From: Bob Johnson
Date: Thu, 12 Feb 2004 18:25:46 -0500
To: Aiken@salem.kent.edu
cc: freebsd-questions@freebsd.org
Subject: Re: Spimware infection
Message-ID: <402C0B7A.7020607@eng.ufl.edu>

Wallace Aiken wrote:
> Date: Thu, 12 Feb 2004 15:25:36 -0500
> From: "Wallace Aiken"
> Subject: Spimware infection
>
> Hi, I'm using two of your firewalls...they work great. But all of
> a sudden they're showing signs of "Spimmware" infection, a kind of
> spyware.
> I also can find no information about "Spimmware" or "Spimware".
> I work for Kent State university and their network scan came up
> with the IPs and host names of my firewalls, as well as some other
> hosts on my subnet that were not behind the firewall...can you give
> me any advice?

Are you using NAT to allow the systems behind a firewall to share the IP address of the firewall? If so, it is most likely systems behind the firewalls that are infected, not the firewalls themselves. If they are monitoring network traffic and seeing suspicious activity, NAT would cause it to have the IP number of your firewall and they would naturally assume that was the infected system.

If you literally mean "network scan" rather than "network monitoring" (i.e. they are actively probing systems for vulnerabilities, not just monitoring network traffic), then ask them which open ports (or other behavior) on the firewalls led them to believe they are infected, and report that to the list. We can probably explain it then.

- Bob
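An added illustration of the NAT point made above (example code written for this page, not from the thread or from any FreeBSD tool): given a NAT translation log in a constructed, hypothetical format, map the firewall address and source port that an outside monitor reported back to the inside host that actually opened the flow, and return nothing when no translation matches, which is the case where the firewall itself (or a host not behind NAT) must be the source.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample NAT translation records in a simplified, hypothetical
# format (not the output of ipnat, pf or ipfw): when the inside host opened
# the flow, its private address:port, the firewall address:port the flow was
# rewritten to, and the protocol.
NAT_LOG = """\
2004-02-12T15:20:01 192.168.1.23:1034 -> 203.0.113.5:50001 tcp
2004-02-12T15:20:05 192.168.1.40:1100 -> 203.0.113.5:50002 tcp
2004-02-12T15:21:30 192.168.1.23:1035 -> 203.0.113.5:50003 udp
"""


@dataclass(frozen=True)
class Translation:
    started: datetime
    inside: tuple[str, int]    # private host address, port
    outside: tuple[str, int]   # firewall address, rewritten port
    proto: str


def _endpoint(text: str) -> tuple[str, int]:
    host, port = text.rsplit(":", 1)
    return host, int(port)


def parse_nat_log(text: str) -> list[Translation]:
    """Parse the constructed log format above into Translation records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, inside, arrow, outside, proto = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected record: {line!r}")
        records.append(Translation(datetime.fromisoformat(when),
                                   _endpoint(inside), _endpoint(outside), proto))
    return records


def attribute(seen_src: str, seen_port: int, proto: str, seen_at: str,
              table: list[Translation]) -> Optional[str]:
    """Return the inside host whose flow was rewritten to seen_src:seen_port
    at ISO time seen_at, choosing the newest translation already open then.
    None means no NAT flow explains the sighting: the traffic came from the
    firewall itself or from a host that is not behind NAT."""
    when = datetime.fromisoformat(seen_at)
    matches = [t for t in table
               if t.outside == (seen_src, seen_port)
               and t.proto == proto and t.started <= when]
    if not matches:
        return None
    return max(matches, key=lambda t: t.started).inside[0]
```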