From owner-freebsd-net  Fri Dec  7  0:24:50 2001
Delivered-To: freebsd-net@freebsd.org
Received: from relay1.macomnet.ru (relay1.macomnet.ru [195.128.64.10])
	by hub.freebsd.org (Postfix) with ESMTP id EE3DC37B417
	for <freebsd-net@FreeBSD.ORG>; Fri,  7 Dec 2001 00:24:46 -0800 (PST)
Received: from news1.macomnet.ru (maxim@news1.macomnet.ru [195.128.64.14])
	by relay1.macomnet.ru (8.11.3/8.11.3) with ESMTP id fB78OdO1697421;
	Fri, 7 Dec 2001 11:24:40 +0300 (MSK)
Date: Fri, 7 Dec 2001 11:24:39 +0300 (MSK)
From: Maxim Konovalov <maxim@macomnet.ru>
To: Paul Chvostek <paul@it.ca>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: log_in_vain
In-Reply-To: <20011206094325.A434@mail.it.ca>
Message-ID: <20011207112237.M10311-100000@news1.macomnet.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org


Hello,

On Thu, 6 Dec 2001, Paul Chvostek wrote:

>
> For the fun of it, I turned on log_in_vain.  And I'm seeing *lots* of
> stuff one might expect (port scans, Nimda poking at my mail server,
> SMTP to the web server, etc).  But I'm also seeing stuff I don't expect,
> primarily in the areas of DNS and localhost traffic.  For example:
>
> Dec  6 08:15:39 schplict /kernel: Connection attempt to UDP 216.126.86.8:1262 from 216.126.86.2:53
>
> and
>
> Dec  6 08:35:37 haggis /kernel: Connection attempt to UDP 216.126.86.9:1044 from 216.126.86.2:53
>
> and
>
> Dec  6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1054
> Dec  6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1058
> Dec  6 08:34:44 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1063
> Dec  6 08:34:45 haggis /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1067
>
> The host at 216.126.86.2 is the first nameserver in the resolv.conf of
> the both haggis and schplict.  It looks to me as if the name server is
> sending responses back to DNS queries which for some reason haven't
> waited around.

because of request timeout.

> And as far as I know I'm not running biff on haggis.  The frequency of
> the hits makes it look as if it's running something every time ...
> something ... gets launched.  But biff's not in any .profile, .cshrc or
> .login.  So I'm left scratching my head.

man 8 mail.local will help.

> Can anybody shed some light on this?

-- 
Maxim Konovalov, MAcomnet, Internet-Intranet Dept., system engineer
phone: +7 (095) 796-9079, mailto: maxim@macomnet.ru


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message