Date:      Tue, 24 Apr 2001 13:52:28 -0600
From:      "alex huppenthal" <alex@aspenworks.com>
To:        <Eric_Stanfield@kenokozie.com>
Cc:        <freebsd-isp@freebsd.org>
Subject:   Re: IPFW ? hacked?
Message-ID:  <007001c0ccf8$18ccbb00$c800a8c0@aspenworks.com>
References:  <OFDE8B68AA.F1E94189-ON86256A38.006C0EA7@kka.com>

Thanks,

 I don't see the 5999 port address listed, yet the packet count continues
to grow.

 The data is of no use, it's just compressed web pages, but it concerns me
that the BSD router between the Internet and the target system has this
interesting listing. I set up a pipe to limit bandwidth to the target
machine, and to watch.


BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp   205.149.189.91/5999       66.28.18.3/1027  123814 103707137  0    0   0

Checking

http://205.149.189.91/

Doesn't give me a warm and fuzzy feeling.


----- Original Message -----
From: <Eric_Stanfield@kenokozie.com>
To: "alex huppenthal" <alex@aspenworks.com>
Cc: <freebsd-isp@freebsd.org>
Sent: Tuesday, April 24, 2001 1:43 PM
Subject: Re: IPFW ? hacked?


>
> I would do:
>
> [exs@mrtg]> sockstat -4u |more
>
> and see what process is talking to that address.  I set up a linux box not
> too long ago and before I got back to it to tighten it down, some punk from
> an Israeli dsl provider rooted it and set up an app that would let him
> access the box.  The process he loaded changed its name in ps to something
> harmless like cron or something (I don't recall) and had I not looked at
> netstat (which shows more on a linux box) I would never have found out what
> happened.
>
> I really hope you didn't get rooted as one of the main reasons I go about
> preaching the goodness of all things freebsd is that I've never had a bsd
> box hacked.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Eric Stanfield, K2Access
> Keno Kozie Associates
> 222 N LaSalle #1500
> Chicago, IL 60606
> (312) 332-3000
>
>
>
>
>
> From: "alex huppenthal" <alex@aspenworks.com>
> Sent by: owner-freebsd-isp@FreeBSD.ORG
> To: "free" <freebsd-isp@FreeBSD.ORG>
> cc:
> Subject: IPFW ? hacked?
> 04/24/01 02:32 PM
>
> I set up a pipe, number 5, and set the bandwidth to 20Mbits.
>
> Interestingly, I see 205.149.189.91 as a destination IP address at port 5999
> collecting data from x.x.18.3
>
> I don't know 205.149.189.91 or have any process running to that site.
> However, the numbers are increasing.
>
> Anyone seen this behavior?
>
> 00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp       x.x.18.3/1027   205.149.189.91/5999  76043 19344253  0    0   0
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>
>
>
>
>
>

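What the thread is circling around is the difference between a flow that terminates on the box you are looking at and one the box merely routes. A dummynet pipe on the router counts every packet the matching rule sends into it, forwarded traffic included, so the 66.28.18.3:1027 <-> 205.149.189.91:5999 flow will show up in `ipfw pipe show` on the router while `sockstat -4` there can never name a process for it; the socket lookup has to run on 66.28.18.3 itself, and if that host shows an established flow with no owning socket, that absence is the finding. The script below is an added example, not code from the thread or from the FreeBSD project: it parses the two outputs, classifies each flow as local or forwarded for the host it is run on, and only for local flows looks up the owner. The `ipfw pipe show` and `sockstat -4` text embedded in it is a constructed sample (the pipe lines reuse the figures posted above, with the address the reply shows for the target); 192.0.2.1 as the router's own address is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an unexpected flow seen in
# "ipfw pipe show" on a FreeBSD box. The ipfw/sockstat output below is a
# constructed sample (pipe lines use the figures posted in the thread;
# 192.0.2.1 as the router's own address is an assumption).

# Constructed `ipfw pipe show` output for pipe 5, both directions of the flow.
PIPE_SAMPLE='00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp       66.28.18.3/1027   205.149.189.91/5999  76043 19344253  0    0   0
  0 tcp   205.149.189.91/5999       66.28.18.3/1027  123814 103707137  0    0   0'

# Constructed `sockstat -4` output: only sshd is listening, nothing owns port 1027.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*'

# One line per flow: proto src sport dst dport packets bytes.
# Header, pipe and mask lines are skipped because field 2 is not a protocol.
pipe_flows() {
    awk '$2 == "tcp" || $2 == "udp" {
        split($3, s, "/"); split($4, d, "/")
        print $2, s[1], s[2], d[1], d[2], $5, $6
    }'
}

# Prefix each flow with "local" if one endpoint is an address given as an
# argument (this host owns a socket for it) or "forwarded" otherwise (the
# host only routes it; no local process will ever show up for it).
classify_flows() {
    awk -v locals="$*" '
        BEGIN { n = split(locals, a, " "); for (i = 1; i <= n; i++) islocal[a[i]] = 1 }
        { kind = (islocal[$2] || islocal[$4]) ? "local" : "forwarded"; print kind, $0 }'
}

# Find the process owning a local TCP port in `sockstat -4` output.
# Prints "user command pid", or nothing if no socket matches.
socket_owner() {
    awk -v p="$1" '$5 == "tcp4" { split($6, l, ":"); if (l[2] == p) print $1, $2, $3 }'
}

# Run the whole triage for a host whose addresses are the arguments.
triage() {
    printf '%s\n' "$PIPE_SAMPLE" | pipe_flows | classify_flows "$@" |
    while read -r kind proto src sport dst dport pkts bytes; do
        if [ "$kind" = forwarded ]; then
            echo "forwarded $src:$sport -> $dst:$dport ($bytes bytes): not a socket here, look on the endpoint"
            continue
        fi
        # Pick whichever side of the flow is ours and look that port up.
        case " $* " in *" $src "*) lport=$sport ;; *) lport=$dport ;; esac
        owner=$(printf '%s\n' "$SOCKSTAT_SAMPLE" | socket_owner "$lport")
        # An established flow with no owning socket is itself a finding.
        echo "local port $lport ($bytes bytes): owner ${owner:-NONE FOUND, treat the host as suspect}"
    done
}

echo "== on the router (192.0.2.1) =="
triage 192.0.2.1
echo "== on the end host (66.28.18.3) =="
triage 66.28.18.3
```

On a live system, replace the two embedded samples with `ipfw pipe show` and `sockstat -4` run on the same host and pass that host's own addresses to `triage`. A process that renames itself in `ps`, as in the Linux case described above, still owns its socket, so the PID reported by `socket_owner` is the thing to chase rather than the command name.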
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?007001c0ccf8$18ccbb00$c800a8c0>