From: "Conrad J. Sabatier" <conrads@cox.net>
To: Dino Vliet
Cc: freebsd-questions@freebsd.org
Subject: Re: Help...am I being hacked?
Date: Thu, 25 Nov 2004 11:24:54 -0600
Message-Id: <1101403494.63632.8.camel@dolphin.local.net>
In-Reply-To: <20041125093515.3557.qmail@web51104.mail.yahoo.com>
Organization: A Rag-Tag Band of Drug-Crazed Hippies
X-Mailer: Evolution 2.0.2 FreeBSD GNOME Team Port
List-Id: User questions (freebsd-questions@freebsd.org)

On Thu, 2004-11-25 at 01:35 -0800, Dino Vliet wrote:
> Hi all,
>
> I'm using FreeBSD 4.10 on my laptop and I was browsing my filesystem and
> looking at some log files, when I stumbled into the file dmesg.yesterday
> in /var/log/
>
> The contents of this file worried me. Take a look at the last lines of it:
>
> Connection attempt to TCP 192.168.1.101:5554 from 220.147.188.223:4970 flags:0x02
> Connection attempt to TCP 192.168.1.101:9898 from 220.147.188.223:1288 flags:0x02
> Connection attempt to TCP 192.168.1.101:21 from 168.126.102.33:57216 flags:0x02
> Connection attempt to UDP 192.168.1.101:1026 from 222.88.173.5:31889
> Connection attempt to TCP 192.168.1.101:9898 from 67.1.4.194:3161 flags:0x02

These merely indicate connection *attempts*, not actual successful
connections to your machine. They don't mean you've been "hacked".

> But my IP on this machine starts with 130.
>
> But I recognize these IPs (192.168.1.101), because at home I'm using an
> e-tech router and it assigns me 192.168.1.* as IP address through DHCP
> every time I connect my laptop with it. At the campus, I'm also using
> DHCP to connect to the network. However, lately I haven't used my router
> at home and was only connecting through the network at the campus. There
> I get the IP address 130.37.28.112.
>
> I have removed the old dhcp.leases in /var/db that had the information
> of my e-tech router.
>
> I am using ipfw too now, but still it would be convenient to know where
> to look for hack attempts and look for log files which give information
> about connection attempts from outside.

/var/log/security, /var/log/ipfw.*, /var/log/messages, and so on.

With a more "stealthy" firewall setup, you wouldn't even be seeing these
connection attempt logs, as these outsiders would never even manage to
reach your machine at all.

-- 
Conrad J. Sabatier -- conrads@cox.net -- "In Unix veritas"
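The "Connection attempt to TCP/UDP ... from ..." lines quoted above are what the FreeBSD kernel writes when the `net.inet.tcp.log_in_vain` and `net.inet.udp.log_in_vain` sysctls are enabled: one line per packet that reached a port with no listener. Taken one at a time they are noise; grouped by remote address and probed port they show whether a host is sweeping several ports or whether many hosts are hitting the same one, which is the triage a reader of these logs actually wants. The following is an added example, not code from the thread or from FreeBSD: a small sh/awk script that summarises such lines from dmesg or /var/log/messages (it tolerates a syslog prefix in front of the kernel message). The sample log embedded in it is constructed to mirror the lines in the mail plus one unrelated line to show that non-matching input is ignored.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise FreeBSD
# log_in_vain "Connection attempt" lines by remote address.
# SAMPLE_LOG is constructed input mirroring the lines quoted in the mail,
# plus one unrelated syslog line that must be ignored.

SAMPLE_LOG='Connection attempt to TCP 192.168.1.101:5554 from 220.147.188.223:4970 flags:0x02
Connection attempt to TCP 192.168.1.101:9898 from 220.147.188.223:1288 flags:0x02
Connection attempt to TCP 192.168.1.101:21 from 168.126.102.33:57216 flags:0x02
Connection attempt to UDP 192.168.1.101:1026 from 222.88.173.5:31889
Connection attempt to TCP 192.168.1.101:9898 from 67.1.4.194:3161 flags:0x02
Nov 25 03:12:01 dolphin kernel: some unrelated kernel message'

# summarize_attempts: read log lines on stdin and print one line per
# remote address: "<remote> <attempts> <proto/localport,...>", sorted
# with the noisiest remote first. A syslog "Mon DD HH:MM:SS host kernel:"
# prefix in front of the message is tolerated because we locate the
# message with match() instead of relying on absolute field positions.
summarize_attempts() {
    awk '
    match($0, /Connection attempt to (TCP|UDP) [^ ]+ from [^ ]+/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        proto = f[4]            # TCP or UDP
        split(f[5], dst, ":")   # dst[2] = local port that was probed
        split(f[7], src, ":")   # src[1] = remote address
        count[src[1]]++
        key = src[1] SUBSEP proto "/" dst[2]
        if (!(key in seen)) {
            seen[key] = 1
            if (src[1] in ports)
                ports[src[1]] = ports[src[1]] "," proto "/" dst[2]
            else
                ports[src[1]] = proto "/" dst[2]
        }
    }
    END {
        for (s in count) printf "%s %d %s\n", s, count[s], ports[s]
    }' | LC_ALL=C sort -k2,2nr -k1,1
}

# count_sources: number of distinct remote addresses seen on stdin.
count_sources() {
    summarize_attempts | wc -l | tr -d ' '
}

# attempts_on_port: how many attempts (any protocol) hit local port $1.
attempts_on_port() {
    awk -v port="$1" '
    match($0, /Connection attempt to (TCP|UDP) [^ ]+ from [^ ]+/) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        split(f[5], dst, ":")
        if (dst[2] == port) n++
    }
    END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a real box you would
# feed it "dmesg" or "cat /var/log/messages" instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_attempts
```

On the sample, 220.147.188.223 tops the list with two attempts against two different ports, and port 9898 is hit by two different hosts; that is the kind of pattern worth a closer look, while single hits from single hosts are ordinary background scanning. Run against the real files, `dmesg | summarize_attempts` covers the current boot and `summarize_attempts < /var/log/messages` covers the syslog copy.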