Date:      Thu, 29 May 1997 13:19:48 -0500 (CDT)
From:      Dave Bodenstab <imdave@synet.net>
To:        questions@FreeBSD.org
Subject:   Should I be concerned?
Message-ID:  <199705291819.NAA07336@base486.synet.net>



There is probably no answer to this, but I figured I'd try the
collected wisdom of this list.  I happened to grep my log files
and found the following in /var/log/messages:

     May 21 11:32:21 base486 identd[25580]: Connection from crl.NMSU.Edu
     May 21 11:32:22 base486 identd[25580]: from: 128.123.1.33 ( crl.NMSU.Edu ) for: 1571, 21
     May 21 11:32:22 base486 identd[25580]: Successful lookup: 1571 , 21 : imdave.imdave
=>>> May 21 11:33:37 base486 ftpd[25593]: connection from ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca

[I was probably ftp'ing something from crl.NMSU.Edu at the time]


And out of curiosity:

     $ nslookup
     Default Server:  G30.SYNET.NET
     Address:  168.113.1.64

     > 128.123.1.33
     Server:  G30.SYNET.NET
     Address:  168.113.1.64

     Name:    crl.NMSU.Edu
     Address:  128.123.1.33

     > ecsask65.innovplace.saskatoon.sk.ca
     Server:  G30.SYNET.NET
     Address:  168.113.1.64

     Name:    ecsask65.innovplace.saskatoon.sk.ca
     Address:  204.83.154.65


What's weird is that I have a dial-up ppp account which assigns
a different IP address to me each time I connect.  So, no one
can know ahead of time what IP address I am (or even if I happen
to be connected at any given time.)  Also, on 5/21 (from my ppp.log)
I was only connected 11:23 am to 12:11 pm -- about 50 minutes.  My
machine is not registered with anything but the generic name that
my ISP uses for the dialup accounts:

For instance, right now:

$ netstat -r
Routing tables

Internet:
Destination      Gateway            Flags     Refs     Use     Netif Expire
default          XTS13.SYNET.NET    UGc        12        0      tun0
base486          base486            UH         15   100683       lo0
XTS13.SYNET.NET  DIAL3.SYNET.NET    UH         13        0      tun0
224              base486            US          0        0       lo0

So, I'm ``DIAL3.SYNET.NET'' at the moment, but on 5/21 I was most likely
some other ``DIALnn.SYNET.NET''.

My question is: is this a fluke?  How could someone attempt an anonymous
ftp to my machine under these circumstances?  Should I be concerned?

Thanks.

Dave Bodenstab
imdave@synet.net
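
The following is an added example, not part of the original message: one way to summarize refused anonymous FTP logins per source host from a syslog file in the format quoted above, joining each refusal to its ftpd session by PID. The function names `sample_log` and `ftp_refused_summary` are hypothetical, and the sample input is copied from the excerpt in the message.

```shell
#!/bin/sh
# Lines copied from the log excerpt in the message above, "=>>>" markers included.
sample_log() {
cat <<'EOF'
     May 21 11:32:22 base486 identd[25580]: Successful lookup: 1571 , 21 : imdave.imdave
=>>> May 21 11:33:37 base486 ftpd[25593]: connection from ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca
EOF
}

# Usage: ftp_refused_summary /var/log/messages   (reads stdin when no file is given)
# Prints one line per host that had an anonymous login refused:
#   host sessions=<distinct ftpd PIDs> refused=<refusal lines> first="..." last="..."
ftp_refused_summary() {
    awk '
    function note(h, s) {
        if (!(h in first)) first[h] = s
        last[h] = s
    }
    # Drop hand-added "=>>>" markers so the syslog fields line up.
    { sub(/^[ \t]*=>+[ \t]*/, "") }
    # Field 5 is the "program[pid]:" tag; only ftpd lines are of interest.
    $5 ~ /^ftpd\[[0-9]+\]:$/ {
        pid = $5
        gsub(/[^0-9]/, "", pid)
        stamp = $1 " " $2 " " $3
        if ($6 == "connection" && $7 == "from") {
            host = $8
            if (!((host, pid) in seen)) { seen[host, pid] = 1; sessions[host]++ }
            note(host, stamp)
        } else if ($0 ~ /ANONYMOUS FTP LOGIN REFUSED FROM/) {
            host = $NF
            refused[host]++
            note(host, stamp)
        }
    }
    END {
        for (h in refused)
            printf "%s sessions=%d refused=%d first=\"%s\" last=\"%s\"\n",
                   h, sessions[h], refused[h], first[h], last[h]
    }' "$@" | sort
}

sample_log | ftp_refused_summary
```

A host showing many sessions or refusals spread over a long interval is worth a closer look than a single session with a repeated refusal line like the one above.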



