Date: Tue, 24 Apr 2001 14:43:19 -0500
From: Eric_Stanfield@kenokozie.com
To: "alex huppenthal" <alex@aspenworks.com>
Cc: freebsd-isp@freebsd.org
Subject: Re: IPFW ? hacked?
Message-ID: <OFDE8B68AA.F1E94189-ON86256A38.006C0EA7@kka.com>
I would do:

    [exs@mrtg]> sockstat -4u |more

and see what process is talking to that address.

I set up a linux box not too long ago and before I got back to it to tighten it down, some punk from an Israeli dsl provider rooted it and set up an app that would let him access the box. The process he loaded changed its name in ps to something harmless like cron or something (I don't recall) and had I not looked at netstat (which shows more on a linux box) I would never have found out what happened.

I really hope you didn't get rooted as one of the main reasons I go about preaching the goodness of all things freebsd is that I've never had a bsd box hacked.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eric Stanfield, K2Access
Keno Kozie Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000

"alex huppenthal" <alex@aspenworks.com>
Sent by: owner-freebsd-isp@FreeBSD.ORG
04/24/01 02:32 PM
To: "free" <freebsd-isp@FreeBSD.ORG>
cc:
Subject: IPFW ? hacked?

I set up a pipe - number 5, and set the bandwidth to 20Mbits.

Interestingly, I see 205.149.189.91 as a destination IP address at port 5999 collecting data from x.x.18.3

I don't know 205.149.189.91 or have any process running to that site. However, the numbers are increasing.

Anyone seen this behavior?

    00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
        mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
    BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
      0 tcp         x.x.18.3/1027   205.149.189.91/5999 76043 19344253  0    0   0

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
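The check suggested in the reply, as an added example that is not part of the original thread: it matches each flow listed by `ipfw pipe show` against `sockstat -4` output to name the process that owns the connection. The sample listings are constructed, `192.0.2.3` stands in for the redacted `x.x.18.3`, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed samples (not real captures). 192.0.2.3 stands in for the
# redacted x.x.18.3 source; the destination is the one quoted in the thread.
PIPE_SAMPLE='00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp        192.0.2.3/1027   205.149.189.91/5999 76043 19344253  0    0   0'
SOCK_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       212   3  tcp4   *:22                  *:*
www      httpd      340   16 tcp4   192.0.2.3:80          198.51.100.7:40112
nobody   cron       977   4  tcp4   192.0.2.3:1027        205.149.189.91:5999'

# pipe_flows: read "ipfw pipe show" text on stdin and print one line per
# flow as "proto src_ip:port dst_ip:port bytes" (sockstat-style addresses).
pipe_flows() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^(tcp|udp)$/ && $3 ~ /\// && $4 ~ /\// {
        src = $3; dst = $4
        sub("/", ":", src); sub("/", ":", dst)
        print $2, src, dst, $6
    }'
}

# flow_owner LOCAL FOREIGN: read "sockstat -4" text on stdin and print
# "user command pid" for the socket whose address pair matches exactly.
flow_owner() {
    awk -v l="$1" -v f="$2" 'NR > 1 && $6 == l && $7 == f { print $1, $2, $3 }'
}

# correlate PIPE_TEXT SOCK_TEXT: name the owner of every dummynet flow, or
# report NONE when no local socket matches (for example forwarded traffic
# or a socket that has since closed).
correlate() {
    printf '%s\n' "$1" | pipe_flows | while read -r proto src dst bytes; do
        owner=$(printf '%s\n' "$2" | flow_owner "$src" "$dst")
        echo "$proto $src -> $dst bytes=$bytes owner=${owner:-NONE}"
    done
}

# On a live FreeBSD host: correlate "$(ipfw pipe show)" "$(sockstat -4)"
correlate "$PIPE_SAMPLE" "$SOCK_SAMPLE"
```

The reported command name is only what the process claims to be, so the PID is the value to carry into further inspection.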