Date: Mon, 13 Feb 2017 04:33:46 +0100 From: Polytropon <freebsd@edvax.de> To: sixto areizaga <thenewcq@optimum.net> Cc: freebsd-questions@freebsd.org, jon@radel.com Subject: Re: wireshark issue Message-ID: <20170213043346.863220d1.freebsd@edvax.de> In-Reply-To: <20170212121809.5bf28626@newer.home> References: <CAKM9q91KKxtqXRTG84Szefww%2BR--S1A7wvgSx5LV3jNS90=4qw@mail.gmail.com> <20170209174405.5d551b88@newer.home> <c2dd4d2c-0e7c-42f0-9eef-2cb734421767@radel.com> <20170212121809.5bf28626@newer.home>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 12 Feb 2017 12:18:09 -0500, sixto areizaga wrote: > On Thu, 09 Feb 2017 18:22:23 -0500 > Jon Radel <jon@radel.com> wrote: > > just look at the log of failed connection attempts or fire > > up a copy of wireshark. > > I dont understand? We WERE talking about wireshark?!? I think the primary pointer here was to obtain additional information from a SSH-related log file; /var/log/security and /var/log/auth.log should be interesting. > Wireshark gave me an IP and that the connection was from putty, Interesting that the information about the SSH client has been determined. I have never really paid attention that Wireshark could do this. However, I assume it's possible that this info is spoofed (such as you can spoof User-Agent strings for the web browser). > Whois and google told me that its a mobile communications > company.... Maybe an ISP? > nmap gave me: Ports open include some windows ports... That rather looks like a "Windows" PC, maybe connecting via a wireless (UMTS, LTE etc.) connection. This is much more likely to be a "conquered" PC, maybe even part of a botnet, than the assumption that you're experiencing attacks from a smartphone. But keep in mind that I said it's _not entirely impossible_ that this kind of malware also runs on smartphones... > conclusion: A port scaning script running off some windows laptop or > tablet, exploiting putty. on a network which seems to come from China. Quite possible. > [China] which means ....Some one in my neighborhood is passing around > hacking software to the "kiddies" ...again. YES, a pattern on my > network. (and with *my* neighbors) Interesting concept to get into other people's PCs... it's like sharing floppy disks or CDs with "cool software" with "friends", 20 years ago... ;-) > > Somebody already answered the first time you asked this question. > > Honestly? Yes, it was me (Thu, 9 Feb 2017 21:40:22 +0100), and you even replied (Thu, 9 Feb 2017 17:51:02 -0500). :-) The initial confusion that the web site you're testing was somehow causing the SSH connection attempts could be resolved. You've just been observing two different things happening at the same time, where applying a filter to Wireshark was the solution to the strange observation, and blocking the IP from China (or disabling SSH altogether) the solution to the observation per se. -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20170213043346.863220d1.freebsd>