Date: Tue, 24 Apr 2001 14:03:31 -0600
From: "alex huppenthal" <alex@aspenworks.com>
To: <pechter@ureach.com>, <Eric_Stanfield@kenokozie.com>
Cc: <freebsd-isp@FreeBSD.ORG>
Subject: Re: Hacked, nah probably cvsup.
Message-ID: <008101c0ccf9$a3bc8d20$c800a8c0@aspenworks.com>
References: <200104242001.QAA18631@www20.ureach.com>
I have, but it's set to run at 4AM. Strange, and I didn't see a cvsup proc
running anywhere. Thanks for the info. Perhaps it's all just a bit of
confusion on my part. Sorry if that's it.

-Alex

----- Original Message -----
From: "Bill Pechter" <pechter@ureach.com>
To: "alex huppenthal" <alex@aspenworks.com>; <Eric_Stanfield@kenokozie.com>
Cc: <freebsd-isp@FreeBSD.ORG>
Sent: Tuesday, April 24, 2001 2:01 PM
Subject: Re: Hacked, nah probably cvsup.

> nslookup shows the following on that address
>
> Name: burka.rdy.com
> Address: 205.149.189.91
>
> Name's familiar... used to be my cvsup source...
>
> which when looked up as cvsup2.freebsd.org
>
> Name: burka.rdy.com
> Address: 205.149.189.91
> Aliases: cvsup2.freebsd.org
>
> in /etc/services
> cvsup 5999/tcp
>
> Are you cron'ing cvsup updates?
>
> Bill
>
> --
> Bill Pechter
> Systems Administrator
>
> ---- On Tue, 24 Apr 2001, alex huppenthal (alex@aspenworks.com) wrote:
>
> > Thanks,
> >
> > I don't see the 5999 port address listed. Yet, the packet count
> > continues to grow.
> >
> > The data is of no use, it's just compressed webpages, but it concerns
> > me that the BSD router between the Internet and target system has this
> > interesting listing. I set up a pipe to limit bandwidth to the target
> > machine, and to watch.
> >
> > BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> >   0 tcp  205.149.189.91/5999   66.28.18.3/1027       123814 103707137 0 0 0
> >
> > Checking
> >
> > http://205.149.189.91/
> >
> > Doesn't give me a warm and fuzzy feeling.
> >
> > ----- Original Message -----
> > From: <Eric_Stanfield@kenokozie.com>
> > To: "alex huppenthal" <alex@aspenworks.com>
> > Cc: <freebsd-isp@freebsd.org>
> > Sent: Tuesday, April 24, 2001 1:43 PM
> > Subject: Re: IPFW ? hacked?
> >
> > > I would do:
> > >
> > > [exs@mrtg]> sockstat -4u |more
> > >
> > > and see what process is talking to that address. I set up a linux box
> > > not too long ago and before I got back to it to tighten it down, some
> > > punk from an Israeli dsl provider rooted it and set up an app that
> > > would let him access the box. The process he loaded changed its name
> > > in ps to something harmless like cron or something (I don't recall)
> > > and had I not looked at netstat (which shows more on a linux box) I
> > > would never have found out what happened.
> > >
> > > I really hope you didn't get rooted as one of the main reasons I go
> > > about preaching the goodness of all things freebsd is that I've never
> > > had a bsd box hacked.
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > >
> > > Eric Stanfield, K2Access
> > > Keno Kozie Associates
> > > 222 N LaSalle #1500
> > > Chicago, IL 60606
> > > (312) 332-3000
> > >
> > > "alex huppenthal" <alex@aspenworks.com>
> > > Sent by: owner-freebsd-isp@FreeBSD.ORG
> > > 04/24/01 02:32 PM
> > > To: "free" <freebsd-isp@FreeBSD.ORG>
> > > cc:
> > > Subject: IPFW ? hacked?
> > >
> > > I set up a pipe - number 5, and set the bandwidth to 20Mbits.
> > >
> > > Interestingly, I see 205.149.189.91 as a destination IP address at
> > > port 5999 collecting data from x.x.18.3
> > >
> > > I don't know 205.149.189.91 or have any process running to that site.
> > > However, the numbers are increasing.
> > >
> > > Anyone seen this behavior?
> > >
> > > 00005: 20.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
> > > mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> > > BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> > >   0 tcp  x.x.18.3/1027         205.149.189.91/5999   76043 19344253 0 0 0
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-isp" in the body of the message
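Eric's sockstat check and Bill's /etc/services lookup, put together as one triage script. This is an added example, not code from the thread; the sockstat listing and the services table are constructed samples so it runs offline, and the two function names are my own.

```shell
#!/bin/sh
# Added example: given a remote address seen in an ipfw pipe listing, find the
# local process that owns the connection and name the service for its port.
# Constructed sample of "sockstat -4" output; on a live FreeBSD host use:
#   sockstat -4 | tail -n +2
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     cvsup      1234  3  tcp4   66.28.18.3:1027       205.149.189.91:5999
root     sshd       455   4  tcp4   66.28.18.3:22         192.0.2.10:51000
www      httpd      801   6  tcp4   *:80                  *:*'

# Constructed subset of /etc/services (name  port/proto)
SERVICES_SAMPLE='ssh      22/tcp
http     80/tcp
cvsup    5999/tcp'

# who_talks_to ADDR: print "COMMAND PID" for every socket whose foreign
# address is ADDR, any port. Exit status 1 when no socket matches, which is
# the case worth worrying about: traffic with no visible owner.
who_talks_to() {
    addr=$1
    printf '%s\n' "$SOCKSTAT_SAMPLE" | awk -v a="$addr" '
        NR > 1 {
            split($7, f, ":")          # foreign address is host:port (IPv4 only)
            if (f[1] == a) { print $2, $3; found = 1 }
        }
        END { exit (found ? 0 : 1) }'
}

# service_name PORT PROTO: map a port to its /etc/services name, or "unknown".
service_name() {
    printf '%s\n' "$SERVICES_SAMPLE" | awk -v p="$1/$2" '
        $2 == p { print $1; n = 1 }
        END { if (!n) print "unknown" }'
}

# Walk the address from the thread: owner process, then the port's service.
if who_talks_to 205.149.189.91; then
    echo "port 5999/tcp is $(service_name 5999 tcp)"
else
    echo "no local socket to 205.149.189.91: compare ps, netstat and sockstat"
fi
```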