Date: Tue, 24 Apr 2001 13:58:49 -0600
From: "alex huppenthal" <alex@aspenworks.com>
To: <Eric_Stanfield@kenokozie.com>, <dima@RDY.COM>
Cc: <freebsd-isp@FreeBSD.ORG>
Subject: Re: IPFW ? hacked?
Message-ID: <007b01c0ccf9$01b228f0$c800a8c0@aspenworks.com>
References: <OFDE8B68AA.F1E94189-ON86256A38.006C0EA7@kka.com>
Yea, well, seems pretty funky to me.. Here's the owner of the IP address:
A phone call to the number listed simply yields a fast-busy.

HackerDome, Inc. (RDY-DOM)
   707 Continental circle, #1634
   Mountain View, CA 94040
   US

   Domain Name: RDY.COM

   Administrative Contact, Technical Contact, Billing Contact:
      Ruban, Dima  (DR7362)  dima@RDY.COM
      Ruban Consulting, Inc.
      707 Continental circle, #1634
      Mountain View, CA 94040
      (415) 730-0648

----- Original Message -----
From: <Eric_Stanfield@kenokozie.com>
To: "alex huppenthal" <alex@aspenworks.com>
Cc: <freebsd-isp@FreeBSD.ORG>
Sent: Tuesday, April 24, 2001 1:43 PM
Subject: Re: IPFW ? hacked?


> I would do:
>
> [exs@mrtg]> sockstat -4u |more
>
> and see what process is talking to that address. I set up a linux box not
> too long ago and before I got back to it to tighten it down, some punk from
> an Israeli dsl provider rooted it and set up an app that would let him
> access the box. The process he loaded changed its name in ps to something
> harmless like cron or something (I don't recall) and had I not looked at
> netstat (which shows more on a linux box) I would never have found out what
> happened.
>
> I really hope you didn't get rooted as one of the main reasons I go about
> preaching the goodness of all things freebsd is that I've never had a bsd
> box hacked.
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Eric Stanfield, K2Access
> Keno Kozie Associates
> 222 N LaSalle #1500
> Chicago, IL 60606
> (312) 332-3000
>
>
> "alex huppenthal" <alex@aspenworks.com>
> Sent by: owner-freebsd-isp@FreeBSD.ORG
> 04/24/01 02:32 PM
>
>         To:      "free" <freebsd-isp@FreeBSD.ORG>
>         cc:
>         Subject: IPFW ? hacked?
>
>
> I set up a pipe - number 5, and set the bandwidth to 20Mbits.
>
> Interestingly, I see 205.149.189.91 as a destination IP address at port 5999
> collecting data from x.x.18.3
>
> I don't know 205.149.189.91 or have any process running to that site.
> However, the numbers are increasing.
>
> Anyone seen this behavior?
>
> 00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
>     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp        x.x.18.3/1027     205.149.189.91/5999  76043 19344253  0    0   0
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
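Eric's suggestion is to take the foreign address from the ipfw pipe accounting and look it up in `sockstat -4u` to see which local process owns the connection. The script below is an added example of that correlation, not code posted by anyone on the thread. It parses the two outputs in the column layouts the tools print and pairs each pipe flow with the socket that has the same local and foreign endpoints. The `ipfw pipe show` and `sockstat -4` text embedded in it is constructed sample data: 192.0.2.3 stands in for the masked x.x.18.3 host, the PIDs are made up, and the process is deliberately named `cron` to mirror the point in the thread that a harmless-looking name proves nothing; the PID and user are what you then inspect (`procstat`, `ps -o` with the PID, the binary on disk).

```python
"""Correlate an ipfw pipe flow with sockstat output to find the owning process.

Added example for this thread, not code posted on it. The ipfw and sockstat
lines below are constructed samples in the column layout those tools print;
192.0.2.3 stands in for the masked x.x.18.3 host and the "cron" name is
constructed to mirror the point that a process name proves nothing by itself.
"""
import re

# Constructed sample of `ipfw pipe 5 show` output (one flow row).
IPFW_PIPE_SHOW = """\
00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp       192.0.2.3/1027     205.149.189.91/5999  76043 19344253  0    0   0
"""

# Constructed sample of `sockstat -4` output (FreeBSD column layout).
SOCKSTAT_4 = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     cron       9981  3  tcp4   192.0.2.3:1027        205.149.189.91:5999
alex     sendmail   514   5  tcp4   192.0.2.3:25          *:*
"""

# A flow row: bucket, proto, src/port, dst/port, total packets, total bytes.
FLOW_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>\w+)\s+(?P<src>[\d.]+)/(?P<sport>\d+)"
    r"\s+(?P<dst>[\d.]+)/(?P<dport>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)"
)


def parse_ipfw_flows(text):
    """Return the flow rows of `ipfw pipe show` output as dicts; the pipe
    summary, mask and column-header lines do not match FLOW_RE and are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append({
                "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "pkts": int(m["pkts"]), "bytes": int(m["bytes"]),
            })
    return flows


def parse_sockstat(text):
    """Return the socket rows of `sockstat -4` output as dicts. Data rows have
    exactly seven whitespace-separated fields and a numeric PID; the header
    splits into more fields because the address column names contain spaces."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7 or not parts[2].isdigit():
            continue
        user, command, pid, fd, proto, local, foreign = parts
        sockets.append({"user": user, "command": command, "pid": int(pid),
                        "fd": int(fd), "proto": proto,
                        "local": local, "foreign": foreign})
    return sockets


def owners_of_flows(flows, sockets):
    """Pair each ipfw flow with the local socket(s) whose local and foreign
    endpoints match it. A flow with no match is traffic this box is only
    forwarding: the process lives on the flow's source host, not here."""
    matched, unowned = [], []
    for f in flows:
        local = f"{f['src']}:{f['sport']}"
        foreign = f"{f['dst']}:{f['dport']}"
        hits = [s for s in sockets
                if s["local"] == local and s["foreign"] == foreign]
        if hits:
            matched.extend((f, s) for s in hits)
        else:
            unowned.append(f)
    return matched, unowned


if __name__ == "__main__":
    flows = parse_ipfw_flows(IPFW_PIPE_SHOW)
    matched, unowned = owners_of_flows(flows, parse_sockstat(SOCKSTAT_4))
    for f, s in matched:
        print(f"{f['dst']}:{f['dport']} <- pid {s['pid']} ({s['command']}, "
              f"user {s['user']}), {f['bytes']} bytes so far")
    for f in unowned:
        print(f"{f['dst']}:{f['dport']}: no local socket; forwarded from {f['src']}")
```

One caveat the thread does not spell out: a dummynet pipe counts packets that pass through the firewall, so if x.x.18.3 is a host behind the box rather than the box itself, `sockstat` on the firewall will show nothing for that flow (the `unowned` list above) and the process has to be looked for on x.x.18.3.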