Date: Fri, 21 Jun 2002 16:28:12 -0400
From: "John Straiton" <jks@clickcom.com>
To: <freebsd-questions@freebsd.org>
Subject: OT: Bizarre tcplog messages. Connects going to 0.0.0.0?
Message-ID: <003d01c21962$2d4018e0$fe16c60a@win2k.clickcom.com>
I hope someone can shed some light on this one because it's stumped everyone I know personally. A bit off topic, but my BSD boxes are all that has let me know there's a problem up till now.

This week we began seeing a very bizarre behavior on our FreeBSD machines. They all have "log_in_vain" turned on. I started getting messages like:

  Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:10 from 216.189.xx.xxe:1744
  Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:11 from 216.189.xx.xxf:1229
  Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:12 from 216.189.xx.xxg:1929
  Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:13 from 216.189.xx.xxe:1201
  Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:14 from 216.189.xx.xxl:2014
  Jun 20 12:40:12 human /kernel: Connection attempt to TCP 0.0.0.0:15 from 216.189.xx.xxj:1660

While I did x out the IP that's listed, I didn't change the first one. It really did say 0.0.0.0. I got a number of these messages in the syslog, but it all stopped about 15 seconds later. They would start targeting at port #1 and increment to port #138, then restart.

So I got a tcpdump ready (tcpdump host 0.0.0.0 > errors.txt) and the next time it happened, I captured over 4MB of traffic in seconds. Here are some lines from that capture:

  14:23:49.604591 216.189.xx.xxw.1308 > 0.0.0.0.cisco-tna: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.605143 216.189.xx.xxz.1321 > 0.0.0.0.cisco-sys: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.605776 216.189.xx.xxy.1918 > 0.0.0.0.statsrv: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.606430 216.189.xx.xxv.1325 > 0.0.0.0.ingres-net: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.607030 216.189.xx.xxe.servexec > 0.0.0.0.loc-srv: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.607617 216.189.xx.xxa.iclpv-nlc > 0.0.0.0.profile: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.608235 216.189.xx.xxo.1217 > 0.0.0.0.netbios-ns: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.609142 216.189.xx.xxg.1953 > 0.0.0.0.netbios-dgm: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.609722 216.189.xx.xxa.1846 > 0.0.0.0.netbios-ssn: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.609998 www.ntatesting.com.ica > 0.0.0.0.6300: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
  14:23:49.610531 216.189.xx.xxg.1219 > 0.0.0.0.tcpmux: S 674711609:674711609(0) win 65535 (DF) [ttl 1]

I have xxx'ed out the IPs, but what's important to notice is that they're all from the same /24 netblock, which we maintain. Is this someone's NIC gone haywire or some packetkiddy trying to ruin my weekend? Something else?

Thanks for any ideas...

John Straiton
jks@clickcom.com
Clickcom, Inc
704-365-9970x101
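As an added example (not part of the original post), the following script parses tcpdump SYN lines in the old format quoted above and summarises the three things worth noticing in such a capture: SYNs whose destination is 0.0.0.0, a TTL of 1, and one initial sequence number reused by many different source hosts, which no normal TCP stack would produce. The sample lines are constructed with placeholder hosts, not the poster's real addresses.

```python
import re

# Constructed sample in the tcpdump format quoted in the post; hosts are
# documentation/placeholder addresses, not the poster's real netblock.
CAPTURE = """\
14:23:49.604591 198.51.100.7.1308 > 0.0.0.0.cisco-tna: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.605143 198.51.100.9.1321 > 0.0.0.0.cisco-sys: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.605776 198.51.100.12.1918 > 0.0.0.0.statsrv: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:49.609998 www.example.com.ica > 0.0.0.0.6300: S 674711609:674711609(0) win 65535 (DF) [ttl 1]
14:23:50.000000 203.0.113.4.4455 > 10.0.0.1.ssh: S 91122233:91122233(0) win 5840 (DF) [ttl 64]
"""

# Old-style tcpdump SYN line: "<ts> <src>.<sport> > <dst>.<dport>: S <isn>:<isn>(0) win <w> ... [ttl <n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:]+): S (?P<isn>\d+):\d+\(0\) "
    r"win (?P<win>\d+).*\[ttl (?P<ttl>\d+)\]"
)


def parse_capture(text):
    """Parse SYN lines into dicts; host and port are split on the last dot,
    so service names (cisco-tna, ica) and numeric ports are both handled."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a SYN line in this format; ignore
        src_host, src_port = m.group("src").rsplit(".", 1)
        dst_host, dst_port = m.group("dst").rsplit(".", 1)
        flows.append({"src": src_host, "sport": src_port, "dst": dst_host,
                      "dport": dst_port, "isn": int(m.group("isn")),
                      "ttl": int(m.group("ttl")), "win": int(m.group("win"))})
    return flows


def classify(flows):
    """Summarise the oddities the post describes for SYNs aimed at 0.0.0.0:
    how many there are, how many carry ttl 1, how many distinct sources sent
    them, and which ISNs are shared by more than one source host."""
    to_null = [f for f in flows if f["dst"] == "0.0.0.0"]
    isn_sources = {}
    for f in to_null:
        isn_sources.setdefault(f["isn"], set()).add(f["src"])
    shared_isn = {isn: len(s) for isn, s in isn_sources.items() if len(s) > 1}
    return {"syn_to_null": len(to_null),
            "ttl1_to_null": sum(1 for f in to_null if f["ttl"] == 1),
            "distinct_sources": len({f["src"] for f in to_null}),
            "shared_isn": shared_isn}
```

Run over a real capture, a non-empty shared_isn entry across dozens of source addresses in one /24 points at a single sender forging addresses rather than many independent hosts.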