From owner-freebsd-questions Fri Jun 21 13:25:55 2002
Delivered-To: freebsd-questions@freebsd.org
From: "John Straiton" <jks@clickcom.com>
To: freebsd-questions@FreeBSD.ORG
Subject: OT: Bizarre tcplog messages. Connects going to 0.0.0.0?
Date: Fri, 21 Jun 2002 16:28:12 -0400
Message-ID: <003d01c21962$2d4018e0$fe16c60a@win2k.clickcom.com>
Sender: owner-freebsd-questions@FreeBSD.ORG
List-ID: freebsd-questions

I hope someone can shed some light on this one because it's stumped everyone I know personally. It's a bit off topic, but my BSD boxes are all that have let me know there's a problem up till now:

This week we began seeing a very bizarre behavior on our FreeBSD machines. They all have "log_in_vain" turned on.
I started getting messages like

Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:10 from 216.189.xx.xxe:1744
Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:11 from 216.189.xx.xxf:1229
Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:12 from 216.189.xx.xxg:1929
Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:13 from 216.189.xx.xxe:1201
Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:14 from 216.189.xx.xxl:2014
Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:15 from 216.189.xx.xxj:1660

While I did x out the IP that's listed, I didn't change the first one. It really did say 0.0.0.0. I got a number of these messages in the syslog, but it all stopped about 15 seconds later. They would start targeting at port #1 and increment to port #138, then restart.

So I got a tcpdump ready (tcpdump host 0.0.0.0 > errors.txt) and the next time it happened, I captured over 4MB of traffic in seconds. Here are some lines from that capture:

14:23:49.604591 216.189.xx.xxw.1308 > 0.0.0.0.cisco-tna: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.605143 216.189.xx.xxz.1321 > 0.0.0.0.cisco-sys: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.605776 216.189.xx.xxy.1918 > 0.0.0.0.statsrv: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.606430 216.189.xx.xxv.1325 > 0.0.0.0.ingres-net: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.607030 216.189.xx.xxe.servexec > 0.0.0.0.loc-srv: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.607617 216.189.xx.xxa.iclpv-nlc > 0.0.0.0.profile: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.608235 216.189.xx.xxo.1217 > 0.0.0.0.netbios-ns: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.609142 216.189.xx.xxg.1953 > 0.0.0.0.netbios-dgm: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.609722 216.189.xx.xxa.1846 > 0.0.0.0.netbios-ssn: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.609998 www.ntatesting.com.ica > 0.0.0.0.6300: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.610531 216.189.xx.xxg.1219 > 0.0.0.0.tcpmux: S 674711609:674711609(0) win 65535 (DF) [ttl 1]

I have xxx'ed out the IPs, but what's important to notice is that they all come from the same /24 netblock, which we maintain.

Is this someone's NIC gone haywire or some packetkiddy trying to ruin my weekend? Something else?

Thanks for any ideas...

John Straiton
jks@clickcom.com
Clickcom, Inc
704-365-9970x101
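The capture quoted above carries several properties a practitioner would want to check mechanically before deciding between "broken NIC" and "packet generator": every SYN is addressed to 0.0.0.0, every one carries the same initial sequence number (674711609), every one arrives with TTL 1, the destination port steps by one per packet, and the source addresses are spread across many hosts in one /24. A real TCP stack picks a fresh ISN per connection, and a TTL of 1 cannot survive a router hop, so those two indicators together point at packets that were generated on the local segment rather than at a stack actually trying to connect. The script below is an added example, not code from the original post: it parses both the log_in_vain kernel lines and the tcpdump 3.x line format shown in the post and reports which indicators fire. The sample lines are constructed in the post's format with TEST-NET-1 (192.0.2.0/24) addresses standing in for the masked 216.189.xx.xx hosts, and the tcpdump sample assumes the capture was taken with -nn so that ports print as numbers rather than service names.

```python
"""Indicator check for SYNs to 0.0.0.0 in the post's log formats.

Added example, not code from the original post.  Sample input below is
constructed; addresses come from TEST-NET-1 (192.0.2.0/24).
"""
import ipaddress
import re
from collections import Counter

# tcpdump 3.x format as quoted in the post (assumes -nn, so ports are numeric):
# 14:23:49.604591 192.0.2.23.1308 > 0.0.0.0.131: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?P<isn>\d+):\d+\(\d+\) win (?P<win>\d+)"
    r"(?: \(DF\))?(?: \[ttl (?P<ttl>\d+)\])?"
)

# log_in_vain kernel line as quoted in the post.
KERNEL_RE = re.compile(
    r"Connection attempt to TCP (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)


def parse_tcpdump(lines):
    """Return one dict per line that matches the tcpdump format; skip the rest."""
    return [m.groupdict() for m in map(TCPDUMP_RE.match, lines) if m]


def analyze_syns(lines, target="0.0.0.0"):
    """Summarize SYNs aimed at `target` and list the indicators that fire."""
    pkts = [p for p in parse_tcpdump(lines)
            if p["dst"] == target and "S" in p["flags"]]
    if not pkts:
        return {"packets": 0, "indicators": []}
    isns = Counter(p["isn"] for p in pkts)
    ttl1 = sum(1 for p in pkts if p["ttl"] == "1")
    sources = {p["src"] for p in pkts}
    nets = Counter(str(ipaddress.ip_network(f"{s}/24", strict=False)) for s in sources)
    ports = [int(p["dport"]) for p in pkts]
    stepping = len(ports) > 1 and all(b - a == 1 for a, b in zip(ports, ports[1:]))

    indicators = []
    if target == "0.0.0.0":
        indicators.append("destination is the unspecified address 0.0.0.0")
    if len(isns) == 1 and len(pkts) > 1:
        # A real stack picks a fresh ISN per connection; one value shared
        # across many sources and ports means the packets were generated.
        indicators.append(f"all {len(pkts)} SYNs share ISN {next(iter(isns))}")
    if ttl1 == len(pkts):
        # TTL 1 cannot cross a router: the sender is on the local segment
        # or the TTL was chosen deliberately by the packet generator.
        indicators.append("every packet arrived with TTL 1")
    if stepping:
        indicators.append(f"destination port walks {ports[0]}..{ports[-1]} in steps of 1")
    if len(sources) > 1 and len(nets) == 1:
        indicators.append(f"{len(sources)} source hosts all inside {next(iter(nets))}")
    return {
        "packets": len(pkts),
        "sources": len(sources),
        "source_nets": dict(nets),
        "isns": dict(isns),
        "ttl1": ttl1,
        "port_range": (ports[0], ports[-1]),
        "indicators": indicators,
    }


def kernel_port_walk(lines):
    """From log_in_vain lines return (dst, lowest port, highest port, distinct sources)."""
    hits = [m.groupdict() for m in map(KERNEL_RE.search, lines) if m]
    if not hits:
        return None
    ports = [int(h["dport"]) for h in hits]
    return hits[0]["dst"], min(ports), max(ports), len({h["src"] for h in hits})


# Constructed sample in the post's format; the last tcpdump line is a normal
# SYN to a real host and must be ignored by the 0.0.0.0 filter.
SAMPLE_TCPDUMP = [
    "14:23:49.604591 192.0.2.23.1308 > 0.0.0.0.131: S 674711609:674711609(0) win 65535 (DF) [ttl 1]",
    "14:23:49.605143 192.0.2.26.1321 > 0.0.0.0.132: S 674711609:674711609(0) win 65535 (DF) [ttl 1]",
    "14:23:49.605776 192.0.2.25.1918 > 0.0.0.0.133: S 674711609:674711609(0) win 65535 (DF) [ttl 1]",
    "14:23:49.606430 192.0.2.22.1325 > 0.0.0.0.134: S 674711609:674711609(0) win 65535 (DF) [ttl 1]",
    "14:23:49.607030 192.0.2.5.2021 > 0.0.0.0.135: S 674711609:674711609(0) win 65535 (DF) [ttl 1]",
    "14:23:49.608235 192.0.2.15.1217 > 0.0.0.0.136: S 674711609:674711609(0) win 65535 (DF) [ttl 1]",
    "14:23:50.100000 198.51.100.7.40000 > 192.0.2.200.22: S 1203944321:1203944321(0) win 65535 (DF)",
]
SAMPLE_KERNEL = [
    "Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:10 from 192.0.2.23:1744",
    "Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:11 from 192.0.2.24:1229",
    "Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:12 from 192.0.2.25:1929",
    "Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:13 from 192.0.2.23:1201",
]

if __name__ == "__main__":
    for line in analyze_syns(SAMPLE_TCPDUMP)["indicators"]:
        print("indicator:", line)
    print("kernel log port walk:", kernel_port_walk(SAMPLE_KERNEL))
```

On a real capture, feed `analyze_syns` the lines of `errors.txt` from the post (taken with `tcpdump -nn host 0.0.0.0`) and compare the `source_nets` count against the /24 you administer; if the ISN and TTL indicators both fire, the source addresses tell you which segment the packets entered on, not which hosts built them, since nothing stops a generator on that segment from writing any source address it likes.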