Date:      Tue, 24 Apr 2001 13:58:49 -0600
From:      "alex huppenthal" <alex@aspenworks.com>
To:        <Eric_Stanfield@kenokozie.com>, <dima@RDY.COM>
Cc:        <freebsd-isp@FreeBSD.ORG>
Subject:   Re: IPFW ? hacked?
Message-ID:  <007b01c0ccf9$01b228f0$c800a8c0@aspenworks.com>
References:  <OFDE8B68AA.F1E94189-ON86256A38.006C0EA7@kka.com>


Yea, well, seems pretty funky to me. Here's the owner of the IP address:

A phone call to the number listed simply yields a fast-busy.


HackerDome, Inc. (RDY-DOM)
   707 Continental circle, #1634
   Mountain View, CA 94040
   US

   Domain Name: RDY.COM

   Administrative Contact, Technical Contact, Billing Contact:
      Ruban, Dima  (DR7362)  dima@RDY.COM
      Ruban Consulting, Inc.
      707 Continental circle, #1634
      Mountain View,, CA 94040
      (415) 730-0648


----- Original Message -----
From: <Eric_Stanfield@kenokozie.com>
To: "alex huppenthal" <alex@aspenworks.com>
Cc: <freebsd-isp@FreeBSD.ORG>
Sent: Tuesday, April 24, 2001 1:43 PM
Subject: Re: IPFW ? hacked?


>
> I would do:
>
> [exs@mrtg]> sockstat -4u |more
>
> and see what process is talking to that address.  I set up a linux box not
> too long ago and before I got back to it to tighten it down, some punk from
> an Israeli dsl provider rooted it and set up an app that would let him
> access the box.  The process he loaded changed its name in ps to something
> harmless like cron or something (I don't recall) and had I not looked at
> netstat (which shows more on a linux box) I would never have found out what
> happened.
>
> I really hope you didn't get rooted as one of the main reasons I go about
> preaching the goodness of all things freebsd is that I've never had a bsd
> box hacked.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Eric Stanfield, K2Access
> Keno Kozie Associates
> 222 N LaSalle #1500
> Chicago, IL 60606
> (312) 332-3000
>
>
>
>
>
> From: "alex huppenthal" <alex@aspenworks.com>
> Sent by: owner-freebsd-isp@FreeBSD.ORG
> To: "free" <freebsd-isp@FreeBSD.ORG>
> Subject: IPFW ? hacked?
> Date: 04/24/01 02:32 PM
>
> I set up a pipe - number 5, and set the bandwidth to 20Mbits.
>
> Interestingly, I see 205.149.189.91 as a destination IP address at port
> 5999 collecting data from x.x.18.3
>
> I don't know 205.149.189.91 or have any process running to that site.
> However, the numbers are increasing.
>
> Anyone seen this behavior?
>
> 00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp       x.x.18.3/1027   205.149.189.91/5999  76043 19344253  0    0 0
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

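The check Eric suggests (find out what is talking to that address, and whether the counters keep climbing) can be scripted from the `ipfw pipe show` output Alex posted. This is an added example, not code from either poster: it parses two snapshots of that output and flags flows whose byte counter grew toward a destination that is not in a known-peer allowlist. The second row, the later snapshot and the `192.0.2.10` peer are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Matches one bucket row of `ipfw pipe show`, e.g.
#   0 tcp       x.x.18.3/1027   205.149.189.91/5999  76043 19344253  0    0 0
# Columns: BKT Prot Source/port Dest/port Tot_pkt Tot_bytes Pkt Byte Drp
FLOW_RE = re.compile(
    r"^\s*(?P<bkt>\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)/(?P<sport>\d+)\s+(?P<dst>\S+)/(?P<dport>\d+)\s+"
    r"(?P<tot_pkt>\d+)\s+(?P<tot_bytes>\d+)\s+\d+\s+\d+\s+\d+\s*$"
)

@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tot_pkt: int
    tot_bytes: int

def parse_pipe_show(text):
    """Return the per-flow bucket rows found in `ipfw pipe show` output."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)          # header, pipe and mask lines do not match
        if m:
            flows.append(Flow(m["proto"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]),
                              int(m["tot_pkt"]), int(m["tot_bytes"])))
    return flows

def suspicious_flows(before, after, known_peers):
    """Flows whose byte counter grew between snapshots and whose remote end is unknown."""
    prev = {(f.proto, f.src, f.sport, f.dst, f.dport): f.tot_bytes for f in before}
    flagged = []
    for f in after:
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        grew = f.tot_bytes > prev.get(key, -1)   # a flow absent before counts as growing
        if grew and f.dst not in known_peers:
            flagged.append(f)
    return flagged

# Constructed snapshots in the format of the post; the first row is the one Alex saw.
SNAPSHOT_1 = """00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp       x.x.18.3/1027   205.149.189.91/5999  76043 19344253  0    0 0
  0 tcp       x.x.18.3/2049   192.0.2.10/22          120    48000  0    0 0
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("76043 19344253", "76901 19562110").replace("120    48000", "150    60000")
```

Run it from a cron job against `ipfw pipe show` and pair any hit with `sockstat -4` to get the owning process, which is the step the counters alone cannot give you.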