From: Eric_Stanfield@kenokozie.com
To: "alex huppenthal"
Cc: freebsd-isp@freebsd.org
Subject: Re: IPFW ? hacked?
Date: Tue, 24 Apr 2001 14:43:19 -0500

I would do:

    [exs@mrtg]> sockstat -4u |more

and see what process is talking to that address. I set up a Linux box not too long ago and, before I got back to it to tighten it down, some punk from an Israeli DSL provider rooted it and set up an app that would let him access the box. The process he loaded changed its name in ps to something harmless like cron or something (I don't recall), and had I not looked at netstat (which shows more on a Linux box) I would never have found out what happened. I really hope you didn't get rooted, as one of the main reasons I go about preaching the goodness of all things FreeBSD is that I've never had a BSD box hacked.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Eric Stanfield, K2Access
Keno Kozie Associates
222 N LaSalle #1500
Chicago, IL 60606
(312) 332-3000

"alex huppenthal" wrote (sent by owner-freebsd-isp@FreeBSD.ORG, 04/24/01 02:32 PM, Subject: IPFW ? hacked?):

> I set up a pipe, number 5, and set the bandwidth to 20 Mbit/s. Interestingly, I see 205.149.189.91 as a destination IP address at port 5999 collecting data from x.x.18.3. I don't know 205.149.189.91 or have any process running to that site. However, the numbers are increasing. Anyone seen this behavior?
>
>     00005: 20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>         mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
>     BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>       0 tcp        x.x.18.3/1027   205.149.189.91/5999  76043 19344253  0    0   0

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
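The correlation Eric suggests (take the local IP/port of the suspicious dummynet flow, find the socket with that local endpoint in sockstat, and read off the owning process) can be scripted so it runs over the whole pipe table at once. The following is an added example and not code from either poster; the `ipfw pipe show` and `sockstat` samples are constructed (column layout assumed from the thread and from FreeBSD's sockstat), 192.0.2.3 stands in for the elided x.x.18.3, and the process name "cron" is the kind of harmless-looking name Eric describes.

```python
import re

# Constructed sample of `ipfw pipe show` flow rows (layout as quoted in the thread;
# 192.0.2.3 stands in for the elided x.x.18.3 address)
PIPE_FLOWS = """\
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp      192.0.2.3/1027   205.149.189.91/5999  76043 19344253   0    0   0
"""

# Constructed sample of `sockstat -4` output (assumed column order:
# USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS)
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   *:22                  *:*
root     cron       9981  3  tcp4   192.0.2.3:1027        205.149.189.91:5999
"""

# One dummynet flow row: bucket, proto, src/port, dst/port, total packets, total bytes
FLOW_RE = re.compile(r"^\s*\d+\s+(\w+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\d+)\s+(\d+)")

def parse_pipe_flows(text):
    """Return one dict per flow row; the header and pipe summary lines do not match."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            proto, src, sport, dst, dport, pkts, nbytes = m.groups()
            flows.append(dict(proto=proto, src=src, sport=int(sport), dst=dst,
                              dport=int(dport), pkts=int(pkts), bytes=int(nbytes)))
    return flows

def parse_sockstat(text):
    """Return one dict per socket line: owning command and PID plus the local endpoint."""
    socks = []
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) < 7:
            continue
        user, cmd, pid, fd, proto, local, foreign = f[:7]
        lhost, lport = local.rsplit(":", 1)
        socks.append(dict(cmd=cmd, pid=int(pid), lhost=lhost, lport=int(lport), foreign=foreign))
    return socks

def attribute_flows(flows, socks, known_dsts):
    """For each flow to a destination not in known_dsts, report (dst, dport, bytes, owner);
    owner is (command, pid) of the socket with the same local IP/port, or None when no
    socket claims the flow, which itself deserves a closer look."""
    findings = []
    for fl in flows:
        if fl["dst"] in known_dsts:
            continue
        owner = next((s for s in socks if s["lhost"] == fl["src"] and s["lport"] == fl["sport"]), None)
        findings.append((fl["dst"], fl["dport"], fl["bytes"],
                         (owner["cmd"], owner["pid"]) if owner else None))
    return findings
```

On a live box the two samples would be replaced by the output of `ipfw pipe show` and `sockstat -4`; a flow owned by a process whose name does not explain that traffic (here a "cron" talking to port 5999) is what the thread is looking for.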