From owner-freebsd-questions Thu May 29 11:20:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA29667 for questions-outgoing; Thu, 29 May 1997 11:20:05 -0700 (PDT)
Received: from base486.synet.net (imdave@DIAL3.SYNET.NET [168.113.1.5]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA29607 for ; Thu, 29 May 1997 11:20:00 -0700 (PDT)
Received: (from imdave@localhost) by base486.synet.net (8.8.5/8.8.5) id NAA07336 for questions@FreeBSD.org; Thu, 29 May 1997 13:19:48 -0500 (CDT)
Date: Thu, 29 May 1997 13:19:48 -0500 (CDT)
From: Dave Bodenstab
Message-Id: <199705291819.NAA07336@base486.synet.net>
To: questions@FreeBSD.org
Subject: Should I be concerned?
Sender: owner-questions@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

There is probably no answer to this, but I figured I'd try the
collected wisdom of this list.

I happened to grep my log files and found the following in
/var/log/messages:

May 21 11:32:21 base486 identd[25580]: Connection from crl.NMSU.Edu
May 21 11:32:22 base486 identd[25580]: from: 128.123.1.33 ( crl.NMSU.Edu ) for: 1571, 21
May 21 11:32:22 base486 identd[25580]: Successful lookup: 1571 , 21 : imdave.imdave
=>>> May 21 11:33:37 base486 ftpd[25593]: connection from ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca

[I was probably ftp'ing something from crl.NMSU.Edu at the time]

And out of curiosity:

$ nslookup
Default Server:  G30.SYNET.NET
Address:  168.113.1.64

> 128.123.1.33
Server:  G30.SYNET.NET
Address:  168.113.1.64

Name:    crl.NMSU.Edu
Address:  128.123.1.33

> ecsask65.innovplace.saskatoon.sk.ca
Server:  G30.SYNET.NET
Address:  168.113.1.64

Name:    ecsask65.innovplace.saskatoon.sk.ca
Address:  204.83.154.65

What's weird is that I have a dial-up ppp account which assigns a
different IP address to me each time I connect. So, no one can know
ahead of time what IP address I am (or even if I happen to be
connected at any given time.) Also, on 5/21 (from my ppp.log) I was
only connected 11:23 am to 12:11 pm -- about 50 minutes.

My machine is not registered with anything but the generic name that
my ISP uses for the dialup accounts. For instance, right now:

$ netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            XTS13.SYNET.NET    UGc        12        0      tun0
base486            base486            UH         15   100683       lo0
XTS13.SYNET.NET    DIAL3.SYNET.NET    UH         13        0      tun0
224                base486            US          0        0       lo0

So, I'm ``DIAL3.SYNET.NET'' at the moment, but on 5/21 I was most
likely some other ``DIALnn.SYNET.NET''.

My question is: is this a fluke? How could someone attempt an
anonymous ftp to my machine under these circumstances? Should I be
concerned?

Thanks.

Dave Bodenstab
imdave@synet.net
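
An added example, not part of the original message: it parses the syslog lines quoted above, keeps only the ftpd entries, and reports per remote host how many connections and refused anonymous logins were logged and how many seconds after the PPP session began the first one arrived. The function names and the default year of 1997 (from the mail date) are assumptions; the session window is the 11:23 am to 12:11 pm the message gives.

```python
import re
from datetime import datetime

# Log lines copied from the message above, including the author's "=>>>" marks.
SAMPLE_LOG = """\
May 21 11:32:21 base486 identd[25580]: Connection from crl.NMSU.Edu
May 21 11:32:22 base486 identd[25580]: from: 128.123.1.33 ( crl.NMSU.Edu ) for: 1571, 21
May 21 11:32:22 base486 identd[25580]: Successful lookup: 1571 , 21 : imdave.imdave
=>>> May 21 11:33:37 base486 ftpd[25593]: connection from ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca
=>>> May 21 11:33:38 base486 ftpd[25593]: ANONYMOUS FTP LOGIN REFUSED FROM ecsask65.innovplace.saskatoon.sk.ca
"""
# PPP session window the message gives for 5/21 (year assumed from the mail date).
SESSION = (datetime(1997, 5, 21, 11, 23), datetime(1997, 5, 21, 12, 11))

SYSLOG = re.compile(r"^(?:=>+\s*)?(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$")
EVENTS = {  # ftpd message patterns seen in the log above -> counter name
    "connections": re.compile(r"^connection from (\S+)"),
    "anon_refused": re.compile(r"^ANONYMOUS FTP LOGIN REFUSED FROM (\S+)"),
}

def parse(text, year=1997):
    """Yield (timestamp, daemon, message) for every line in syslog format."""
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if m:  # anything else (blank lines, commentary) is skipped
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(5)

def inbound_ftp(text, session=SESSION):
    """Per remote host: ftpd event counts and seconds from PPP dial-up to first contact."""
    start, end = session
    hosts = {}
    for ts, daemon, msg in parse(text):
        if daemon != "ftpd":
            continue  # identd lines are ident queries, not FTP logins to this host
        for counter, pattern in EVENTS.items():
            m = pattern.match(msg)
            if m:
                rec = hosts.setdefault(m.group(1), {
                    "connections": 0, "anon_refused": 0, "in_session": True,
                    "first_seen_s": int((ts - start).total_seconds())})
                rec[counter] += 1
                rec["in_session"] &= start <= ts <= end  # False if any event is outside the window
    return hosts

if __name__ == "__main__":
    print(inbound_ftp(SAMPLE_LOG))
```
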