From owner-freebsd-isp Tue Apr 24 12:59:26 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from aspenworks.com (aspenworks.com [192.94.236.1]) by hub.freebsd.org (Postfix) with ESMTP id 857D537B42C for ; Tue, 24 Apr 2001 12:59:21 -0700 (PDT) (envelope-from alex@aspenworks.com)
Received: from ibmxeon (matrix.aspenworks.com [216.38.199.82]) by aspenworks.com (8.9.3/8.9.3) with SMTP id NAA43860; Tue, 24 Apr 2001 13:59:01 -0600 (MDT) (envelope-from alex@aspenworks.com)
Message-ID: <007b01c0ccf9$01b228f0$c800a8c0@aspenworks.com>
From: "alex huppenthal"
To: ,
Cc:
References:
Subject: Re: IPFW ? hacked?
Date: Tue, 24 Apr 2001 13:58:49 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Yea, well, seems pretty funky to me.. Here's the owner of the IP address:
A phone call to the number listed simply yields a fast-busy.

HackerDome, Inc. (RDY-DOM)
   707 Continental circle, #1634
   Mountain View, CA 94040
   US

   Domain Name: RDY.COM

   Administrative Contact, Technical Contact, Billing Contact:
      Ruban, Dima (DR7362)  dima@RDY.COM
      Ruban Consulting, Inc.
      707 Continental circle, #1634
      Mountain View, CA 94040
      (415) 730-0648

----- Original Message -----
From:
To: "alex huppenthal"
Cc:
Sent: Tuesday, April 24, 2001 1:43 PM
Subject: Re: IPFW ? hacked?


> I would do:
>
> [exs@mrtg]> sockstat -4u |more
>
> and see what process is talking to that address. I set up a linux box not
> too long ago and before I got back to it to tighten it down, some punk from
> an Israeli dsl provider rooted it and set up an app that would let him
> access the box. The process he loaded changed its name in ps to something
> harmless like cron or something (I don't recall) and had I not looked at
> netstat (which shows more on a linux box) I would never have found out what
> happened.
>
> I really hope you didn't get rooted as one of the main reasons I go about
> preaching the goodness of all things freebsd is that I've never had a bsd
> box hacked.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Eric Stanfield, K2Access
> Keno Kozie Associates
> 222 N LaSalle #1500
> Chicago, IL 60606
> (312) 332-3000
>
>
>
>                     "alex huppenthal"               To:
>                                                     cc:
>                     Sent by:                        Subject: IPFW ? hacked?
>                     owner-freebsd-isp@FreeBSD.ORG
>
>
>                     04/24/01 02:32 PM
>
>
>
>
>
> I setup a pipe - number 5, and set the bandwidth to 20Mbits.
>
> Interestingly, I see 205.149.189.91 as a destination IP address at port
> 5999 collecting data from x.x.18.3
>
> I don't know 205.149.189.91 or have any process running to that site.
> However, the numbers are increasing.
>
> Anyone seen this behavior?
>
> 00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp      x.x.18.3/1027      205.149.189.91/5999   76043 19344253   0    0   0
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
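The check Eric suggests above, tying the connection seen in the ipfw pipe to the local process that holds the socket and then verifying that the name the process reports matches the binary it was actually exec'd from (the "renamed itself to cron" trick he describes), as an added example that is not code from the original thread. It assumes a current FreeBSD with sockstat(1) -4c and procstat(1) -b (procstat did not exist in 2001); the sockstat and procstat listings embedded in it are constructed samples, with 192.0.2.18 standing in for the x.x.18.3 host and the PID/path values made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): map a suspicious foreign address to the
# local process holding the socket, then sanity-check that process's binary.
# Assumes a current FreeBSD: sockstat(1) with -4c, procstat(1) with -b.

# Constructed sample of `sockstat -4c` output (columns: USER COMMAND PID FD
# PROTO LOCAL_ADDRESS FOREIGN_ADDRESS). 192.0.2.18 stands in for the x.x.18.3
# host in the thread; the process calling itself "cron" is the planted one.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS        FOREIGN ADDRESS
root     sshd       312   4  tcp4   192.0.2.18:22        198.51.100.7:51022
root     cron       4711  3  tcp4   192.0.2.18:1027      205.149.189.91:5999
www      httpd      533   5  tcp4   192.0.2.18:80        198.51.100.7:40122'

# Constructed sample of `procstat -b` output (columns: PID COMM PATH).
SAMPLE_PROCSTAT='  PID COMM             PATH
  312 sshd             /usr/sbin/sshd
 4711 cron             /tmp/.x/httpd
  533 httpd            /usr/local/sbin/httpd'

# find_peer_procs IP   (stdin: sockstat -4c output)
# Prints "PID COMMAND" for every socket whose foreign address is IP:<anyport>.
# The trailing ":" keeps 205.149.189.9 from matching 205.149.189.91.
find_peer_procs() {
    awk -v ip="$1" 'NR > 1 && index($7, ip ":") == 1 { print $3, $2 }'
}

# flag_suspect_binaries   (stdin: procstat -b output)
# Prints "PID COMM PATH" when the name a process reports (the same name ps and
# sockstat show, which the attacker controls) does not match the basename of
# the binary it was exec'd from, or when that binary lives in a scratch
# directory. Heuristic: it catches what the thread describes, but a daemon
# that legitimately renames itself will be listed too and needs a look.
flag_suspect_binaries() {
    awk 'NR > 1 {
        n = split($3, part, "/")
        if (part[n] != $2 || $3 ~ /^\/(tmp|var\/tmp|dev)\//) print $1, $2, $3
    }'
}

# Live use on the host (uncomment):
#   sockstat -4c | find_peer_procs 205.149.189.91
#   procstat -b <pid> | flag_suspect_binaries
#   procstat -b -a | flag_suspect_binaries      # every process at once

demo() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | find_peer_procs 205.149.189.91
    printf '%s\n' "$SAMPLE_PROCSTAT" | flag_suspect_binaries
}
demo
```

On the sample data the first step names PID 4711 "cron" as the holder of the 205.149.189.91:5999 connection, and the second step flags that PID because its binary is /tmp/.x/httpd, not a cron. On a real host, treat the process name column as attacker-controlled and trust only the exec path from procstat (or the kernel's view via `fstat -p <pid>`), and run the procstat pass over all processes, since the one talking to the outside may not be the only one planted.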