at home I'm using an
> e-tech router and it assigns me through DHCP 192.168.1.* as IP address
> every time I connect my laptop with this. At the campus, I'm also using
> DHCP to connect to the network. However, lately I haven't used my router
> at home and was only connecting through the network at the campus. There
> I get the IP address 130.37.28.112.
>
> I have removed the old dhcp.leases in /var/db that had the information
> of my e-tech router.
>
> I am using ipfw too now, but still it would be convenient to know where
> to look for hack attempts and look for log files which give information
> about connection attempts from outside.

/var/log/security, /var/log/ipfw.*, /var/log/messages, and so on.

With a more "stealthy" firewall setup, you wouldn't even be seeing these
connection attempt logs, as these outsiders would never even manage to
reach your machine at all.

-- 
Conrad J. Sabatier -- conrads@cox.net -- "In Unix veritas"
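As an added example (not part of the thread, and not FreeBSD's own tooling): a small Python script that parses the "Connection attempt to ..." lines quoted above and summarises them the way a defender triaging such a log would want: per-source counts, which destination ports each source touched, how many TCP entries are bare SYNs (flags 0x02, the first packet of a handshake, which is all an unanswered attempt ever shows), and whether the logged destination address is a private (RFC 1918) address like the 192.168.1.101 that puzzled the poster. The sample lines are constructed from the ones in the message; the line format is assumed to match the quoted entries exactly.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample input, copied from the entries quoted in the thread.
SAMPLE_LOG = """\
Connection attempt to TCP 192.168.1.101:5554 from 220.147.188.223:4970 flags:0x02
Connection attempt to TCP 192.168.1.101:9898 from 220.147.188.223:1288 flags:0x02
Connection attempt to TCP 192.168.1.101:21 from 168.126.102.33:57216 flags:0x02
Connection attempt to UDP 192.168.1.101:1026 from 222.88.173.5:31889
Connection attempt to TCP 192.168.1.101:9898 from 67.1.4.194:3161 flags:0x02
"""

# Assumed format: "Connection attempt to <PROTO> <dst>:<dport> from <src>:<sport>[ flags:0x..]"
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?: flags:(?P<flags>0x[0-9a-fA-F]+))?"
)

TCP_SYN = 0x02  # SYN bit in the TCP flags byte


def parse_line(line):
    """Return a dict for one log entry, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "src": d["src"],
        "sport": int(d["sport"]),
        # UDP entries carry no flags field, so this stays None for them
        "flags": int(d["flags"], 16) if d["flags"] else None,
    }


def summarize(text):
    """Aggregate parsed entries into the fields a quick triage needs."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    by_src = Counter(e["src"] for e in events)
    by_dport = Counter((e["proto"], e["dport"]) for e in events)
    ports_per_src = defaultdict(set)
    for e in events:
        ports_per_src[e["src"]].add(e["dport"])
    # A bare SYN is the first packet of a handshake: it proves an attempt,
    # not a completed connection.
    syn_only = sum(
        1 for e in events if e["proto"] == "TCP" and e["flags"] == TCP_SYN
    )
    # Flag destinations in private address space (e.g. a home router's DHCP
    # range) so stale entries from another network stand out.
    private_dsts = sorted(
        {e["dst"] for e in events if ipaddress.ip_address(e["dst"]).is_private}
    )
    return {
        "total": len(events),
        "by_src": dict(by_src),
        "by_dport": dict(by_dport),
        "ports_per_src": {k: sorted(v) for k, v in ports_per_src.items()},
        "syn_only": syn_only,
        "private_dsts": private_dsts,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['total']} attempts, {s['syn_only']} bare TCP SYNs")
    for src, n in sorted(s["by_src"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:<16} {n} attempt(s) to ports {s['ports_per_src'][src]}")
    print("private destination addresses:", s["private_dsts"])
```

Run it against a real /var/log/dmesg.* or /var/log/messages by passing the file contents to summarize(); a source that touches many distinct destination ports in a short window is the usual sign of a scan, while a single source hitting one port repeatedly is more often a worm probe or a misconfigured client.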