Date: Thu, 6 Dec 2001 09:43:25 -0500
From: Paul Chvostek <paul@it.ca>
To: freebsd-net@FreeBSD.ORG
Subject: log_in_vain
Message-ID: <20011206094325.A434@mail.it.ca>

For the fun of it, I turned on log_in_vain. And I'm seeing *lots* of stuff one might expect (port scans, Nimda poking at my mail server, SMTP to the web server, etc). But I'm also seeing stuff I don't expect, primarily in the areas of DNS and localhost traffic. For example:

  Dec 6 08:15:39 schplict /kernel: Connection attempt to UDP 216.126.86.8:1262 from 216.126.86.2:53

and

  Dec 6 08:35:37 haggis /kernel: Connection attempt to UDP 216.126.86.9:1044 from 216.126.86.2:53

and

  Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1054
  Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1058
  Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1063
  Dec 6 08:34:45 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1067

The host at 216.126.86.2 is the first nameserver in the resolv.conf of both haggis and schplict. It looks to me as if the name server is sending responses back to DNS queries which for some reason haven't waited around.

And as far as I know I'm not running biff on haggis. The frequency of the hits makes it look as if it's running something every time ... something ... gets launched. But biff's not in any .profile, .cshrc or .login.

So I'm left scratching my head. Can anybody shed some light on this?

-- 
Paul Chvostek <paul@it.ca>
Operations / Development / Abuse / Whatever vox: +1 416 598-0000
IT Canada http://www.it.ca/
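
One way to sort log_in_vain output like the lines quoted in the message above, as an added example that is not part of the original post: it parses the kernel lines and separates packets from the configured resolver's port 53 and loopback traffic to UDP 512 (the comsat/biff port) from everything else. The bucket names, the ephemeral-port floor of 1024, the assumed TCP line prefix and the last sample line are assumptions or constructed.

```python
import re
from collections import Counter

# Line format as quoted in the message; TCP lines are assumed to share the prefix.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+/kernel:\s+Connection attempt to "
    r"(?P<proto>UDP|TCP)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"from\s+(?P<src>[\d.]+):(?P<sport>\d+)"
)
RESOLVERS = {"216.126.86.2"}  # from the message: first nameserver in resolv.conf
EPHEMERAL_MIN = 1024          # assumption: lowest ephemeral port on these hosts

def parse(line):
    """Return the fields of one log_in_vain line, or None if it is something else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["dport"], ev["sport"] = int(ev["dport"]), int(ev["sport"])
    return ev

def classify(ev):
    """Bucket an event so known noise is separated from traffic worth reading."""
    udp = ev["proto"] == "UDP"
    if udp and ev["src"] in RESOLVERS and ev["sport"] == 53 and ev["dport"] >= EPHEMERAL_MIN:
        return "dns-reply-to-closed-port"  # resolver answered a port with no listener
    if ev["src"].startswith("127.") and ev["dst"].startswith("127."):
        return "local-comsat-port" if udp and ev["dport"] == 512 else "local-other"
    return "unsolicited"

def triage(lines):
    """Count events per (host, bucket), skipping lines that do not parse."""
    counts = Counter()
    for ev in filter(None, map(parse, lines)):
        counts[(ev["host"], classify(ev))] += 1
    return counts

SAMPLE = [  # the first six lines are from the message; the last one is constructed
    "Dec 6 08:15:39 schplict /kernel: Connection attempt to UDP 216.126.86.8:1262 from 216.126.86.2:53",
    "Dec 6 08:35:37 haggis /kernel: Connection attempt to UDP 216.126.86.9:1044 from 216.126.86.2:53",
    "Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1054",
    "Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1058",
    "Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1063",
    "Dec 6 08:34:45 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1067",
    "Dec 6 08:40:02 haggis /kernel: Connection attempt to TCP 216.126.86.9:25 from 192.0.2.10:4021",
]

if __name__ == "__main__":
    for (host, bucket), n in sorted(triage(SAMPLE).items()):
        print(f"{host:10} {bucket:26} {n}")
```

A rising count in the `unsolicited` bucket is what remains to review once the resolver and loopback lines are set aside.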