Date: Tue, 9 Nov 2004 16:53:11 -0500
From: Joe Altman <fj@panix.com>
To: Jorn Argelo <jorn@wcborstel.nl>
Cc: questions@freebsd.org
Subject: Re: Strange netstat output
Message-ID: <20041109215311.GA15288@panix.com>
In-Reply-To: <20041108100954.M66265@wcborstel.nl>
References: <20041108100954.M66265@wcborstel.nl>

On Mon, Nov 08, 2004 at 11:20:03AM +0100, Jorn Argelo wrote:
> Hi folks,
>
> Recently I took notice about a strange netstat output within my LAN:
>
> [jorn@www] ~> netstat -ra
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            ACA80101.ipt.aol.c UGS         0   156153    rl0
> localhost          localhost          UH          2   539754    lo0
> ACA80100.ipt.aol.c link#1             UC          0        0    rl0
> ACA80101.ipt.aol.c 00:09:5b:a7:a4:3e  UHLW        1     3918    rl0    790
> ACA80102.ipt.aol.c 00:10:a7:0d:6f:7f  UHLW        0      325    rl0   1193
> ACA80104.ipt.aol.c localhost          UGHS        0        0    lo0
> ACA801FF.ipt.aol.c ff:ff:ff:ff:ff:ff  UHLWb       0     1091    rl0
> 192.168.2.105      localhost          UGHS        0        0    lo0
>
>
> The ipt.aol.com is the one that's the problem. If I ping it, it returns this:
>
>
> PING ACA80102.ipt.aol.com (172.168.1.2): 56 data bytes
> 64 bytes from 172.168.1.2: icmp_seq=0 ttl=64 time=0.120 ms
> 64 bytes from 172.168.1.2: icmp_seq=1 ttl=64 time=0.149 ms
> 64 bytes from 172.168.1.2: icmp_seq=2 ttl=64 time=0.149 ms
> ^C
> --- ACA80102.ipt.aol.com ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.120/0.139/0.149/0.014 ms
> [jorn@www] ~>
>
> Which is my internal IP address. If I ping ACA80104, it goes to 172.168.1.4. If
> I ping ACA80100, it says 172.168.1.100 and ACA801FF is the 172.168.1.255
> address (the broadcast address, if I recall my Cisco classes correctly).

Are you saying that you've used 172.168.1.2 for a host on your LAN? If so:

04:43 PM: whois -h whois.arin.net 172.168.1.2

OrgName:    America Online
OrgID:      AOL
Address:    22000 AOL Way
City:       Dulles
StateProv:  VA
PostalCode: 20166
Country:    US

NetRange:   172.128.0.0 - 172.191.255.255
CIDR:       172.128.0.0/10

The ipt machines are clients using AOL for connectivity, IIACI.

I think you mean to use:

172.16.0.0 through 172.31.255.255

> The 192.168.1.105 address is rather strange as well, because I'm not using
> that range on the router's DHCP server (Netgear FVS318, in case you want to know)
>
> So my question is, what are these? My firewall log (on the router) is showing
> some major blocking on port 445 and 135. It's not like one IP address is doing
> all the bad stuff; most of them are just random grabs from virus infected
> machines.

-- 
One million points of light shining on the new world-order model for
fascism and tyranny. Get in line.
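
Added example, not part of the original message: a Python check that decodes the hex-encoded first label of the hostnames in the routing table above (ACA80102 is 172.168.1.2 written in hex) and tests each address against the RFC 1918 private ranges. The function names and the SAMPLE list are assumptions made for this illustration; the destinations are copied from the quoted netstat output.

```python
import ipaddress
import re

# RFC 1918 private ranges; 172.16.0.0/12 is 172.16.0.0 through 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HEX_LABEL = re.compile(r"^[0-9A-Fa-f]{8}$")


def decode_hex_label(hostname):
    """Return the IPv4 address encoded as 8 hex digits in the first DNS label."""
    label = hostname.split(".", 1)[0]
    if not HEX_LABEL.match(label):
        return None
    return ipaddress.IPv4Address(int(label, 16))


def is_rfc1918(addr):
    """True only for addresses inside one of the three RFC 1918 blocks."""
    return any(addr in net for net in RFC1918)


def audit(destinations):
    """Map each destination to (address, is_rfc1918); skip non-address names."""
    report = {}
    for dest in destinations:
        addr = decode_hex_label(dest)
        if addr is None:
            try:
                addr = ipaddress.IPv4Address(dest)
            except ValueError:
                continue  # e.g. 'default', 'localhost'
        report[dest] = (str(addr), is_rfc1918(addr))
    return report


# Destination column from the quoted netstat output (netstat truncates names).
SAMPLE = ["default", "localhost", "ACA80101.ipt.aol.c", "ACA80102.ipt.aol.c",
          "ACA80104.ipt.aol.c", "ACA801FF.ipt.aol.c", "192.168.2.105"]

if __name__ == "__main__":
    for dest, (addr, private) in audit(SAMPLE).items():
        status = "RFC 1918" if private else "publicly allocated space"
        print(f"{dest:20} {addr:16} {status}")
```

Any LAN address reported as publicly allocated space will be reverse-resolved to whatever name its real owner publishes, which is how the ipt.aol.com names end up in the table.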