From owner-freebsd-net Thu Dec 6 19:34:58 2001
Delivered-To: freebsd-net@freebsd.org
Received: from haggis.it.ca (haggis.it.ca [216.126.86.9]) by hub.freebsd.org (Postfix) with ESMTP id D597A37B41B for ; Thu, 6 Dec 2001 19:34:50 -0800 (PST)
Received: (from paul@localhost) by haggis.it.ca (8.11.6/8.11.6) id fB6EhPU01485 for freebsd-net@FreeBSD.ORG; Thu, 6 Dec 2001 09:43:25 -0500 (EST) (envelope-from paul)
Date: Thu, 6 Dec 2001 09:43:25 -0500
From: Paul Chvostek
To: freebsd-net@FreeBSD.ORG
Subject: log_in_vain
Message-ID: <20011206094325.A434@mail.it.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

For the fun of it, I turned on log_in_vain. And I'm seeing *lots* of stuff one might expect (port scans, Nimda poking at my mail server, SMTP to the web server, etc). But I'm also seeing stuff I don't expect, primarily in the areas of DNS and localhost traffic. For example:

  Dec 6 08:15:39 schplict /kernel: Connection attempt to UDP 216.126.86.8:1262 from 216.126.86.2:53

and

  Dec 6 08:35:37 haggis /kernel: Connection attempt to UDP 216.126.86.9:1044 from 216.126.86.2:53

and

  Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1054
  Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1058
  Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1063
  Dec 6 08:34:45 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1067

The host at 216.126.86.2 is the first nameserver in the resolv.conf of both haggis and schplict. It looks to me as if the name server is sending responses back to DNS queries which for some reason haven't waited around. And as far as I know I'm not running biff on haggis.
The frequency of the hits makes it look as if it's running something every time ... something ... gets launched. But biff's not in any .profile, .cshrc or .login. So I'm left scratching my head.

Can anybody shed some light on this?

-- 
  Paul Chvostek
  Operations / Development / Abuse / Whatever
  vox: +1 416 598-0000
  IT Canada
  http://www.it.ca/
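A small triage script for log_in_vain output of the kind quoted above, added here as an example and not part of the original post or of FreeBSD. It parses the kernel messages and labels the two patterns the poster is puzzled by, a reply from a configured resolver's port 53 landing on an ephemeral port after the querying socket has gone away, and a loopback datagram to UDP 512 (the biff/comsat port) with nothing listening, so they can be counted apart from the genuinely unexpected hits. The resolver set and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the post (not a real capture).
SAMPLE_LOG = """\
Dec 6 08:15:39 schplict /kernel: Connection attempt to UDP 216.126.86.8:1262 from 216.126.86.2:53
Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1054
Dec 6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1058
Dec 6 08:35:01 haggis /kernel: Connection attempt to TCP 216.126.86.9:25 from 203.0.113.7:4321
Dec 6 08:35:37 haggis /kernel: Connection attempt to UDP 216.126.86.9:1044 from 216.126.86.2:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

def parse_line(line):
    """Return the fields of one log_in_vain kernel line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["sport"] = int(ev["sport"])
    return ev

def classify(ev, resolvers):
    """Label one event; resolvers is the set of nameserver IPs from resolv.conf (assumed)."""
    if (ev["proto"] == "UDP" and ev["src"] in resolvers
            and ev["sport"] == 53 and ev["dport"] >= 1024):
        return "late-dns-reply"      # answer arrived after the client socket was closed
    if ev["proto"] == "UDP" and ev["dport"] == 512 and ev["src"].startswith("127."):
        return "local-biff-notify"   # comsat/biff datagram on loopback, no comsat bound
    return "unexpected"              # everything else deserves a look

def summarize(text, resolvers):
    """Count events per label so the known noise can be separated from real probes."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[classify(ev, resolvers)] += 1
    return dict(counts)
```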