From owner-freebsd-questions@FreeBSD.ORG Tue Nov 9 21:53:39 2004
Date: Tue, 9 Nov 2004 16:53:11 -0500
From: Joe Altman
To: Jorn Argelo
cc: questions@freebsd.org
Message-ID: <20041109215311.GA15288@panix.com>
In-Reply-To: <20041108100954.M66265@wcborstel.nl>
Subject: Re: Strange netstat output

On Mon, Nov 08, 2004 at 11:20:03AM +0100, Jorn Argelo wrote:
> Hi folks,
>
> Recently I took notice about a strange netstat output within my LAN:
>
> [jorn@www] ~> netstat -ra
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            ACA80101.ipt.aol.c UGS         0   156153    rl0
> localhost          localhost          UH          2   539754    lo0
> ACA80100.ipt.aol.c link#1             UC          0        0    rl0
> ACA80101.ipt.aol.c 00:09:5b:a7:a4:3e  UHLW        1     3918    rl0    790
> ACA80102.ipt.aol.c 00:10:a7:0d:6f:7f  UHLW        0      325    rl0   1193
> ACA80104.ipt.aol.c localhost          UGHS        0        0    lo0
> ACA801FF.ipt.aol.c ff:ff:ff:ff:ff:ff  UHLWb       0     1091    rl0
> 192.168.2.105      localhost          UGHS        0        0    lo0
>
>
> The ipt.aol.com is the one that's the problem. If I ping it, it returns this:
>
>
> PING ACA80102.ipt.aol.com (172.168.1.2): 56 data bytes
> 64 bytes from 172.168.1.2: icmp_seq=0 ttl=64 time=0.120 ms
> 64 bytes from 172.168.1.2: icmp_seq=1 ttl=64 time=0.149 ms
> 64 bytes from 172.168.1.2: icmp_seq=2 ttl=64 time=0.149 ms
> ^C
> --- ACA80102.ipt.aol.com ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.120/0.139/0.149/0.014 ms
> [jorn@www] ~>
>
> Which is my internal IP address. If I ping ACA80104, it goes to 172.168.1.4. If
> I ping ACA80100, it says 172.168.1.100 and ACA801FF is the 172.168.1.255
> address (the broadcast address, if I recall my Cisco classes correctly).

Are you saying that you've used 172.168.1.2 for a host on your LAN? If so:

04:43 PM: whois -h whois.arin.net 172.168.1.2

OrgName:    America Online
OrgID:      AOL
Address:    22000 AOL Way
City:       Dulles
StateProv:  VA
PostalCode: 20166
Country:    US

NetRange:   172.128.0.0 - 172.191.255.255
CIDR:       172.128.0.0/10

The ipt machines are clients using AOL for connectivity, IIACI.

I think you mean to use:

172.16.0.0 through 172.31.255.255

> The 192.168.1.105 address is rather strange as well, because I'm not using
> that range on the router's DHCP server (Netgear FVS318, in case you want to know)
>
> So my question is, what are these? My firewall log (on the router) is showing
> some major blocking on port 445 and 135. It's not like one IP address is doing
> all the bad stuff; most of them are just random grabs from virus infected
> machines.

--
One million points of light shining on the new world-order model for fascism and tyranny. Get in line.
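As an added example (not from either poster), a small Python script that does the two checks this thread turns on: decoding the AOL-style hex reverse-DNS labels netstat printed (ACA80102 is AC.A8.01.02, i.e. 172.168.1.2) and testing each route destination against the RFC 1918 private ranges, so a 172.168.x.x host shows up as public space instead of being mistaken for 172.16/12. The sample routing table is constructed from the output quoted above.

```python
import ipaddress
import re

# RFC 1918 private ranges. 172.16.0.0/12 spans 172.16.0.0 - 172.31.255.255;
# 172.168.x.x lies outside it and is publicly routed space (AOL, per the whois above).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AOL-style reverse DNS: the first label is the IPv4 address as 8 hex digits.
HEX_LABEL = re.compile(r"^([0-9A-Fa-f]{8})\.")

def hexname_to_ip(name):
    """ACA80102.ipt.aol.com -> AC.A8.01.02 -> '172.168.1.2'; None if not a hex label."""
    m = HEX_LABEL.match(name)
    if not m:
        return None
    return ".".join(str(int(m.group(1)[i:i + 2], 16)) for i in range(0, 8, 2))

def is_rfc1918(ip):
    """True if the address falls in any RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def audit_routes(netstat_text):
    """Return (destination, decoded_ip, is_private) for every route whose destination
    is a hex label or a literal IPv4 address; 'default', 'localhost' etc. are skipped."""
    results = []
    for line in filter(None, netstat_text.splitlines()):
        dest = line.split()[0]
        ip = hexname_to_ip(dest)
        if ip is None:
            try:
                ipaddress.ip_address(dest)
                ip = dest
            except ValueError:
                continue
        results.append((dest, ip, is_rfc1918(ip)))
    return results

# Constructed sample, reduced from the netstat -ra output quoted in the thread.
SAMPLE = """\
Destination        Gateway            Flags  Refs     Use  Netif Expire
default            ACA80101.ipt.aol.c UGS       0  156153    rl0
ACA80100.ipt.aol.c link#1             UC        0       0    rl0
ACA80102.ipt.aol.c 00:10:a7:0d:6f:7f  UHLW      0     325    rl0   1193
192.168.2.105      localhost          UGHS      0       0    lo0
"""
if __name__ == "__main__":
    for dest, ip, private in audit_routes(SAMPLE):
        print(f"{dest:20} {ip:16} {'RFC 1918 private' if private else 'PUBLIC space'}")
```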