From owner-freebsd-security Wed May 2 10:35:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 3A2ED37B423 for ; Wed, 2 May 2001 10:35:28 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GCPY6H00.J6V; Wed, 2 May 2001 10:35:05 -0700
Message-ID: <3AF0455D.C242B1F7@globalstar.com>
Date: Wed, 02 May 2001 10:35:25 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: efb-all@vhwy.com
Cc: security@FreeBSD.ORG, efb-all@cotdazr.org
Subject: Re: [GorrellCD@phdnswc.navy.mil: ]
References: <20010501220704.A14264@cotdazr.org> <20010501222316.B14264@cotdazr.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Everett F Batey wrote:
>
> Dear FreeBSD Security Guru,
>
> I need some guidance. My employer with which I have had problems over
> the past 5 years has suggested I (or my IP) am(/is) trying to attack
> his IP space on UDP 111, and sent me the below attached log file.
>
> I am running a pretty sanitized version of FreeBSD 2.2.8, at my home,
> with many patches. Hope soon to be able to go 4.X but can NOT now. I
> am concerned of several possibilities: (1) I could have been root
> kitted, (2) someone could be spoofing my primary address, or (3) I am
> getting some fully B/s stories about what is showing up at the far end
> on their firewall..
>
> I do not know of anything that I do which would cause my FBsd to poke
> at port 111 on the supposed system at the far end. (per attachment).
> That IP IS a computer running Solaris which I have done work INSIDE
> semi firewalled 137.24/16.
>
> The admin of that system advises me there are port 111 assaults on his
> firewall from me, from Navy NCIS, 199 something, from oxnardsd.org,
> where I used to do volunteer work some years ago.

[snip]

Uhhh...

> > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65422 UDP
> > May 1 07:19:51 209.239.229.90:111 -> 137.24.124.222:65423 UDP

These look like responses from port 111 on _your_ system (cotdazr.org is
yours?) to queries made _by_ 137.24.124.222. If there is an attack, it
looks like 137.24.124.222 (NSWC) is trying to attack you. Either that or
the owner of 137.24.124.222 is curious why his machine seems to be trying
to contact yours.
--
Crist J. Clark Network Security Engineer
crist.clark@globalstar.com Globalstar, L.P.
(408) 933-4387 FAX: (408) 933-4926