From owner-freebsd-stable Fri Aug 3 6:32:20 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from pump3.york.ac.uk (pump3.york.ac.uk [144.32.128.131]) by hub.freebsd.org (Postfix) with ESMTP id 8250E37B407 for ; Fri, 3 Aug 2001 06:32:11 -0700 (PDT) (envelope-from gavin.atkinson@ury.york.ac.uk)
Received: from ury.york.ac.uk (ury.york.ac.uk [144.32.108.81]) by pump3.york.ac.uk (8.10.2/8.10.2) with ESMTP id f73DW9822003; Fri, 3 Aug 2001 14:32:10 +0100 (BST)
Received: from localhost (gavin@localhost) by ury.york.ac.uk (8.11.3/8.11.3) with ESMTP id f73DW9K61568; Fri, 3 Aug 2001 14:32:09 +0100 (BST) (envelope-from gavin.atkinson@ury.york.ac.uk)
X-Authentication-Warning: ury.york.ac.uk: gavin owned process doing -bs
Date: Fri, 3 Aug 2001 14:32:09 +0100 (BST)
From: Gavin Atkinson
To: ADiNA
Subject: Re: Also weird packet (Was: weird packet ... anyone)
In-Reply-To: <20010803021033.57267.qmail@web13301.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Doesn't really belong in stable, but...

On Thu, 2 Aug 2001, ADiNA wrote:
> While I have the same condition as Vlad, it did not stop there. I
> almost get the message every day;
>
> Connection attempt to UDP 203.106.241.163:1331 from 203.106.241.168:53
> Connection attempt to UDP 203.106.241.163:1337 from 203.106.241.168:53
> Connection attempt to UDP 203.106.241.163:1340 from 203.106.241.168:53

I get the same thing - I believe these are harmless. 203.106.241.168 will
be your DNS server. Some DNS servers do try to reverse-connect... don't
know why.

> Later on, I got these ...
> Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2027
> Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2032
> Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2032
> Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2041
> ....

Sendmail attempting to connect back to the localhost's 'biff' service
(comsat), which runs on UDP port 512. Harmless.

> I ignored the messages, and only yesterday one person admitted he'd
> been in my system for almost three weeks monitoring mails!!!

I'm certain the above messages are unconnected to anybody having access to
your system. Compare /var/log/messages with /var/log/maillog - each of the
connection attempts to port 512 will correspond with a local user receiving
mail. As for the others, using nslookup will reveal them as errors. They are
nothing to do with somebody having compromised your box.

As for that, your easiest option is to re-install from a known-good source
(maybe a -RELEASE burned from the ISO?)

Gavin

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
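The check Gavin suggests (line up each port-512 attempt with a local delivery in maillog, and treat port-53 datagrams from your own resolver separately) is easy to script. The block below is an added example, not part of the thread and not a FreeBSD tool. It assumes the "Connection attempt to ..." lines come from the kernel with net.inet.udp.log_in_vain enabled and carry the usual syslog prefix ("Aug  3 14:30:01 host /kernel: ..."), that local deliveries appear in maillog as sendmail "mailer=local ... stat=Sent" records, and that the resolver set is supplied by hand; the log lines, host name, PIDs and queue IDs are constructed. It deliberately labels anything it cannot explain as "unexplained" rather than assuming it is benign, since none of this says anything about how the reported intruder got in.

```python
"""Triage FreeBSD 'Connection attempt to UDP ...' kernel messages.

Added example (not FreeBSD code). Classifies log_in_vain lines as:
  - comsat-notify: sendmail -> 127.0.0.1:512 (biff/comsat), cross-checked
    against maillog local deliveries within a small time window
  - dns-reply-to-closed-port: datagram from a known resolver's port 53 to a
    high port on this host
  - unexplained: everything else (deserves a closer look)
All sample log lines below are constructed for the example.
"""
import re
from datetime import datetime, timedelta

YEAR = 2001  # syslog lines carry no year; assumed for the constructed sample

# Assumed kernel line shape: syslog prefix, "/kernel:", then the log_in_vain text
IN_VAIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: "
    r"Connection attempt to (?P<proto>UDP|TCP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)
# Assumed sendmail local-delivery record (fields trimmed to what we need)
MAILLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"to=<(?P<rcpt>[^>]+)>.*mailer=local.*stat=Sent"
)


def parse_ts(text):
    """Turn 'Aug  3 14:30:01' into a datetime using the assumed YEAR."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def parse_in_vain(line):
    """Return a dict for a log_in_vain line, or None for any other line."""
    m = IN_VAIN_RE.match(line)
    if not m:
        return None
    return {
        "time": parse_ts(m["ts"]), "proto": m["proto"],
        "dst": m["dst"], "dport": int(m["dport"]),
        "src": m["src"], "sport": int(m["sport"]),
    }


def local_deliveries(maillog_lines):
    """Collect (time, recipient) for every local delivery in maillog."""
    out = []
    for line in maillog_lines:
        m = MAILLOG_RE.match(line)
        if m:
            out.append((parse_ts(m["ts"]), m["rcpt"]))
    return out


def classify(ev, resolvers, deliveries, window=timedelta(seconds=5)):
    """Label one parsed event using the two benign explanations from the thread."""
    if ev["proto"] != "UDP":
        return "not-udp"
    # sendmail telling comsat about a local delivery: loopback to loopback, port 512
    if ev["dst"] == "127.0.0.1" and ev["src"] == "127.0.0.1" and ev["dport"] == 512:
        for when, rcpt in deliveries:
            if abs(when - ev["time"]) <= window:
                return f"comsat-notify (matches local delivery to {rcpt})"
        return "comsat-notify (no matching maillog entry; check further)"
    # datagram from a configured resolver's port 53 to an unprivileged port here
    if ev["src"] in resolvers and ev["sport"] == 53 and ev["dport"] >= 1024:
        return "dns-reply-to-closed-port"
    return "unexplained"


def triage(messages, maillog, resolvers):
    """Return [(line, label)] for every log_in_vain line in messages."""
    deliveries = local_deliveries(maillog)
    results = []
    for line in messages:
        ev = parse_in_vain(line)
        if ev is not None:
            results.append((line, classify(ev, resolvers, deliveries)))
    return results


# Constructed sample input (not real logs from the thread)
MESSAGES = [
    "Aug  3 14:30:01 host /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2027",
    "Aug  3 14:31:12 host /kernel: Connection attempt to UDP 203.106.241.163:1331 from 203.106.241.168:53",
    "Aug  3 14:35:40 host /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:2041",
    "Aug  3 14:36:02 host /kernel: Connection attempt to UDP 203.106.241.163:514 from 198.51.100.7:40321",
    "Aug  3 14:36:05 host sshd[2200]: Accepted password for gavin from 192.0.2.9",  # skipped
]
MAILLOG = [
    "Aug  3 14:30:01 host sendmail[61570]: f73DU1K61568: to=<gavin>, delay=00:00:00, "
    "xdelay=00:00:00, mailer=local, pri=30123, dsn=2.0.0, stat=Sent",
]
RESOLVERS = {"203.106.241.168"}  # from /etc/resolv.conf on the box being checked

if __name__ == "__main__":
    for line, label in triage(MESSAGES, MAILLOG, RESOLVERS):
        print(f"{label:55s} <- {line}")
```

Feed it the real /var/log/messages and /var/log/maillog and every port-512 line should come back matched to a delivery; the lines worth time are the unmatched ones and anything labelled "unexplained", and on a box already known to be compromised the logs themselves may have been edited, which is the reason a reinstall from known-good media is the right answer regardless.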