[CS-FSLUG] Networking details #4 - switch

Ed Hurst ehurst at asisaid.com
Fri Dec 10 13:11:06 CST 2004


Tim Young wrote:
> Hmmm....  That is very curious.  It tries to go out via tun0.  Do you have a tunnel
> set up on your Unix box?  Basically something is trying to download *something*
> from a particular web-site.  I glanced at 216.91.137.16 to see what it was, and it
> returned that I was unable to view the web page.  But it says that it is a virtual
> server.  These are often virtual based on IP or URL that you reached it by.
> 
> What does all this mean?  Well, I would agree with Josiah that it looks like
> something might be hacked.  If you have a tun0 but did not set it up, it could be
> the firewall computer.

Josiah is correct. That's the standard BSD interface for user PPP. It's
been there for quite some time, and it's preparatory for IPv6.

> I would do two things.
> 1) plug it back in and see if you can get a tcpdump of the traffic that is getting
> blocked.

I did, but didn't save the output. I recall it coming via the ethernet
interface, and the "source IP" most certainly was not the one I had
dynamically assigned at the moment.

> 2) see if you have a tun0 running and know why.  It could be something that FreeBSD
> does for PPP or something.  On Linux boxes it is a tunnel, and is really only set
> up by people who know what they are doing to bypass security or set up fairly
> complex security configurations.  If this were a Linux box I would assume the box
> itself had been hacked and was trying to download a payload from an external site.

I would think it was hacked, too. However, the output promptly stopped
when I unplugged the switch. It hasn't come back. I still have the same
firewall and everything in my firewall logs shows only bounces from the
outside (that port 445 crap, mostly).

> Of course, There are a number of unanswered questions.  First, who is:
> 208.31.27.28?  That may be the same network that you dial up to to send out your
> emails (you sent your previous email from: 208.31.95.126).  It could have been from
> your box itself, with the IP that you had from your ISP.

That number belongs to Sprint, but my own ISP uses their services, and
my dialup IPs are registered to Sprint directly.

> When you dial-up to the Internet, PPP (on Linux, of course) usually makes an entry
> in the syslog with the IP that you are given.  So you should be able to look back
> to the time when these logs were made and see what IP address you had at the time.

I checked the appropriate log on FreeBSD to find that out. My previous
message pointed that out at the bottom.

> I am very curious right about now...  But it sounds like you have enough other
> problems at this time with your wife's computer and all...

My own hardware appears to be failing, too. That's another issue.

-- 
Ed Hurst
-----------
A Bible Site -- http://webs.tconline.net/softedges/
Linux & Unix Help -- http://ed.asisaid.com/
Blog -- http://ed.asisaid.com/blog/
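The check Tim suggests above (look back in the PPP log for the address the box held at the time of each firewall hit, then compare it with the source address in that hit) is the step that separates "the gateway itself is phoning home" from "some other host behind the switch is pushing packets through it". Below is an added example of that correlation, written for this page and not taken from the thread or from any FreeBSD tool. It is plain Python so it runs anywhere; the ppp.log "IPCP: myaddr" lines and the ipfw "Deny ... out via tun0" lines are constructed approximations of the real formats (adjust the two regexes to whatever your logs actually look like), and the addresses are RFC 5737 documentation ranges, not anyone's real hosts.

```python
"""Correlate denied outbound packets with the address PPP had assigned at that
moment.  Added example, not code from the original thread.  The log formats
and addresses below are constructed; both regexes are assumptions about the
real ppp.log / ipfw line layout and will need adjusting to match actual logs."""
import re
from datetime import datetime

YEAR = 2004  # syslog lines carry no year; assumed from the thread's date

# Constructed sample ppp.log: two IPCP negotiations, so the address changes mid-day.
PPP_LOG = """\
Dec 10 11:58:02 tun0: IPCP: myaddr 192.0.2.126 hisaddr = 192.0.2.1
Dec 10 12:40:17 tun0: IPCP: myaddr 192.0.2.201 hisaddr = 192.0.2.1
"""

# Constructed sample ipfw log: outbound hits to one web server plus a port-445 probe.
FIREWALL_LOG = """\
Dec 10 12:03:44 ipfw: 300 Deny TCP 192.0.2.126:2514 203.0.113.16:80 out via tun0
Dec 10 12:05:10 ipfw: 300 Deny TCP 198.51.100.28:3312 203.0.113.16:80 out via tun0
Dec 10 12:11:52 ipfw: 400 Deny TCP 198.51.100.9:4120 192.0.2.126:445 in via tun0
Dec 10 12:45:01 ipfw: 300 Deny TCP 192.0.2.201:1044 203.0.113.16:80 out via tun0
Dec 10 12:46:30 ipfw: 300 Deny TCP 192.0.2.126:1051 203.0.113.16:80 out via tun0
"""

_TS = r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)"
PPP_RE = re.compile(_TS + r" tun0: IPCP: myaddr (?P<ip>\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(
    _TS + r" ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def parse_ts(text, year=YEAR):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime (year assumed)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_ppp_assignments(log):
    """Return [(when, address)] for every IPCP 'myaddr' line, oldest first."""
    found = [(parse_ts(m["ts"]), m["ip"])
             for m in (PPP_RE.search(l) for l in log.splitlines()) if m]
    return sorted(found)


def address_at(assignments, when):
    """Address held at `when`: the latest assignment not after it, else None."""
    current = None
    for assigned_at, ip in assignments:
        if assigned_at > when:
            break
        current = ip
    return current


def parse_firewall(log):
    """Parse ipfw deny lines into dicts with a real datetime and int ports."""
    entries = []
    for m in (FW_RE.search(l) for l in log.splitlines()):
        if m:
            e = m.groupdict()
            e["when"] = parse_ts(e.pop("ts"))
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries


def classify(entries, assignments):
    """Label each denied packet:
    inbound-noise  - unsolicited inbound hit (the port-445 background scans)
    ours           - outbound, sourced from the address PPP had given us then
    foreign-source - outbound, but from an address we did not hold at that time;
                     it reached the gateway over the LAN side, so suspect the switch
    Checking the address *at that time* matters: a packet using yesterday's lease
    (12:46:30 below) is still foreign even though the address was once ours."""
    labelled = []
    for e in entries:
        if e["dir"] == "in":
            verdict = "inbound-noise"
        elif e["src"] == address_at(assignments, e["when"]):
            verdict = "ours"
        else:
            verdict = "foreign-source"
        labelled.append((e, verdict))
    return labelled


def suspicious(entries, assignments):
    """Just the outbound packets whose source was not ours at the time."""
    return [e for e, v in classify(entries, assignments) if v == "foreign-source"]


if __name__ == "__main__":
    assigns = parse_ppp_assignments(PPP_LOG)
    for e, verdict in classify(parse_firewall(FIREWALL_LOG), assigns):
        print(f"{e['when']:%b %d %H:%M:%S} {e['src']:>15} -> "
              f"{e['dst']}:{e['dport']:<5} {e['dir']:>3} via {e['iface']}  {verdict}")
```

On the constructed data two of the four outbound denials come back as foreign-source: one from an address the box never held, and one that reuses the earlier lease after IPCP had already renegotiated a new one. That second case is why the lookup is keyed on the timestamp rather than on a set of "addresses I have had"; a naive set check would have waved it through as the gateway's own traffic.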