Help...am I being hacked?

Conrad J. Sabatier conrads at cox.net
Thu Nov 25 14:10:34 PST 2004


On Thu, 2004-11-25 at 01:35 -0800, Dino Vliet wrote:
> Hi all,
> 
> I'm using FreeBSD 4.10 on my laptop and I was browsing
> my filesystem and looking at some log files, when I
> stumbled into the file dmesg.yesterday in /var/log/
> 
> The contents of this file worried me. Take a look at
> the last lines of it:
> 
> Connection attempt to TCP 192.168.1.101:5554 from
> 220.147.188.223:4970 flags:0x02
> Connection attempt to TCP 192.168.1.101:9898 from
> 220.147.188.223:1288 flags:0x02
> Connection attempt to TCP 192.168.1.101:21 from
> 168.126.102.33:57216 flags:0x02
> Connection attempt to UDP 192.168.1.101:1026 from
> 222.88.173.5:31889
> Connection attempt to TCP 192.168.1.101:9898 from
> 67.1.4.194:3161 flags:0x02

These merely indicate connection *attempts*, not actual successful
connections to your machine.  They don't mean you've been "hacked".

> But my IP on this machine starts with 130.
> 
> But I recognize these IPs (192.168.1.101), because at
> home I'm using an e-tech router and it assigns me
> through DHCP 192.168.1.* as IP address every time I
> connect my laptop with this. At the campus, I'm also
> using DHCP to connect to the network. However, lately
> I haven't used my router at home and was only
> connecting through the network at the campus. There I
> get the IP address 130.37.28.112.
> 
> I have removed the old dhcp.leases in /var/db that had
> the information of my e-tech router.
> 
> I am using ipfw too now, but still it would be
> convenient to know where to look for hack attempts and
> look for log files which give information about
> connection attempts from outside. 

/var/log/security, /var/log/ipfw.*, /var/log/messages, and so on.

With a more "stealthy" firewall setup, you wouldn't even be seeing these
connection attempt logs, as these outsiders would never even manage to
reach your machine at all.

-- 
Conrad J. Sabatier -- conrads at cox.net -- "In Unix veritas"
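
Added example, not part of the original message: a small Python parser for the "Connection attempt to ..." log format quoted above, which decodes the TCP flags value (0x02 is a bare SYN, i.e. an unanswered connection request) and groups the probed ports by source address. The function names are hypothetical; the sample lines are the five entries from the quoted excerpt with the e-mail line wrapping undone.

```python
import re
from collections import defaultdict

# TCP header flag bits (low six bits of the flags byte).
TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Matches the entry anywhere in a line, so a syslog prefix is tolerated.
# UDP entries carry no flags field.
LINE_RE = re.compile(
    r"Connection attempt to (TCP|UDP) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) from (\d+\.\d+\.\d+\.\d+):(\d+)"
    r"(?: flags:0x([0-9a-fA-F]+))?")

def decode_flags(value):
    """Return the names of the TCP flag bits set in value."""
    return [name for bit, name in TCP_FLAGS if value & bit]

def parse_line(line):
    """Parse one log line; return a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    proto, dst, dport, src, sport, flags = m.groups()
    return {"proto": proto, "dst": dst, "dport": int(dport),
            "src": src, "sport": int(sport),
            "flags": decode_flags(int(flags, 16)) if flags else []}

def summarize(lines):
    """Map each source address to the sorted (proto, port) pairs it probed."""
    probes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            probes[rec["src"]].add((rec["proto"], rec["dport"]))
    return {src: sorted(ports) for src, ports in probes.items()}

# The five entries quoted in the message, unwrapped onto single lines.
SAMPLE = [
    "Connection attempt to TCP 192.168.1.101:5554 from 220.147.188.223:4970 flags:0x02",
    "Connection attempt to TCP 192.168.1.101:9898 from 220.147.188.223:1288 flags:0x02",
    "Connection attempt to TCP 192.168.1.101:21 from 168.126.102.33:57216 flags:0x02",
    "Connection attempt to UDP 192.168.1.101:1026 from 222.88.173.5:31889",
    "Connection attempt to TCP 192.168.1.101:9898 from 67.1.4.194:3161 flags:0x02",
]

if __name__ == "__main__":
    for src, ports in sorted(summarize(SAMPLE).items()):
        print(src, ports)
```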




More information about the freebsd-questions mailing list