From: "Mike Roest"
To: "'Tim Wilde'", "'Chris'"
Subject: RE: Have I been hacked?
Date: Tue, 6 Nov 2001 09:39:45 -0700
Message-ID: <000501c166e1$a76bd020$1e5d4018@zeus>
Sender: owner-freebsd-questions@FreeBSD.ORG

Yep Tim,

That is what a regular DHCP request looks like. The most likely thing is that somewhere on the network that this machine is connected to, a comp is trying to get an IP via DHCP. Since DHCP requests go out on broadcast, any machine hooked to the same segment will see that request.

So there really isn't anything to worry about with this, Chris.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Tim Wilde
Sent: Tuesday, November 06, 2001 8:19 AM
To: Chris
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Have I been hacked?

> That is the problem. The IP addresses listed here are
> real. I have no machine with an IP of 0.0.0.0,68. It
> is going from my firewall to the inside of my
> network.
> It looks like something on the firewall is looking for
> a dhcp server. The IP 0.0.0.0 looks very suspicious
> to me.

I'm no expert on DHCP, but I'm relatively sure that'd be what a normal DHCP request would look like - the box requesting a DHCP lease doesn't have an IP address, so it sends its DHCP discovery packet off with a source of 0.0.0.0 and a destination of 255.255.255.255 (the ethernet broadcast, unless I'm mistaken), UDP port 67. If you don't have anything that should be requesting a DHCP lease, that could be a problem, but if you're running dhclient anywhere, it's probably normal.

Tim

-- 
Tim Wilde
twilde@dyndns.org
Systems Administrator
Dynamic DNS Network Services
http://www.dyndns.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
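
An added example, not part of the original messages: a short Python check that decides whether a logged UDP datagram is the ordinary DHCP client broadcast described in this thread (0.0.0.0 port 68 to 255.255.255.255 port 67) and reports the requesting MAC address so the machine can be located. The function names, the sample MAC and the transaction id are constructed for illustration; the field offsets follow the BOOTP/DHCP layout in RFC 2131.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131: marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(mac: bytes, xid: int) -> bytes:
    """Constructed sample input: a minimal DHCPDISCOVER UDP payload."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, len(mac), 0,      # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x8000,         # transaction id, secs, broadcast flag
        bytes(4), bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr, giaddr
        mac, b"", b"")          # chaddr, sname, file (struct pads with zeros)
    return bootp + MAGIC_COOKIE + bytes([53, 1, 1, 255])  # option 53 = DISCOVER


def dhcp_message_type(payload: bytes):
    """Return the DHCP message type name, or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                              # truncated option
        length = payload[i + 1]
        if payload[i] == 53 and length == 1 and i + 2 < len(payload):
            return MSG_TYPES.get(payload[i + 2])
        i += 2 + length
    return None


def classify(src: str, sport: int, dst: str, dport: int, payload: bytes) -> str:
    """Label one UDP datagram as seen in a firewall or packet log."""
    msg = dhcp_message_type(payload)
    if (sport, dport) != (68, 67) or msg is None or payload[0] != 1:
        return "not a DHCP client request"
    mac = payload[28:28 + min(payload[2], 16)].hex(":")  # chaddr, hlen bytes
    if src == "0.0.0.0" and dst == "255.255.255.255":
        return f"normal DHCP{msg} broadcast from {mac}"
    return f"DHCP{msg} from {mac} with addressed source {src}"


if __name__ == "__main__":
    sample = build_discover(bytes.fromhex("020000000001"), 0x1234)
    print(classify("0.0.0.0", 68, "255.255.255.255", 67, sample))
```

The MAC address in the result is what to look up in switch or ARP tables to find which host is asking for a lease.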