wireshark issue

Polytropon freebsd at edvax.de
Mon Feb 13 03:34:35 UTC 2017

On Sun, 12 Feb 2017 12:18:09 -0500, sixto areizaga wrote:
> On Thu, 09 Feb 2017 18:22:23 -0500
> Jon Radel <jon at radel.com> wrote:
> > just look at the log of failed connection attempts or fire
> > up a copy of wireshark.
> I dont understand?  We WERE talking about wireshark?!?

I think the primary pointer here was to obtain additional
information from a SSH-related log file; /var/log/security
and /var/log/auth.log should be interesting.

> Wireshark gave me an IP and that the connection was from putty, 

Interesting that the information about the SSH client has been
determined. I have never really paid attention that Wireshark
could do this. However, I assume it's possible that this info
is spoofed (such as you can spoof User-Agent strings for the
web browser).

> Whois and google told me that its a mobile communications
> company....

Maybe an ISP?

> nmap gave me: Ports open include some windows ports...

That rather looks like a "Windows" PC, maybe connecting via
a wireless (UMTS, LTE etc.) connection. This is much more likely
to be a "conquered" PC, maybe even part of a botnet, than the
assumption that you're experiencing attacks from a smartphone.
But keep in mind that I said it's _not entirely impossible_
that this kind of malware also runs on smartphones...

> conclusion:  A port scaning script running off some windows laptop or
> tablet, exploiting putty. on a network which seems to come from China.

Quite possible.

> [China] which means ....Some one in my neighborhood is passing around
> hacking software to the "kiddies"  ...again. YES, a pattern on my
> network.  (and with *my* neighbors)

Interesting concept to get into other people's PCs... it's like
sharing floppy disks or CDs with "cool software" with "friends",
20 years ago... ;-)

> > Somebody already answered the first time you asked this question. 
> Honestly?

Yes, it was me (Thu, 9 Feb 2017 21:40:22 +0100), and you even
replied (Thu, 9 Feb 2017 17:51:02 -0500). :-)

The initial confusion that the web site you're testing was
somehow causing the SSH connection attempts could be resolved.
You've just been observing two different things happening at
the same time, where applying a filter to Wireshark was the
solution to the strange observation, and blocking the IP from
China (or disabling SSH altogether) the solution to the
observation per se.

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

More information about the freebsd-questions mailing list