From: J Wunsch
Message-Id: <199604090736.JAA08067@uriah.heep.sax.de>
Subject: Re: routed delete my PPP default: how to fight it?
To: freebsd-current@FreeBSD.org (FreeBSD-current users)
Date: Tue, 9 Apr 1996 09:36:39 +0200 (MET DST)
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: <199604090621.XAA03064@silvia.HIP.Berkeley.EDU> from "Satoshi Asami" at Apr 8, 96 11:21:10 pm
Sender: owner-current@FreeBSD.org

As Satoshi Asami wrote:

> Here's all the stuff that's in the kernel's message buffer. It
> doesn't overflow anything, it happens only intermittently (this many
> in ~2 days). By the way, 3128 is the port for the HTTP proxy running
> on another machine (128.32.38.224), it could have something to do with
> me running netscape during these times.

> Connection attempt to TCP 136.152.64.181:113 from 136.152.64.181:60781
> Connection attempt to TCP 136.152.64.181:113 from 136.152.64.181:3818

That's ``auth''. I've always wondered at my machine at work (where I
tcpdump all traffic that's going through the Internet router) who is
connecting to this port. It's also somehow related to sendmail.

Does anybody know more about ``auth''?

> Connection attempt to UDP 136.152.64.181:1624 from 136.152.64.181:53
> Connection attempt to UDP 136.152.64.181:1625 from 136.152.64.181:53
> Connection attempt to UDP 136.152.64.181:1626 from 136.152.64.181:53
> Connection attempt to UDP 136.152.64.181:1645 from 136.152.64.181:53
> Connection attempt to UDP 136.152.64.181:1647 from 136.152.64.181:53

Looks like a reply for a DNS query, where the querying process has
been terminated before the answer arrived.

Traceroute attempts should cause a similar pattern, but with higher
port numbers.

--
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
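
An added example, not part of the original message: a small Python classifier for the kernel "Connection attempt" lines quoted above, applying the interpretations given in the reply (TCP port 113 is ``auth'', UDP from source port 53 is a late DNS reply, traceroute shows up on higher UDP ports). The 33434 threshold, the label strings, the function names and the last two sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter

# Format of the kernel messages quoted in the message above.
LINE_RE = re.compile(
    r"Connection attempt to (TCP|UDP) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) from (\d+\.\d+\.\d+\.\d+):(\d+)"
)

TRACEROUTE_BASE = 33434  # assumption: classic traceroute default base UDP port


def classify(line):
    """Return (label, fields) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    proto, dst, dport, src, sport = m.groups()
    dport, sport = int(dport), int(sport)
    if proto == "TCP" and dport == 113:
        label = "auth query (TCP port 113)"
    elif proto == "UDP" and sport == 53:
        label = "late DNS reply (source port 53)"
    elif proto == "UDP" and dport >= TRACEROUTE_BASE:
        label = "possible traceroute probe"
    else:
        label = "unclassified"
    return label, {"proto": proto, "dst": dst, "dport": dport,
                   "src": src, "sport": sport}


def summarize(lines):
    """Count labels over an iterable of log lines, skipping non-matching ones."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result[0]] += 1
    return counts


# Sample input: first four lines are quoted in the message; last two are constructed.
SAMPLE = """\
Connection attempt to TCP 136.152.64.181:113 from 136.152.64.181:60781
Connection attempt to TCP 136.152.64.181:113 from 136.152.64.181:3818
Connection attempt to UDP 136.152.64.181:1624 from 136.152.64.181:53
Connection attempt to UDP 136.152.64.181:1625 from 136.152.64.181:53
Connection attempt to UDP 192.0.2.10:33436 from 192.0.2.99:40211
/kernel: some unrelated message
""".splitlines()

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {label}")
```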