Date: Tue, 24 Apr 2001 16:01:17 -0400
From: Bill Pechter <pechter@ureach.com>
To: "alex huppenthal" <alex@aspenworks.com>, Eric_Stanfield@kenokozie.com
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Hacked, nah probably cvsup.
Message-ID: <200104242001.QAA18631@www20.ureach.com>
nslookup shows the following on that address

Name:    burka.rdy.com
Address: 205.149.189.91

Name's familiar... used to be my cvsup source... which when looked up as cvsup2.freebsd.org

Name:    burka.rdy.com
Address: 205.149.189.91
Aliases: cvsup2.freebsd.org

in /etc/services

cvsup 5999/tcp

Are you cron'ing cvsup updates?

Bill
--
Bill Pechter
Systems Administrator

---- On Tue, 24 Apr 2001, alex huppenthal (alex@aspenworks.com) wrote:
> Thanks,
>
> I don't see the 5999 port address listed. Yet, the packet count continues
> to grow.
>
> The data is of no use, it's just compressed webpages, but it concerns me
> that the BSD router between the Internet and target system has this
> interesting listing. I set up a pipe to limit bandwidth to the target
> machine, and to watch.
>
> BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
>   0 tcp  205.149.189.91/5999   66.28.18.3/1027       123814 103707137 0 0 0
>
> Checking
>
> http://205.149.189.91/
>
> Doesn't give me a warm and fuzzy feeling.
>
> ----- Original Message -----
> From: <Eric_Stanfield@kenokozie.com>
> To: "alex huppenthal" <alex@aspenworks.com>
> Cc: <freebsd-isp@freebsd.org>
> Sent: Tuesday, April 24, 2001 1:43 PM
> Subject: Re: IPFW ? hacked?
>
> > I would do:
> >
> > [exs@mrtg]> sockstat -4u |more
> >
> > and see what process is talking to that address. I set up a linux box not
> > too long ago and before I got back to it to tighten it down, some punk from
> > an Israeli dsl provider rooted it and set up an app that would let him
> > access the box. The process he loaded changed its name in ps to something
> > harmless like cron or something (I don't recall) and had I not looked at
> > netstat (which shows more on a linux box) I would never have found out what
> > happened.
> >
> > I really hope you didn't get rooted as one of the main reasons I go about
> > preaching the goodness of all things freebsd is that I've never had a bsd
> > box hacked.
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > Eric Stanfield, K2Access
> > Keno Kozie Associates
> > 222 N LaSalle #1500
> > Chicago, IL 60606
> > (312) 332-3000
> >
> > "alex huppenthal" <alex@aspenworks.com>
> > Sent by: owner-freebsd-isp@FreeBSD.ORG
> > 04/24/01 02:32 PM
> > To: "free" <freebsd-isp@FreeBSD.ORG>
> > cc:
> > Subject: IPFW ? hacked?
> >
> > I set up a pipe - number 5, and set the bandwidth to 20Mbits.
> >
> > Interestingly, I see 205.149.189.91 as a destination IP address at port 5999
> > collecting data from x.x.18.3
> >
> > I don't know 205.149.189.91 or have any process running to that site.
> > However, the numbers are increasing.
> >
> > Anyone seen this behavior?
> >
> > 00005: 20.000 Mbit/s 0 ms 50 sl. 1 queues (1 buckets) droptail
> >     mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
> > BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
> >   0 tcp  x.x.18.3/1027   205.149.189.91/5999   76043 19344253 0 0 0
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-isp" in the body of the message
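The thread's conclusion, that the port-5999 traffic is a cron'd cvsup run against the mirror that cvsup2.freebsd.org resolves to, can be turned into a quick triage of an ipfw pipe listing. The Python below is an added example, not code from the list or from FreeBSD: it parses flow rows in the format quoted above, maps the server-side port through a constructed /etc/services excerpt, and flags any peer not in an assumed allowlist (the third flow, to a TEST-NET address, is constructed and not from the thread).

```python
import re
from collections import namedtuple

# Constructed sample of the "ipfw pipe show" flow table quoted in the thread,
# plus one extra flow (to a TEST-NET address) that is not on the page.
IPFW_PIPE_SHOW = """\
00005:  20.000 Mbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp  205.149.189.91/5999  66.28.18.3/1027       123814 103707137 0 0 0
  0 tcp  66.28.18.3/1027      205.149.189.91/5999   76043  19344253  0 0 0
  0 tcp  66.28.18.3/1031      203.0.113.7/5999      512    40960     0 0 0
"""

# Constructed stand-in for the /etc/services lines this example needs.
SERVICES = {("tcp", 5999): "cvsup", ("tcp", 22): "ssh", ("tcp", 80): "http"}
# Hosts expected per service (assumed: the mirror that cvsup2.freebsd.org
# resolved to in the thread). Fill in yours from host(1)/nslookup output.
EXPECTED_PEERS = {"cvsup": {"205.149.189.91"}}

Flow = namedtuple("Flow", "proto src sport dst dport pkts nbytes")
FLOW_RE = re.compile(
    r"^\s*\d+\s+(\w+)\s+([\d.]+)/(\d+)\s+([\d.]+)/(\d+)\s+(\d+)\s+(\d+)")

def parse_flows(text):
    """Parse per-flow rows of an ipfw pipe listing; header lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            proto, src, sport, dst, dport, pkts, nbytes = m.groups()
            flows.append(Flow(proto, src, int(sport), dst, int(dport),
                              int(pkts), int(nbytes)))
    return flows

def classify(flow):
    """Return (service, verdict): the service comes from whichever end uses a
    registered port (the server side, whatever direction the pipe counted),
    and that end's host is checked against the peers expected for it."""
    for host, port in ((flow.src, flow.sport), (flow.dst, flow.dport)):
        svc = SERVICES.get((flow.proto, port))
        if svc is not None:
            ok = host in EXPECTED_PEERS.get(svc, set())
            return svc, "expected" if ok else "unexpected-peer"
    return None, "unregistered-port"

def triage(text):
    """Pair every flow with its verdict so unexpected peers stand out."""
    return [(f,) + classify(f) for f in parse_flows(text)]
```

Knowing the peer is the expected cvsup mirror still leaves the question Eric raised, which local process owns the socket; that is what sockstat -4 on the router answers.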