From owner-freebsd-hackers Sun Jun 23 20:50:45 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id UAA18787 for hackers-outgoing; Sun, 23 Jun 1996 20:50:45 -0700 (PDT)
Received: from dhp.com (dhp.com [199.245.105.1]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id UAA18780; Sun, 23 Jun 1996 20:50:32 -0700 (PDT)
Received: (from jaeger@localhost) by dhp.com (8.7.5/8.6.12) id XAA14147; Sun, 23 Jun 1996 23:50:14 -0400
Date: Sun, 23 Jun 1996 23:50:09 -0400 (EDT)
From: jaeger
To: Bradley Dunn
cc: hackers@FreeBSD.org, security@FreeBSD.org
Subject: Re: I need help on this one - please help me track this guy
In-Reply-To: <199606240335.XAA28034@ns2.harborcom.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 23 Jun 1996, Bradley Dunn wrote:

> The traceroute results do not indicate any DNS tampering. Traceroute
> looks up 127.0.0.1 using gethostbyaddr(), which then uses whatever
> address-to-name translation system you have running
> (eg /etc/hosts,NIS,DNS). I would certainly hope your translation
> system reports localhost for 127.0.0.1. :)

Whoops! I think I should cut back on the caffeine...;>

>
> It does indicate that there is something over there that reports its
> IP address as 127.0.0.1. Perhaps it is some funky terminal server
> hardware. Maybe it returns 127.0.0.1 when it knows that it is
> responsible for the particular IP being traced, but that IP isn't
> currently assigned?
>
> To test this, I tried tracing to some of the other hosts that would
> be in this pool. For example, a230.pu.ru, a231.pu.ru, etc... Some
> of the other ones returned this as well. So my guess would be it
> was a dialup dynamic IP account, and the terminal server sends
> the packets to its loopback interface if the IP isn't assigned.
> I've never encountered this behavior before.

Does anyone know what make or model of hardware this might be?

> Bradley Dunn
>

-jaeger
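
The distinction drawn in the quoted message (the name `localhost` comes from the local address-to-name lookup, while the anomaly is a hop that reports 127.0.0.1 as its own address) can be checked mechanically over saved traceroute output. This is an added example, not part of the original thread; the sample output is constructed with documentation addresses, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed traceroute output (documentation addresses, not from the thread).
SAMPLE = """\
traceroute to 198.51.100.230 (198.51.100.230), 30 hops max, 40 byte packets
 1  gw.example.net (192.0.2.1)  1.2 ms  1.1 ms  1.0 ms
 2  core1.example.net (203.0.113.9)  12.4 ms  12.9 ms  12.2 ms
 3  * * *
 4  localhost (127.0.0.1)  310.5 ms  298.7 ms  305.1 ms
"""

# "<ttl>  <name> (<ipv4>)": the name is whatever the local resolver returned,
# so only the address in parentheses says anything about the remote device.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")


def classify(addr):
    """Return why addr cannot be a real transit address, or None if it can."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    return None


def suspicious_hops(text):
    """List (ttl, displayed_name, address, reason) for implausible hop sources."""
    findings = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line or an all-timeouts hop
        ttl, name, addr = int(m.group(1)), m.group(2), m.group(3)
        try:
            reason = classify(addr)
        except ValueError:
            continue  # not a valid IPv4 address after all
        if reason:
            findings.append((ttl, name, addr, reason))
    return findings


if __name__ == "__main__":
    for ttl, name, addr, reason in suspicious_hops(SAMPLE):
        print(f"hop {ttl}: {addr} ({reason}), shown locally as {name!r}")
```

A hit here points at the device answering at that hop, not at the resolver that supplied the name.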