From: Dino Vliet
To: freebsd-questions@freebsd.org
Date: Thu, 25 Nov 2004 01:35:15 -0800 (PST)
Subject: Help...am I being hacked?
List-Id: User questions

Hi all,

I'm using FreeBSD 4.10 on my laptop and I was browsing my filesystem and looking at some log files, when I stumbled into the file dmesg.yesterday in /var/log/. The contents of this file worried me.
Take a look at the last lines of it:

Connection attempt to TCP 192.168.1.101:5554 from 220.147.188.223:4970 flags:0x02
Connection attempt to TCP 192.168.1.101:9898 from 220.147.188.223:1288 flags:0x02
Connection attempt to TCP 192.168.1.101:21 from 168.126.102.33:57216 flags:0x02
Connection attempt to UDP 192.168.1.101:1026 from 222.88.173.5:31889
Connection attempt to TCP 192.168.1.101:9898 from 67.1.4.194:3161 flags:0x02

But my IP on this machine starts with 130. But I recognize these IPs (192.168.1.101), because at home I'm using an e-tech router and it assigns me 192.168.1.* as IP address through DHCP every time I connect my laptop to it. At the campus, I'm also using DHCP to connect to the network.

However, lately I haven't used my router at home and was only connecting through the network at the campus. There I get the IP address 130.37.28.112. I have removed the old dhcp.leases in /var/db that had the information of my e-tech router.

I am using ipfw too now, but still it would be convenient to know where to look for hack attempts and look for log files which give information about connection attempts from outside.

Thanks in advance

Dino Vliet
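A way to triage entries in the format quoted above, as an added example that is not part of the original message: it parses the "Connection attempt to" lines, groups the probed ports by remote address, and lists the local address each entry was logged against. The function names are illustrative, and the sample input is the five lines from the message.

```python
import re
from collections import defaultdict

# The five log lines quoted in the message above, copied verbatim.
SAMPLE = """\
Connection attempt to TCP 192.168.1.101:5554 from 220.147.188.223:4970 flags:0x02
Connection attempt to TCP 192.168.1.101:9898 from 220.147.188.223:1288 flags:0x02
Connection attempt to TCP 192.168.1.101:21 from 168.126.102.33:57216 flags:0x02
Connection attempt to UDP 192.168.1.101:1026 from 222.88.173.5:31889
Connection attempt to TCP 192.168.1.101:9898 from 67.1.4.194:3161 flags:0x02
"""

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+) from "
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)"
    r"(?: flags:0x(?P<flags>[0-9a-fA-F]+))?"
)
TH_SYN = 0x02  # SYN bit of the TCP flags byte

def parse(text):
    """Return one dict per matching line; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        flags = int(m["flags"], 16) if m["flags"] else None  # UDP lines carry no flags
        events.append({
            "proto": m["proto"], "dst": m["dst"], "dport": int(m["dport"]),
            "src": m["src"], "sport": int(m["sport"]),
            "syn": flags is not None and bool(flags & TH_SYN),
        })
    return events

def ports_by_source(events):
    """Map each remote address to the sorted (proto, port) pairs it tried."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add((e["proto"], e["dport"]))
    return {src: sorted(ports) for src, ports in seen.items()}

def local_addresses(events):
    """Local addresses the entries were logged against."""
    return sorted({e["dst"] for e in events})

if __name__ == "__main__":
    events = parse(SAMPLE)
    print("logged for local address(es):", local_addresses(events))
    for src, ports in ports_by_source(events).items():
        print(src, ports)
```

Run against /var/log/dmesg.yesterday or /var/log/messages by passing the file's contents to parse() instead of SAMPLE.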