From owner-freebsd-questions@freebsd.org Thu Feb 9 20:40:48 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7106ECD8A08 for ; Thu, 9 Feb 2017 20:40:48 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mailrelay12.qsc.de (mailrelay12.qsc.de [212.99.163.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.antispameurope.com", Issuer "TeleSec ServerPass DE-2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id D957D186E for ; Thu, 9 Feb 2017 20:40:47 +0000 (UTC) (envelope-from freebsd@edvax.de) Received: from mx01.qsc.de ([213.148.129.14]) by mailrelay12.qsc.de; Thu, 09 Feb 2017 21:43:41 +0100 Received: from r56.edvax.de (port-92-195-22-222.dynamic.qsc.de [92.195.22.222]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx01.qsc.de (Postfix) with ESMTPS id 472233CBF9; Thu, 9 Feb 2017 21:40:22 +0100 (CET) Received: from r56.edvax.de (localhost [127.0.0.1]) by r56.edvax.de (8.14.5/8.14.5) with SMTP id v19KeMr7005937; Thu, 9 Feb 2017 21:40:22 +0100 (CET) (envelope-from freebsd@edvax.de) Date: Thu, 9 Feb 2017 21:40:22 +0100 From: Polytropon To: sixto areizaga Cc: freebsd-questions@freebsd.org Subject: Re: wireshark issue Message-Id: <20170209214022.472b0673.freebsd@edvax.de> In-Reply-To: <20170209143258.3e560e02@newer.home> References: <20170209143258.3e560e02@newer.home> Reply-To: Polytropon Organization: EDVAX X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-cloud-security-sender: freebsd@edvax.de X-cloud-security-recipient: freebsd-questions@freebsd.org X-cloud-security-Virusscan: CLEAN X-cloud-security-disclaimer: This E-Mail was scanned by E-Mailservice on mailrelay12.qsc.de with DED9F6BFB9A X-cloud-security-connect: mx01.qsc.de[213.148.129.14], TLS=1, IP=213.148.129.14 X-cloud-security: scantime:.1889 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 09 Feb 2017 20:40:48 -0000 On Thu, 9 Feb 2017 14:32:58 -0500, sixto areizaga wrote: > I was working on a webpage [that isn't up yet] no outside connections > established, I started apache [from computer #1], started wireshark > [same node] and opened firefox [computer #2] and for the url I did a > 192.168.etc.etc > > looking though packets transfered there was a transfer from outside my network - (the > ip might be in China) - it used putty [with sshv2] to get a > server/client key exchange. When you listen on a specific interface, Wireshark will display all traffic for that interface (except you apply a filter). So you're observing _two_ things at the same time which probably aren't related: First is the web site you're testing inside the LAN, second is an incomming SSH connection attempt from exterior. For testing your web site, temporarily add a filter for the traffic in your LAN. Then, as a "second project", check the SSH thing. It probably is just an automated search for unsecured SSH accounts, performed by botnets. > it looked like a mobile device running a script except using putty That is quite possible. It could be a member of a mobile botnet (which seem to become more common, even though the preferred kind of botnet is still a fleet of office PCs running "Windows"). > anyone have a similar problem? No. Should I? ;-) -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...