From owner-freebsd-questions@freebsd.org Mon Feb 13 03:34:34 2017
Date: Mon, 13 Feb 2017 04:33:46 +0100
From: Polytropon
To: sixto areizaga
Cc: freebsd-questions@freebsd.org, jon@radel.com
Subject: Re: wireshark issue
Message-Id: <20170213043346.863220d1.freebsd@edvax.de>
In-Reply-To: <20170212121809.5bf28626@newer.home>
References: <20170209174405.5d551b88@newer.home> <20170212121809.5bf28626@newer.home>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)

On Sun, 12 Feb 2017 12:18:09 -0500, sixto areizaga wrote:
> On Thu, 09 Feb 2017 18:22:23 -0500
> Jon Radel wrote:
> > just look at the log of failed connection attempts or fire
> > up a copy of wireshark.
>
> I don't understand? We WERE talking about wireshark?!?

I think the primary pointer here was to obtain additional information from an SSH-related log file; /var/log/security and /var/log/auth.log should be interesting.

> Wireshark gave me an IP and that the connection was from putty,

Interesting that the information about the SSH client has been determined. I have never really paid attention that Wireshark could do this. However, I assume it's possible that this info is spoofed (just as you can spoof User-Agent strings for the web browser).

> Whois and google told me that it's a mobile communications
> company....

Maybe an ISP?

> nmap gave me: Ports open include some windows ports...

That rather looks like a "Windows" PC, maybe connecting via a wireless (UMTS, LTE etc.) connection. This is much more likely to be a "conquered" PC, maybe even part of a botnet, than the assumption that you're experiencing attacks from a smartphone. But keep in mind that I said it's _not entirely impossible_ that this kind of malware also runs on smartphones...

> conclusion: A port scanning script running off some windows laptop or
> tablet, exploiting putty. on a network which seems to come from China.

Quite possible.

> [China] which means ....Someone in my neighborhood is passing around
> hacking software to the "kiddies" ...again. YES, a pattern on my
> network. (and with *my* neighbors)

Interesting concept to get into other people's PCs... it's like sharing floppy disks or CDs with "cool software" with "friends", 20 years ago... ;-)

> > Somebody already answered the first time you asked this question.
>
> Honestly?

Yes, it was me (Thu, 9 Feb 2017 21:40:22 +0100), and you even replied (Thu, 9 Feb 2017 17:51:02 -0500). :-)

The initial confusion that the web site you're testing was somehow causing the SSH connection attempts could be resolved. You've just been observing two different things happening at the same time, where applying a filter to Wireshark was the solution to the strange observation, and blocking the IP from China (or disabling SSH altogether) the solution to the observation per se.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
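Following the pointer to /var/log/auth.log above, here is an added example (my own, not code from anyone in this thread) of the check a defender would actually run: a small POSIX sh script that counts failed sshd logins per source address and lists the addresses over a threshold as candidates for a firewall block. The log lines are constructed, the IPs are RFC 5737 documentation addresses, and the function names and the pf table name are assumptions.

```shell
#!/bin/sh
# Constructed sample of sshd lines in the format OpenSSH writes to
# /var/log/auth.log (hostname "newer" and all addresses are made up).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Feb 12 12:01:03 newer sshd[1234]: Invalid user admin from 203.0.113.7
Feb 12 12:01:05 newer sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Feb 12 12:01:09 newer sshd[1237]: Failed password for root from 203.0.113.7 port 51530 ssh2
Feb 12 12:02:41 newer sshd[1240]: Failed password for root from 198.51.100.9 port 40022 ssh2
Feb 12 12:03:00 newer sshd[1242]: Accepted publickey for sixto from 192.0.2.5 port 50000 ssh2: ED25519 SHA256:...
EOF

# Count failed sshd authentication attempts per source IP, most frequent first.
# Only "Failed password" and "Invalid user" lines count; successful logins are ignored.
# Output: one "<count> <ip>" line per address.  Usage: ssh_failures_by_ip /var/log/auth.log
ssh_failures_by_ip() {
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); break } }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# List addresses with at least $2 failures; these are the ones you would add to a
# pf(4) table (e.g. "pfctl -t sshbrute -T add <ip>", table name assumed) and block.
# Usage: ssh_block_candidates /var/log/auth.log 5
ssh_block_candidates() {
    ssh_failures_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

ssh_failures_by_ip "$SAMPLE_LOG"
ssh_block_candidates "$SAMPLE_LOG" 2
```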