# keep getting hacked (Solved) and yes it's true

## Snappi

Hi, I've been hacked >3 times now by the same guy.

I have iptables set up, and chkrootkit and rkhunter don't detect anything.

ps -ef

```
UID        PID  PPID  C STIME TTY          TIME CMD

root         1     0  0 13:31 ?        00:00:00 init [3]

root         2     1  0 13:31 ?        00:00:00 [ksoftirqd/0]

root         3     1  0 13:31 ?        00:00:00 [watchdog/0]

root         4     1  0 13:31 ?        00:00:00 [events/0]

root         5     1  0 13:31 ?        00:00:00 [khelper]

root         6     1  0 13:31 ?        00:00:00 [kthread]

root         8     6  0 13:31 ?        00:00:00 [kblockd/0]

root         9     6  0 13:31 ?        00:00:00 [kacpid]

root       130     6  0 13:31 ?        00:00:00 [kseriod]

root       133     6  0 13:31 ?        00:00:00 [khubd]

root       224     6  0 13:31 ?        00:00:00 [pdflush]

root       225     6  0 13:31 ?        00:00:00 [pdflush]

root       226     1  0 13:31 ?        00:00:00 [kswapd0]

root       227     6  0 13:31 ?        00:00:00 [aio/0]

root       839     6  0 13:31 ?        00:00:00 [kpsmoused]

root       887     6  0 13:31 ?        00:00:00 [ata/0]

root       893     6  0 13:31 ?        00:00:00 [scsi_eh_0]

root       894     6  0 13:31 ?        00:00:00 [scsi_eh_1]

root       899     6  0 13:31 ?        00:00:00 [scsi_eh_2]

root       900     6  0 13:31 ?        00:00:00 [scsi_eh_3]

root       913     1  0 13:31 ?        00:00:00 [khpsbpkt]

root       917     1  0 13:31 ?        00:00:00 [knodemgrd_0]

root      1139     1  0 13:32 ?        00:00:01 /sbin/udevd --daemon

root      5093     1  0 13:32 ?        00:00:00 /usr/sbin/syslog-ng

root      5661     1  0 13:32 ?        00:00:00 /usr/kde/3.5/bin/kdm

root      5664  5661  0 13:32 tty7     00:00:12 /usr/bin/X -br -nolisten tcp :0 vt7 -auth /var/run/xauth/A:0-isnE

root      5665  5661  0 13:32 ?        00:00:00 -:0

root      6087     1  0 13:32 ?        00:00:00 /usr/sbin/cron

root      6178     1  0 13:32 tty1     00:00:00 /sbin/agetty 38400 tty1 linux

root      6179     1  0 13:32 tty2     00:00:00 /sbin/agetty 38400 tty2 linux

root      6180     1  0 13:32 tty3     00:00:00 /sbin/agetty 38400 tty3 linux

root      6181     1  0 13:32 tty4     00:00:00 /sbin/agetty 38400 tty4 linux

root      6182     1  0 13:32 tty5     00:00:00 /sbin/agetty 38400 tty5 linux

root      6183     1  0 13:32 tty6     00:00:00 /sbin/agetty 38400 tty6 linux

sim       6203  5665  0 13:32 ?        00:00:00 /bin/sh /usr/kde/3.5/bin/startkde

sim       6231     1  0 13:32 ?        00:00:00 /usr/bin/dbus-launch --sh-syntax --exit-with-session

sim       6232     1  0 13:32 ?        00:00:00 dbus-daemon --fork --print-pid 8 --print-address 6 --session

root      6250     1  0 13:32 ?        00:00:00 start_kdeinit --new-startup +kcminit_startup

sim       6251     1  0 13:32 ?        00:00:00 kdeinit Running...

sim       6254     1  0 13:32 ?        00:00:00 dcopserver [kdeinit] --nosid

sim       6256  6251  0 13:32 ?        00:00:00 klauncher [kdeinit] --new-startup

sim       6258     1  0 13:32 ?        00:00:00 kded [kdeinit] --new-startup

sim       6263  6203  0 13:32 ?        00:00:00 kwrapper ksmserver

sim       6265     1  0 13:32 ?        00:00:00 ksmserver [kdeinit]

sim       6266  6251  0 13:32 ?        00:00:00 kwin [kdeinit] -session 1014cd7d2d4000116302868900000054200000_11

sim       6268     1  0 13:32 ?        00:00:00 knotify [kdeinit]

sim       6270     1  0 13:32 ?        00:00:00 kdesktop [kdeinit]

sim       6272     1  0 13:32 ?        00:00:01 kicker [kdeinit]

sim       6273  6251  0 13:32 ?        00:00:00 kio_file [kdeinit] file /tmp/ksocket-sim/klauncherizfGjc.slave-so

sim       6279     1  0 13:32 ?        00:00:00 kaccess [kdeinit]

sim       6282     1  0 13:32 ?        00:00:00 kxkb [kdeinit]

sim       6286     1  0 13:32 ?        00:00:00 klipper [kdeinit]

sim       6298  6251  0 13:32 ?        00:00:00 konsole [kdeinit]

sim       6299  6298  0 13:32 pts/1    00:00:00 /bin/bash

sim       6594  6298  0 13:55 pts/2    00:00:00 /bin/bash

root      6598  6594  0 13:55 pts/2    00:00:00 su -

root      6601  6598  0 13:55 pts/2    00:00:00 -su

root      6604  6601  0 13:55 pts/2    00:00:04 firestarter

root      6606     1  0 13:55 pts/2    00:00:00 /usr/libexec/gconfd-2 11

sim       6810  6270  0 13:56 ?        00:00:00 /bin/bash /usr/libexec/mozilla-launcher

sim       6819  6810  1 13:56 ?        00:00:16 /usr/lib64/mozilla-firefox/firefox-bin

sim       6824     1  0 13:56 ?        00:00:00 /usr/libexec/gconfd-2 12

sim       6831  6819  0 13:56 ?        00:00:00 [netstat] <defunct>

root      7109  6299  0 14:02 pts/1    00:00:00 su -

root      7112  7109  0 14:02 pts/1    00:00:00 -su

root      8262  7112  0 14:22 pts/1    00:00:00 ps -ef

```

I don't know what logs I should post, but pls tell me what you want to see and I will reply with that.

Last edited by Snappi on Tue Dec 05, 2006 8:20 pm; edited 1 time in total

----------

## PaulBredbury

 *Snappi wrote:*   

> I've been hacked

 

What has the guy done? Gained root privileges?

----------

## NeddySeagoon

Snappi,

How does the hacker get in ?

What makes you think you have been hacked ?

----------

## Snappi

I don't know how he gets in, but he writes to me in both X and in the terminal. I assume he has root privileges.

----------

## albright

probably best to wipe off the drive and reinstall ...

but if you can talk to the guy you could offer him

money to go away after explaining how s/he did it

----------

## Snappi

I have reinstalled the box 3 times in this order windows, gentoo, gentoo

He keeps getting in every time, I change passwords and usernames

----------

## NeddySeagoon

Snappi,

That may not mean you are hacked. Do you accept messages?

I forget the proper name for them, but it's like the network broadcast messages that sysadmins use to tell users to log off while servers are being restarted. Your hacker may just be using that mechanism to send messages to your IP.

However, its a one way message. Are you able to write back ?

If so, thats more worrying.

The only way to clean up a compromised system is to reinstall from the beginning.

You should not even restore from backups unless you can date the compromise and use backups from before that date.

----------

## PaulBredbury

Money? Yeah right, hackers have such strong morals that the guy will probably give a 10% discount if asked nicely.

More detail is needed here. "Writes to me" is far too vague.

I block ports 6000:6255 and 177 for Xorg, and 22 for SSH.

----------

## Snappi

he writes to me and I can write back. he is watching this!ttt

----------

## NeddySeagoon

Snappi,

That's not messages then.  There is no point in doing more installs until you find out how he is getting in.

You say you have Windows and Gentoo installed. Does this happen under Windows and Gentoo, or only with one OS ?

Which one ?

----------

## Snappi

I don't know how he is getting in, I had windows and switched to gentoo so the only installed OS is gentoo, but he was able to get in through both gentoo and windows.

how do I find out how he got in???

----------

## NeddySeagoon

Snappi,

Start by looking at your log files in /var/log; exactly where you need to look depends on your logger.

You are looking for connection attempts

----------

## bodhaami

System logs are one source of information.

You can also always try to ask the standard linux tools. The most relevant are 

```
users
```

 and 

```
last
```

.

users should give you everybody logged into the system. The linux version reports every single instance when given no arguments (BSD version prints only the names of the users once).

That means that you should usually see your username several times if you have some xterms open because they are mostly bash -l bashes with a bit of graphics around  :Smile: .

Now count them and see if they match. If you have logged into your system and have two xterms then you should see three times your username. And NO root!

Far more useful should be last. run something like 

```
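# Pseudo-terminal logins (ssh, terminal emulators) are recorded by last under
# pts/N on Linux (the ps listing earlier in the thread shows pts/1 and pts/2),
# so match "pts"; "pty" would not match those entries.
last | grep pts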
```

 or 

```
# Keep only the sessions that have no logout record yet, i.e. the ones
# last reports as "still logged in".
last | grep "still logged in"
```

Watch out for usernames you don't know or for sessions you never started. And of course for occurrences of root logins. You should also read the manpages.

Read the manpages of both to get more information out of them. What does the mysterious guy tell you? What do you mean by "he's writing messages to you"? By what means? Where do they appear?

----------

## dev-urandom

I would suggest a couple of more things. 

```
# -n: numeric addresses and ports (no name lookups), -l: listening sockets only,
# -p: owning PID/program name (run as root to see it for every socket).
netstat -nlp
```

This as root will give you the list of all listening servers, along with the process names and pid. Shut down all those that you don't want. Also, go through /etc/passwd - delete unwanted users and change the shell from /bin/bash to /sbin/nologin or /bin/false for all the users that don't need to log in.

Run 

```
w
```

 to see the list of people logged in and from where they did it. See if this is an ssh session, and if so kill them. Disable root ssh access and shut it down unless you absolutely need it. And please explain what you mean by you can write messages to each other? If these are wall/broadcast messages then you have a true problem. I assume that they are not IM messages from gaim/kopete.

----------

## Snappi

/var/log files

```
localhost log # ls -ls

total 3980

  28 -rw-r--r-- 1 root    root      28231 Nov 18 14:09 Xorg.0.log

  28 -rw-r--r-- 1 root    root      28208 Nov 18 11:12 Xorg.0.log.old

  28 -rw-r--r-- 1 root    root      28012 Nov  8 20:34 Xorg.8.log

  28 -rw-r--r-- 1 root    root      27910 Nov  8 20:31 Xorg.8.log.old

  20 -rw-r----- 1 root    root      18179 Nov 18 13:32 dmesg

 360 -rw-rw---- 1 portage portage  360735 Nov 18 16:54 emerge.log

   8 -rw------- 1 root    root      32032 Nov 17 18:28 faillog

  28 -rw-r--r-- 1 root    root      28523 Nov 18 13:32 kdm.log

  20 -rw-r--r-- 1 root    root     292292 Nov 18 13:32 lastlog

3092 -rw------- 1 root    root    3160813 Nov 18 21:57 messages

   4 drwxr-xr-x 2 root    root       4096 Aug  3 11:22 news

   4 drwxrwx--- 2 root    portage    4096 Nov 12 16:00 sandbox

 332 -rw-rw-r-- 1 root    utmp     332160 Nov 18 13:32 wtmp

```

The only one I think is relevant is messages, but I don't know, pls correct me if it's so. The problem is it contains 19000 lines, but I post today's log, when I think he had access:

```
Nov 18 13:32:11 localhost syslog-ng[5093]: syslog-ng version 1.6.11 starting

Nov 18 13:32:11 localhost syslog-ng[5093]: Changing permissions on special file /dev/tty12

Nov 18 13:32:11 localhost Bootdata ok (command line is root=/dev/sda7)

Nov 18 13:32:11 localhost Linux version 2.6.17-gentoo-r8 (root@localhost) (gcc version 4.1.1 (Gentoo 4.1.1-r2)) #7 Fri Nov 17 23:26:10 CET 2006

Nov 18 13:32:11 localhost BIOS-provided physical RAM map:

Nov 18 13:32:11 localhost BIOS-e820: 0000000000000000 - 000000000009f800 (usable)

Nov 18 13:32:11 localhost BIOS-e820: 000000000009f800 - 00000000000a0000 (reserved)

Nov 18 13:32:11 localhost BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)

Nov 18 13:32:11 localhost BIOS-e820: 0000000000100000 - 000000003fff0000 (usable)

Nov 18 13:32:11 localhost BIOS-e820: 000000003fff0000 - 000000003fff3000 (ACPI NVS)

Nov 18 13:32:11 localhost BIOS-e820: 000000003fff3000 - 0000000040000000 (ACPI data)

Nov 18 13:32:11 localhost BIOS-e820: 00000000e0000000 - 00000000f0000000 (reserved)

Nov 18 13:32:11 localhost BIOS-e820: 00000000fec00000 - 0000000100000000 (reserved)

Nov 18 13:32:11 localhost DMI 2.3 present.

Nov 18 13:32:11 localhost ACPI: RSDP (v000 Nvidia                                ) @ 0x00000000000f9240

Nov 18 13:32:11 localhost ACPI: RSDT (v001 Nvidia AWRDACPI 0x42302e31 AWRD 0x00000000) @ 0x000000003fff3040

Nov 18 13:32:11 localhost ACPI: FADT (v001 Nvidia AWRDACPI 0x42302e31 AWRD 0x00000000) @ 0x000000003fff30c0

Nov 18 13:32:11 localhost ACPI: SSDT (v001 PTLTD  POWERNOW 0x00000001  LTP 0x00000001) @ 0x000000003fff9700

Nov 18 13:32:11 localhost ACPI: SRAT (v001 AMD    HAMMER   0x00000001 AMD  0x00000001) @ 0x000000003fff9840

Nov 18 13:32:11 localhost ACPI: MCFG (v001 Nvidia AWRDACPI 0x42302e31 AWRD 0x00000000) @ 0x000000003fff9940

Nov 18 13:32:11 localhost ACPI: MADT (v001 Nvidia AWRDACPI 0x42302e31 AWRD 0x00000000) @ 0x000000003fff9600

Nov 18 13:32:11 localhost ACPI: DSDT (v001 NVIDIA AWRDACPI 0x00001000 MSFT 0x0100000e) @ 0x0000000000000000

Nov 18 13:32:11 localhost On node 0 totalpages: 256918

Nov 18 13:32:11 localhost DMA zone: 2413 pages, LIFO batch:0

Nov 18 13:32:11 localhost DMA32 zone: 254505 pages, LIFO batch:31

Nov 18 13:32:11 localhost Nvidia board detected. Ignoring ACPI timer override.

Nov 18 13:32:11 localhost ACPI: PM-Timer IO Port: 0x4008

Nov 18 13:32:11 localhost ACPI: Local APIC address 0xfee00000

Nov 18 13:32:11 localhost ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)

Nov 18 13:32:11 localhost Processor #0 15:7 APIC version 16

Nov 18 13:32:11 localhost ACPI: LAPIC (acpi_id[0x01] lapic_id[0x01] disabled)

Nov 18 13:32:11 localhost ACPI: LAPIC (acpi_id[0x02] lapic_id[0x02] disabled)

Nov 18 13:32:11 localhost ACPI: LAPIC (acpi_id[0x03] lapic_id[0x03] disabled)

Nov 18 13:32:11 localhost ACPI: LAPIC_NMI (acpi_id[0x00] high edge lint[0x1])

Nov 18 13:32:11 localhost ACPI: LAPIC_NMI (acpi_id[0x01] high edge lint[0x1])

Nov 18 13:32:11 localhost ACPI: LAPIC_NMI (acpi_id[0x02] high edge lint[0x1])

Nov 18 13:32:11 localhost ACPI: LAPIC_NMI (acpi_id[0x03] high edge lint[0x1])

Nov 18 13:32:11 localhost ACPI: IOAPIC (id[0x04] address[0xfec00000] gsi_base[0])

Nov 18 13:32:11 localhost IOAPIC[0]: apic_id 4, version 17, address 0xfec00000, GSI 0-23

Nov 18 13:32:11 localhost ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)

Nov 18 13:32:11 localhost ACPI: INT_SRC_OVR (bus 0 bus_irq 14 global_irq 14 high edge)

Nov 18 13:32:11 localhost ACPI: INT_SRC_OVR (bus 0 bus_irq 15 global_irq 15 high edge)

Nov 18 13:32:11 localhost ACPI: IRQ9 used by override.

Nov 18 13:32:11 localhost ACPI: IRQ14 used by override.

Nov 18 13:32:11 localhost ACPI: IRQ15 used by override.

Nov 18 13:32:11 localhost Setting APIC routing to flat

Nov 18 13:32:11 localhost Using ACPI (MADT) for SMP configuration information

Nov 18 13:32:11 localhost Allocating PCI resources starting at 50000000 (gap: 40000000:a0000000)

Nov 18 13:32:11 localhost Checking aperture...

Nov 18 13:32:11 localhost CPU 0: aperture @ 203a000000 size 32 MB

Nov 18 13:32:11 localhost Aperture from northbridge cpu 0 too small (32 MB)

Nov 18 13:32:11 localhost No AGP bridge found

Nov 18 13:32:11 localhost Built 1 zonelists

Nov 18 13:32:11 localhost Kernel command line: root=/dev/sda7

Nov 18 13:32:11 localhost Initializing CPU#0

Nov 18 13:32:11 localhost PID hash table entries: 4096 (order: 12, 32768 bytes)

Nov 18 13:32:11 localhost time.c: Using 3.579545 MHz WALL PM GTOD PIT/TSC timer.

Nov 18 13:32:11 localhost time.c: Detected 2211.351 MHz processor.

Nov 18 13:32:11 localhost Console: colour VGA+ 80x25

Nov 18 13:32:11 localhost Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes)

Nov 18 13:32:11 localhost Inode-cache hash table entries: 65536 (order: 7, 524288 bytes)

Nov 18 13:32:11 localhost Memory: 1025432k/1048512k available (2794k kernel code, 22312k reserved, 1492k data, 188k init)

Nov 18 13:32:11 localhost Calibrating delay using timer specific routine.. 4425.34 BogoMIPS (lpj=8850684)

Nov 18 13:32:11 localhost Mount-cache hash table entries: 256

Nov 18 13:32:11 localhost CPU: L1 I Cache: 64K (64 bytes/line), D cache 64K (64 bytes/line)

Nov 18 13:32:11 localhost CPU: L2 Cache: 1024K (64 bytes/line)

Nov 18 13:32:11 localhost CPU: AMD Athlon(tm) 64 Processor 3700+ stepping 01

Nov 18 13:32:11 localhost Using local APIC timer interrupts.

Nov 18 13:32:11 localhost result 12564516

Nov 18 13:32:11 localhost Detected 12.564 MHz APIC timer.

Nov 18 13:32:11 localhost testing NMI watchdog ... OK.

Nov 18 13:32:11 localhost NET: Registered protocol family 16

Nov 18 13:32:11 localhost ACPI: bus type pci registered

Nov 18 13:32:11 localhost PCI: Using MMCONFIG at e0000000

Nov 18 13:32:11 localhost PCI: No mmconfig possible on device 0:18

Nov 18 13:32:11 localhost ACPI: Subsystem revision 20060127

Nov 18 13:32:11 localhost ACPI: Interpreter enabled

Nov 18 13:32:11 localhost ACPI: Using IOAPIC for interrupt routing

Nov 18 13:32:11 localhost ACPI: PCI Root Bridge [PCI0] (0000:00)

Nov 18 13:32:11 localhost PCI: Probing PCI hardware (bus 00)

Nov 18 13:32:11 localhost PCI: Transparent bridge - 0000:00:09.0

Nov 18 13:32:11 localhost Boot video device is 0000:05:00.0

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Routing Table [\_SB_.PCI0._PRT]

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Routing Table [\_SB_.PCI0.HUB0._PRT]

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LNK1] (IRQs 3 4 5 7 9 10 11 12 14 15) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LNK2] (IRQs 3 4 5 7 9 10 11 12 14 15) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LNK3] (IRQs 3 4 *5 7 9 10 11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LNK4] (IRQs 3 4 *5 7 9 10 11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LNK5] (IRQs 3 4 5 7 9 10 11 12 14 15) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LUBA] (IRQs 3 4 5 7 9 10 *11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LUBB] (IRQs 3 4 5 7 9 10 11 12 14 15) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LMAC] (IRQs 3 4 5 7 9 10 *11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LACI] (IRQs *3 4 5 7 9 10 11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LMCI] (IRQs 3 4 5 7 9 *10 11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LSMB] (IRQs 3 4 5 7 9 *10 11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LUB2] (IRQs *3 4 5 7 9 10 11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LIDE] (IRQs 3 4 5 7 9 10 11 12 14 15) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LSID] (IRQs 3 4 5 7 9 *10 11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LFID] (IRQs 3 4 5 7 9 10 *11 12 14 15)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [LPCA] (IRQs 3 4 5 7 9 10 11 12 14 15) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APC1] (IRQs 16) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APC2] (IRQs 17) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APC3] (IRQs 18) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APC4] (IRQs 19) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APC5] (IRQs *16), disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCF] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCG] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCH] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCJ] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCK] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCS] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCL] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCZ] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APSI] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APSJ] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCP] (IRQs 20 21 22 23) *0, disabled.

Nov 18 13:32:11 localhost SCSI subsystem initialized

Nov 18 13:32:11 localhost usbcore: registered new driver usbfs

Nov 18 13:32:11 localhost usbcore: registered new driver hub

Nov 18 13:32:11 localhost PCI: Using ACPI for IRQ routing

Nov 18 13:32:11 localhost PCI: If a device doesn't work, try "pci=routeirq".  If it helps, post a report

Nov 18 13:32:11 localhost PCI-DMA: Disabling IOMMU.

Nov 18 13:32:11 localhost PCI: Bridge: 0000:00:09.0

Nov 18 13:32:11 localhost IO window: a000-afff

Nov 18 13:32:11 localhost MEM window: fde00000-fdefffff

Nov 18 13:32:11 localhost PREFETCH window: fdf00000-fdffffff

Nov 18 13:32:11 localhost PCI: Bridge: 0000:00:0b.0

Nov 18 13:32:11 localhost IO window: 9000-9fff

Nov 18 13:32:11 localhost MEM window: fdd00000-fddfffff

Nov 18 13:32:11 localhost PREFETCH window: fdc00000-fdcfffff

Nov 18 13:32:11 localhost PCI: Bridge: 0000:00:0c.0

Nov 18 13:32:11 localhost IO window: 8000-8fff

Nov 18 13:32:11 localhost MEM window: fdb00000-fdbfffff

Nov 18 13:32:11 localhost PREFETCH window: fda00000-fdafffff

Nov 18 13:32:11 localhost PCI: Bridge: 0000:00:0d.0

Nov 18 13:32:11 localhost IO window: 7000-7fff

Nov 18 13:32:11 localhost MEM window: fd900000-fd9fffff

Nov 18 13:32:11 localhost PREFETCH window: fd800000-fd8fffff

Nov 18 13:32:11 localhost PCI: Bridge: 0000:00:0e.0

Nov 18 13:32:11 localhost IO window: 6000-6fff

Nov 18 13:32:11 localhost MEM window: fa000000-fcffffff

Nov 18 13:32:11 localhost PREFETCH window: d0000000-dfffffff

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:09.0 to 64

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0b.0 to 64

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0c.0 to 64

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0d.0 to 64

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0e.0 to 64

Nov 18 13:32:11 localhost NET: Registered protocol family 2

Nov 18 13:32:11 localhost IP route cache hash table entries: 32768 (order: 6, 262144 bytes)

Nov 18 13:32:11 localhost TCP established hash table entries: 131072 (order: 8, 1048576 bytes)

Nov 18 13:32:11 localhost TCP bind hash table entries: 65536 (order: 7, 524288 bytes)

Nov 18 13:32:11 localhost TCP: Hash tables configured (established 131072 bind 65536)

Nov 18 13:32:11 localhost TCP reno registered

Nov 18 13:32:11 localhost IA32 emulation $Id: sys_ia32.c,v 1.32 2002/03/24 13:02:28 ak Exp $

Nov 18 13:32:11 localhost Total HugeTLB memory allocated, 0

Nov 18 13:32:11 localhost Installing knfsd (copyright (C) 1996 okir@monad.swb.de).

Nov 18 13:32:11 localhost io scheduler noop registered

Nov 18 13:32:11 localhost io scheduler deadline registered

Nov 18 13:32:11 localhost io scheduler cfq registered (default)

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0b.0 to 64

Nov 18 13:32:11 localhost pcie_portdrv_probe->Dev[005d:10de] has invalid IRQ. Check vendor BIOS

Nov 18 13:32:11 localhost assign_interrupt_mode Found MSI capability

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0b.0:pcie00]

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0b.0:pcie03]

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0c.0 to 64

Nov 18 13:32:11 localhost pcie_portdrv_probe->Dev[005d:10de] has invalid IRQ. Check vendor BIOS

Nov 18 13:32:11 localhost assign_interrupt_mode Found MSI capability

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0c.0:pcie00]

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0c.0:pcie03]

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0d.0 to 64

Nov 18 13:32:11 localhost pcie_portdrv_probe->Dev[005d:10de] has invalid IRQ. Check vendor BIOS

Nov 18 13:32:11 localhost assign_interrupt_mode Found MSI capability

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0d.0:pcie00]

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0d.0:pcie03]

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0e.0 to 64

Nov 18 13:32:11 localhost pcie_portdrv_probe->Dev[005d:10de] has invalid IRQ. Check vendor BIOS

Nov 18 13:32:11 localhost assign_interrupt_mode Found MSI capability

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0e.0:pcie00]

Nov 18 13:32:11 localhost Allocate Port Service[0000:00:0e.0:pcie03]

Nov 18 13:32:11 localhost Real Time Clock Driver v1.12ac

Nov 18 13:32:11 localhost Software Watchdog Timer: 0.07 initialized. soft_noboot=0 soft_margin=60 sec (nowayout= 0)

Nov 18 13:32:11 localhost Linux agpgart interface v0.101 (c) Dave Jones

Nov 18 13:32:11 localhost ACPI: Power Button (FF) [PWRF]

Nov 18 13:32:11 localhost ACPI: Power Button (CM) [PWRB]

Nov 18 13:32:11 localhost ACPI: Fan [FAN] (on)

Nov 18 13:32:11 localhost ACPI: Thermal Zone [THRM] (22 C)

Nov 18 13:32:11 localhost Serial: 8250/16550 driver $Revision: 1.90 $ 4 ports, IRQ sharing disabled

Nov 18 13:32:11 localhost serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A

Nov 18 13:32:11 localhost serio: i8042 AUX port at 0x60,0x64 irq 12

Nov 18 13:32:11 localhost serio: i8042 KBD port at 0x60,0x64 irq 1

Nov 18 13:32:11 localhost mice: PS/2 mouse device common for all mice

Nov 18 13:32:11 localhost FDC 0 is a post-1991 82077

Nov 18 13:32:11 localhost RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize

Nov 18 13:32:11 localhost loop: loaded (max 8 devices)

Nov 18 13:32:11 localhost Intel(R) PRO/1000 Network Driver - version 7.1.9-k4

Nov 18 13:32:11 localhost Copyright (c) 1999-2006 Intel Corporation.

Nov 18 13:32:11 localhost e100: Intel(R) PRO/100 Network Driver, 3.5.10-k2-NAPI

Nov 18 13:32:11 localhost e100: Copyright(c) 1999-2005 Intel Corporation

Nov 18 13:32:11 localhost forcedeth.c: Reverse Engineered nForce ethernet driver. Version 0.54.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCH] enabled at IRQ 23

Nov 18 13:32:11 localhost GSI 16 sharing vector 0xD9 and IRQ 16

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:00:0a.0[A] -> Link [APCH] -> GSI 23 (level, low) -> IRQ 217

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:0a.0 to 64

Nov 18 13:32:11 localhost forcedeth: using HIGHDMA

Nov 18 13:32:11 localhost eth0: forcedeth.c: subsystem: 01462:7125 bound to 0000:00:0a.0

Nov 18 13:32:11 localhost tun: Universal TUN/TAP device driver, 1.6

Nov 18 13:32:11 localhost tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>

Nov 18 13:32:11 localhost netconsole: not configured, aborting

Nov 18 13:32:11 localhost Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2

Nov 18 13:32:11 localhost ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx

Nov 18 13:32:11 localhost NFORCE-CK804: IDE controller at PCI slot 0000:00:06.0

Nov 18 13:32:11 localhost NFORCE-CK804: chipset revision 242

Nov 18 13:32:11 localhost NFORCE-CK804: not 100% native mode: will probe irqs later

Nov 18 13:32:11 localhost NFORCE-CK804: 0000:00:06.0 (rev f2) UDMA133 controller

Nov 18 13:32:11 localhost ide0: BM-DMA at 0xe000-0xe007, BIOS settings: hda:DMA, hdb:DMA

Nov 18 13:32:11 localhost ide1: BM-DMA at 0xe008-0xe00f, BIOS settings: hdc:DMA, hdd:DMA

Nov 18 13:32:11 localhost Probing IDE interface ide0...

Nov 18 13:32:11 localhost Probing IDE interface ide1...

Nov 18 13:32:11 localhost hdc: HL-DT-STDVDRRW GWA-4164B, ATAPI CD/DVD-ROM drive

Nov 18 13:32:11 localhost ide1 at 0x170-0x177,0x376 on irq 15

Nov 18 13:32:11 localhost Probing IDE interface ide0...

Nov 18 13:32:11 localhost hdc: ATAPI 40X DVD-ROM DVD-R CD-R/RW drive, 2048kB Cache, UDMA(33)

Nov 18 13:32:11 localhost Uniform CD-ROM driver Revision: 3.20

Nov 18 13:32:11 localhost megaraid cmm: 2.20.2.6 (Release Date: Mon Mar 7 00:01:03 EST 2005)

Nov 18 13:32:11 localhost megaraid: 2.20.4.8 (Release Date: Mon Apr 11 12:27:22 EST 2006)

Nov 18 13:32:11 localhost megasas: 00.00.02.04 Fri Feb 03 14:31:44 PST 2006

Nov 18 13:32:11 localhost libata version 1.20 loaded.

Nov 18 13:32:11 localhost sata_nv 0000:00:07.0: version 0.8

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APSI] enabled at IRQ 22

Nov 18 13:32:11 localhost GSI 17 sharing vector 0xE1 and IRQ 17

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:00:07.0[A] -> Link [APSI] -> GSI 22 (level, low) -> IRQ 225

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:07.0 to 64

Nov 18 13:32:11 localhost ata1: SATA max UDMA/133 cmd 0x9F0 ctl 0xBF2 bmdma 0xCC00 irq 225

Nov 18 13:32:11 localhost ata2: SATA max UDMA/133 cmd 0x970 ctl 0xB72 bmdma 0xCC08 irq 225

Nov 18 13:32:11 localhost ata1: SATA link up 3.0 Gbps (SStatus 123)

Nov 18 13:32:11 localhost ata1: dev 0 cfg 49:2f00 82:746b 83:7f01 84:4023 85:7469 86:3c01 87:4023 88:40ff

Nov 18 13:32:11 localhost ata1: dev 0 ATA-7, max UDMA7, 488397168 sectors: LBA48

Nov 18 13:32:11 localhost nv_sata: Primary device added

Nov 18 13:32:11 localhost nv_sata: Primary device removed

Nov 18 13:32:11 localhost nv_sata: Secondary device added

Nov 18 13:32:11 localhost nv_sata: Secondary device removed

Nov 18 13:32:11 localhost ata1: dev 0 configured for UDMA/133

Nov 18 13:32:11 localhost scsi0 : sata_nv

Nov 18 13:32:11 localhost ata2: SATA link down (SStatus 0)

Nov 18 13:32:11 localhost scsi1 : sata_nv

Nov 18 13:32:11 localhost Vendor: ATA       Model: SAMSUNG SP2504C   Rev: VT10

Nov 18 13:32:11 localhost Type:   Direct-Access                      ANSI SCSI revision: 05

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APSJ] enabled at IRQ 21

Nov 18 13:32:11 localhost GSI 18 sharing vector 0xE9 and IRQ 18

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:00:08.0[A] -> Link [APSJ] -> GSI 21 (level, low) -> IRQ 233

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:08.0 to 64

Nov 18 13:32:11 localhost ata3: SATA max UDMA/133 cmd 0x9E0 ctl 0xBE2 bmdma 0xB800 irq 233

Nov 18 13:32:11 localhost ata4: SATA max UDMA/133 cmd 0x960 ctl 0xB62 bmdma 0xB808 irq 233

Nov 18 13:32:11 localhost ata3: SATA link down (SStatus 0)

Nov 18 13:32:11 localhost scsi2 : sata_nv

Nov 18 13:32:11 localhost ata4: SATA link down (SStatus 0)

Nov 18 13:32:11 localhost scsi3 : sata_nv

Nov 18 13:32:11 localhost SCSI device sda: 488397168 512-byte hdwr sectors (250059 MB)

Nov 18 13:32:11 localhost sda: Write Protect is off

Nov 18 13:32:11 localhost sda: Mode Sense: 00 3a 00 00

Nov 18 13:32:11 localhost SCSI device sda: drive cache: write back

Nov 18 13:32:11 localhost SCSI device sda: 488397168 512-byte hdwr sectors (250059 MB)

Nov 18 13:32:11 localhost sda: Write Protect is off

Nov 18 13:32:11 localhost sda: Mode Sense: 00 3a 00 00

Nov 18 13:32:11 localhost SCSI device sda: drive cache: write back

Nov 18 13:32:11 localhost sda: sda1 < sda5 sda6 sda7 > sda2 sda3

Nov 18 13:32:11 localhost sd 0:0:0:0: Attached scsi disk sda

Nov 18 13:32:11 localhost Fusion MPT base driver 3.03.09

Nov 18 13:32:11 localhost Copyright (c) 1999-2005 LSI Logic Corporation

Nov 18 13:32:11 localhost Fusion MPT SPI Host driver 3.03.09

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APC4] enabled at IRQ 19

Nov 18 13:32:11 localhost GSI 19 sharing vector 0x32 and IRQ 19

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:01:0c.0[A] -> Link [APC4] -> GSI 19 (level, low) -> IRQ 50

Nov 18 13:32:11 localhost PCI: VIA IRQ fixup for 0000:01:0c.0, from 5 to 2

Nov 18 13:32:11 localhost ohci1394: fw-host0: OHCI-1394 1.0 (PCI): IRQ=[50]  MMIO=[fdeff000-fdeff7ff]  Max Packet=[2048]  IR/IT contexts=[4/8]

Nov 18 13:32:11 localhost ieee1394: raw1394: /dev/raw1394 device initialized

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCL] enabled at IRQ 20

Nov 18 13:32:11 localhost GSI 20 sharing vector 0x3A and IRQ 20

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:00:02.1[B] -> Link [APCL] -> GSI 20 (level, low) -> IRQ 58

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:02.1 to 64

Nov 18 13:32:11 localhost ehci_hcd 0000:00:02.1: EHCI Host Controller

Nov 18 13:32:11 localhost ehci_hcd 0000:00:02.1: new USB bus registered, assigned bus number 1

Nov 18 13:32:11 localhost ehci_hcd 0000:00:02.1: debug port 1

Nov 18 13:32:11 localhost PCI: cache line size of 64 is not supported by device 0000:00:02.1

Nov 18 13:32:11 localhost ehci_hcd 0000:00:02.1: irq 58, io mem 0xfeb00000

Nov 18 13:32:11 localhost ehci_hcd 0000:00:02.1: USB 2.0 started, EHCI 1.00, driver 10 Dec 2004

Nov 18 13:32:11 localhost usb usb1: configuration #1 chosen from 1 choice

Nov 18 13:32:11 localhost hub 1-0:1.0: USB hub found

Nov 18 13:32:11 localhost hub 1-0:1.0: 10 ports detected

Nov 18 13:32:11 localhost ohci_hcd: 2005 April 22 USB 1.1 'Open' Host Controller (OHCI) Driver (PCI)

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCF] enabled at IRQ 23

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:00:02.0[A] -> Link [APCF] -> GSI 23 (level, low) -> IRQ 217

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:02.0 to 64

Nov 18 13:32:11 localhost ohci_hcd 0000:00:02.0: OHCI Host Controller

Nov 18 13:32:11 localhost ohci_hcd 0000:00:02.0: new USB bus registered, assigned bus number 2

Nov 18 13:32:11 localhost ohci_hcd 0000:00:02.0: irq 217, io mem 0xfe02f000

Nov 18 13:32:11 localhost usb usb2: configuration #1 chosen from 1 choice

Nov 18 13:32:11 localhost hub 2-0:1.0: USB hub found

Nov 18 13:32:11 localhost hub 2-0:1.0: 10 ports detected

Nov 18 13:32:11 localhost USB Universal Host Controller Interface driver v3.0

Nov 18 13:32:11 localhost Initializing USB Mass Storage driver...

Nov 18 13:32:11 localhost usb 1-3: new high speed USB device using ehci_hcd and address 3

Nov 18 13:32:11 localhost ieee1394: Host added: ID:BUS[0-00:1023]  GUID[0010dc0000cc4fa5]

Nov 18 13:32:11 localhost hub 1-0:1.0: Cannot enable port 3.  Maybe the USB cable is bad?

Nov 18 13:32:11 localhost hub 1-0:1.0: Cannot enable port 3.  Maybe the USB cable is bad?

Nov 18 13:32:11 localhost usb 1-3: new high speed USB device using ehci_hcd and address 5

Nov 18 13:32:11 localhost usb 1-3: device not accepting address 5, error -71

Nov 18 13:32:11 localhost usb 1-3: new high speed USB device using ehci_hcd and address 6

Nov 18 13:32:11 localhost usb 1-3: device not accepting address 6, error -71

Nov 18 13:32:11 localhost usb 2-2: new low speed USB device using ohci_hcd and address 2

Nov 18 13:32:11 localhost usb 2-2: configuration #1 chosen from 1 choice

Nov 18 13:32:11 localhost usb 2-9: new low speed USB device using ohci_hcd and address 3

Nov 18 13:32:11 localhost usb 2-9: configuration #1 chosen from 1 choice

Nov 18 13:32:11 localhost usbcore: registered new driver usb-storage

Nov 18 13:32:11 localhost USB Mass Storage support registered.

Nov 18 13:32:11 localhost input: G-Tech CHINA    USB Wireless Mouse & KeyBoard V1.01   as /class/input/input0

Nov 18 13:32:11 localhost input: USB HID v1.00 Keyboard [G-Tech CHINA    USB Wireless Mouse & KeyBoard V1.01  ] on usb-0000:00:02.0-2

Nov 18 13:32:11 localhost input: G-Tech CHINA    USB Wireless Mouse & KeyBoard V1.01   as /class/input/input1

Nov 18 13:32:11 localhost input: USB HID v1.00 Mouse [G-Tech CHINA    USB Wireless Mouse & KeyBoard V1.01  ] on usb-0000:00:02.0-2

Nov 18 13:32:11 localhost input: Microsoft Microsoft IntelliMouse® Optical as /class/input/input2

Nov 18 13:32:11 localhost input: USB HID v1.00 Mouse [Microsoft Microsoft IntelliMouse® Optical] on usb-0000:00:02.0-9

Nov 18 13:32:11 localhost usbcore: registered new driver usbhid

Nov 18 13:32:11 localhost drivers/usb/input/hid-core.c: v2.6:USB HID core driver

Nov 18 13:32:11 localhost device-mapper: 4.6.0-ioctl (2006-02-17) initialised: dm-devel@redhat.com

Nov 18 13:32:11 localhost Intel 810 + AC97 Audio, version 1.01, 23:24:46 Nov 17 2006

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APCJ] enabled at IRQ 22

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:00:04.0[A] -> Link [APCJ] -> GSI 22 (level, low) -> IRQ 225

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:00:04.0 to 64

Nov 18 13:32:11 localhost i810: NVIDIA nForce Audio found at IO 0xec00 and 0xf000, MEM 0x0000 and 0x0000, IRQ 225

Nov 18 13:32:11 localhost i810_audio: Audio Controller supports 6 channels.

Nov 18 13:32:11 localhost i810_audio: Defaulting to base 2 channel mode.

Nov 18 13:32:11 localhost i810_audio: Resetting connection 0

Nov 18 13:32:11 localhost ac97_codec: AC97  codec, id: ALG144 (Unknown)

Nov 18 13:32:11 localhost i810_audio: only 48Khz playback available.

Nov 18 13:32:11 localhost i810_audio: AC'97 codec 0 Unable to map surround DAC's (or DAC's not present), total channels = 2

Nov 18 13:32:11 localhost oprofile: using NMI interrupt.

Nov 18 13:32:11 localhost ip_conntrack version 2.4 (4095 buckets, 32760 max) - 280 bytes per conntrack

Nov 18 13:32:11 localhost TCP bic registered

Nov 18 13:32:11 localhost NET: Registered protocol family 1

Nov 18 13:32:11 localhost NET: Registered protocol family 10

Nov 18 13:32:11 localhost IPv6 over IPv4 tunneling driver

Nov 18 13:32:11 localhost NET: Registered protocol family 17

Nov 18 13:32:11 localhost powernow-k8: Found 1 AMD Athlon 64 / Opteron processors (version 1.60.2)

Nov 18 13:32:11 localhost powernow-k8:    0 : fid 0xe (2200 MHz), vid 0x6 (1400 mV)

Nov 18 13:32:11 localhost powernow-k8:    1 : fid 0xc (2000 MHz), vid 0x8 (1350 mV)

Nov 18 13:32:11 localhost powernow-k8:    2 : fid 0xa (1800 MHz), vid 0xa (1300 mV)

Nov 18 13:32:11 localhost powernow-k8:    3 : fid 0x2 (1000 MHz), vid 0x12 (1100 mV)

Nov 18 13:32:11 localhost cpu_init done, current fid 0xe, vid 0x6

Nov 18 13:32:11 localhost ACPI wakeup devices: 

Nov 18 13:32:11 localhost HUB0 XVR0 XVR1 XVR2 XVR3 USB0 USB2 MMAC MMCI UAR1 

Nov 18 13:32:11 localhost ACPI: (supports S0 S3 S4 S5)

Nov 18 13:32:11 localhost VFS: Mounted root (ext2 filesystem) readonly.

Nov 18 13:32:11 localhost Freeing unused kernel memory: 188k freed

Nov 18 13:32:11 localhost nvidia: module license 'NVIDIA' taints kernel.

Nov 18 13:32:11 localhost ACPI: PCI Interrupt Link [APC3] enabled at IRQ 18

Nov 18 13:32:11 localhost GSI 21 sharing vector 0x42 and IRQ 21

Nov 18 13:32:11 localhost ACPI: PCI Interrupt 0000:05:00.0[A] -> Link [APC3] -> GSI 18 (level, low) -> IRQ 66

Nov 18 13:32:11 localhost PCI: Setting latency timer of device 0000:05:00.0 to 64

Nov 18 13:32:11 localhost NVRM: loading NVIDIA Linux x86_64 Kernel Module  1.0-9629  Wed Nov  1 19:27:33 PST 2006

Nov 18 13:32:11 localhost ip_tables: (C) 2000-2006 Netfilter Core Team

Nov 18 13:32:11 localhost Adding 506008k swap on /dev/sda6.  Priority:-1 extents:1 across:506008k

Nov 18 13:32:18 localhost cron[6087]: (CRON) STARTUP (V5.0)

Nov 18 13:32:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9846 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:32:22 localhost eth0: no IPv6 routers present

Nov 18 13:32:26 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=24.87.27.75 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=17678 PROTO=TCP SPT=1379 DPT=54070 WINDOW=0 RES=0x00 RST URGP=0 

Nov 18 13:32:29 localhost kdm: :0[5665]: pam_unix(kde:session): session opened for user sim by (uid=0)

Nov 18 13:32:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9847 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:32:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9848 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:33:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9849 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:33:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9850 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:33:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9851 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:33:35 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.237.132.209 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=60778 DF PROTO=TCP SPT=3059 DPT=54070 WINDOW=64240 RES=0x00 SYN URGP=0 

Nov 18 13:33:38 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.237.132.209 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=60875 DF PROTO=TCP SPT=3059 DPT=54070 WINDOW=64240 RES=0x00 SYN URGP=0 

Nov 18 13:33:44 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.237.132.209 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=61094 DF PROTO=TCP SPT=3059 DPT=54070 WINDOW=64240 RES=0x00 SYN URGP=0 

Nov 18 13:33:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9852 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:34:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9853 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:34:19 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.237.132.209 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=63117 DF PROTO=TCP SPT=3167 DPT=54070 WINDOW=64240 RES=0x00 SYN URGP=0 

Nov 18 13:34:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9854 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:34:22 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.237.132.209 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=63194 DF PROTO=TCP SPT=3167 DPT=54070 WINDOW=64240 RES=0x00 SYN URGP=0 

Nov 18 13:34:27 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.237.132.209 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=63402 DF PROTO=TCP SPT=3167 DPT=54070 WINDOW=64240 RES=0x00 SYN URGP=0 

Nov 18 13:34:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9855 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:34:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9856 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:35:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9857 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:35:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9858 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:35:33 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=201.51.107.72 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=43113 DF PROTO=TCP SPT=2261 DPT=54070 WINDOW=64512 RES=0x00 SYN URGP=0 

Nov 18 13:35:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9859 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:35:36 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=201.51.107.72 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=43184 DF PROTO=TCP SPT=2261 DPT=54070 WINDOW=64512 RES=0x00 SYN URGP=0 

Nov 18 13:35:42 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=201.51.107.72 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=43332 DF PROTO=TCP SPT=2261 DPT=54070 WINDOW=64512 RES=0x00 SYN URGP=0 

Nov 18 13:35:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9860 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:36:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9861 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:36:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9862 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:36:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9863 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:36:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9864 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:37:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9865 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:37:13 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=195.0.171.138 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50774 DF PROTO=TCP SPT=33469 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:37:16 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=195.0.171.138 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=50864 DF PROTO=TCP SPT=33469 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:37:19 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=213.213.139.178 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=7083 DF PROTO=TCP SPT=49174 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:37:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9866 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:37:21 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=213.213.139.178 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=7139 DF PROTO=TCP SPT=49174 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:37:22 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=195.0.171.138 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=51066 DF PROTO=TCP SPT=33469 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:37:27 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=213.213.139.178 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=107 ID=7272 DF PROTO=TCP SPT=49174 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:37:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9867 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:37:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9868 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:38:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9869 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:38:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9870 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:38:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9871 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:38:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9872 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:39:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9873 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:39:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9874 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:39:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9875 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:39:38 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=195.0.171.138 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=55449 DF PROTO=TCP SPT=32792 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:39:41 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=195.0.171.138 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=55543 DF PROTO=TCP SPT=32792 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:39:47 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=195.0.171.138 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=55728 DF PROTO=TCP SPT=32792 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:39:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9876 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:39:59 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=154.20.50.177 DST=192.168.0.99 LEN=70 TOS=0x00 PREC=0x00 TTL=109 ID=6079 PROTO=UDP SPT=60032 DPT=54070 LEN=50 

Nov 18 13:40:01 localhost cron[6305]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 13:40:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9877 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:40:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9878 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:40:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9879 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:40:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9880 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:41:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9881 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:41:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9882 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:41:31 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=41.223.244.245 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=20388 DF PROTO=TCP SPT=2172 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:41:34 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=41.223.244.245 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=20505 DF PROTO=TCP SPT=2172 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:41:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9883 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:41:40 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=41.223.244.245 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=20716 DF PROTO=TCP SPT=2172 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:41:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9884 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:42:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9885 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:42:10 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=201.51.107.72 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=52930 DF PROTO=TCP SPT=2558 DPT=54070 WINDOW=64512 RES=0x00 SYN URGP=0 

Nov 18 13:42:13 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=201.51.107.72 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=53002 DF PROTO=TCP SPT=2558 DPT=54070 WINDOW=64512 RES=0x00 SYN URGP=0 

Nov 18 13:42:19 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=201.51.107.72 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=53149 DF PROTO=TCP SPT=2558 DPT=54070 WINDOW=64512 RES=0x00 SYN URGP=0 

Nov 18 13:42:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9886 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:42:28 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=85.24.219.213 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=41340 DF PROTO=TCP SPT=4629 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:42:31 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=85.24.219.213 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=42058 DF PROTO=TCP SPT=4629 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:42:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9887 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:42:37 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=85.24.219.213 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=43560 DF PROTO=TCP SPT=4629 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:42:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9888 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:43:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9889 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:43:14 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=24.87.27.75 DST=192.168.0.99 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=1222 PROTO=TCP SPT=1648 DPT=54070 WINDOW=0 RES=0x00 RST URGP=0 

Nov 18 13:43:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9890 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:43:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9891 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:43:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9892 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:44:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9893 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:44:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9894 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:44:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9895 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:44:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9896 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:44:53 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.72.156.147 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=50214 DF PROTO=TCP SPT=6881 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:44:56 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.72.156.147 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=50463 DF PROTO=TCP SPT=6881 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:45:02 localhost KMF: IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=82.72.156.147 DST=192.168.0.99 LEN=48 TOS=0x00 PREC=0x00 TTL=117 ID=51032 DF PROTO=TCP SPT=6881 DPT=54070 WINDOW=65535 RES=0x00 SYN URGP=0 

Nov 18 13:45:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9897 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:45:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9898 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:45:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9899 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:45:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9900 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:46:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9901 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:46:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9902 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:46:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9903 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:46:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9904 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:47:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9905 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:47:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9906 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:47:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9907 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:47:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9908 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:48:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9909 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:48:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9910 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:48:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9911 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:48:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9912 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:49:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9913 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:49:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9914 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:49:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9915 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:49:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9916 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

```

----------

## Snappi

```
Nov 18 13:50:01 localhost cron[6582]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 13:50:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9917 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:50:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9918 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:50:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9919 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:50:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9920 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:51:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9921 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:51:19 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9922 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:51:34 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9923 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:51:49 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9924 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:52:04 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9925 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:52:20 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9926 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:52:35 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9927 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:52:50 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9928 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:53:05 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9929 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:53:20 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9930 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:53:35 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9931 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:53:50 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9932 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:54:05 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9933 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:54:20 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9934 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:54:35 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9935 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:54:50 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9936 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:55:05 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9937 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:55:20 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9938 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:55:35 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9939 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:55:47 localhost su[6598]: Successful su for root by sim

Nov 18 13:55:47 localhost su[6598]: + pts/2 sim:root

Nov 18 13:55:47 localhost su[6598]: pam_unix(su:session): session opened for user root by (uid=1000)

Nov 18 13:55:50 localhost KMF: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:c0:71:36:86:5d:bd:08:00 SRC=192.168.0.63 DST=192.168.0.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=9940 PROTO=UDP SPT=7335 DPT=7335 LEN=16 

Nov 18 13:55:54 localhost (root-6606): starting (version 2.14.0), pid 6606 user 'root'

Nov 18 13:55:54 localhost (root-6606): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0

Nov 18 13:55:54 localhost (root-6606): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1

Nov 18 13:55:54 localhost (root-6606): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2

Nov 18 13:56:44 localhost (sim-6824): starting (version 2.14.0), pid 6824 user 'sim'

Nov 18 13:56:44 localhost (sim-6824): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0

Nov 18 13:56:44 localhost (sim-6824): Resolved address "xml:readwrite:/home/sim/.gconf" to a writable configuration source at position 1

Nov 18 13:56:44 localhost (sim-6824): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2

Nov 18 14:00:01 localhost cron[7084]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 14:00:01 localhost cron[7086]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)

Nov 18 14:02:48 localhost su[7109]: Successful su for root by sim

Nov 18 14:02:48 localhost su[7109]: + pts/1 sim:root

Nov 18 14:02:48 localhost su[7109]: pam_unix(su:session): session opened for user root by (uid=1000)

Nov 18 14:10:01 localhost cron[7152]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 14:13:07 localhost eth0: link down.

Nov 18 14:14:17 localhost eth0: link up.

Nov 18 14:16:27 localhost eth0: link down.

Nov 18 14:20:01 localhost cron[8246]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 14:24:34 localhost eth0: link up.

Nov 18 14:30:01 localhost cron[8291]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 14:40:01 localhost cron[8314]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 14:50:01 localhost cron[8356]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 14:52:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:52:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:52:41 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.67.250 LEN=197 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=32876 DPT=16680 LEN=177 

Nov 18 14:52:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:52:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:52:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:52:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:53:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:53:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:53:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:53:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:53:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:53:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:53:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:54:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:54:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:54:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:54:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:54:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:54:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:54:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:55:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:55:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:55:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:55:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:55:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:55:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:55:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:56:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:56:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:56:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:56:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:56:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:56:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:56:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:57:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:57:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:57:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:57:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:57:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:57:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:57:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:58:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:58:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:58:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:58:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:58:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:58:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:58:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:59:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 14:59:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 14:59:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 14:59:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 14:59:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 14:59:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 14:59:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 15:00:01 localhost cron[8586]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )

Nov 18 15:00:01 localhost cron[8588]: (root) CMD (rm -f /var/spool/cron/lastrun/cron.hourly)

Nov 18 15:00:40 localhost Inbound IN=eth0 OUT= MAC= SRC=192.168.0.99 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 

Nov 18 15:00:40 localhost Inbound IN=eth0 OUT= MAC=00:13:d3:a4:b5:f7:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=192.168.0.99 LEN=295 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1900 DPT=8008 LEN=275 

Nov 18 15:00:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=304 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=284 

Nov 18 15:00:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 

Nov 18 15:00:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=376 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=356 

Nov 18 15:00:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=368 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=348 

Nov 18 15:00:41 localhost Inbound IN=eth0 OUT= MAC=01:00:5e:7f:ff:fa:00:14:bf:b2:2d:be:08:00 SRC=192.168.0.1 DST=239.255.255.250 LEN=299 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=1900 DPT=1900 LEN=279 
```

----------

## Snappi

users

```
sim
```

which seems fine

last

```
sim      :0                            Sat Nov 18 13:32   still logged in

reboot   system boot  2.6.17-gentoo-r8 Sat Nov 18 13:32          (08:42)

sim      :0                            Sat Nov 18 11:11 - 11:12  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Sat Nov 18 11:11          (00:01)

sim      :0                            Sat Nov 18 02:44 - 02:45  (00:01)

sim      :0                            Sat Nov 18 01:29 - 02:44  (01:14)

sim      :0                            Fri Nov 17 23:32 - 01:29  (01:57)

reboot   system boot  2.6.17-gentoo-r8 Fri Nov 17 23:31          (03:13)

sim      :0                            Fri Nov 17 21:24 - 23:31  (02:07)

reboot   system boot  2.6.17-gentoo-r8 Fri Nov 17 21:23          (02:07)

root     tty2                          Fri Nov 17 18:28 - down   (02:55)

root     tty2                          Fri Nov 17 18:28 - 18:28  (00:00)

root     tty1                          Fri Nov 17 18:18 - 18:34  (00:15)

root     tty1                          Fri Nov 17 18:18 - 18:18  (00:00)

sim      :0                            Fri Nov 17 18:16 - 18:18  (00:01)

reboot   system boot  2.6.17-gentoo-r8 Fri Nov 17 18:16          (03:06)

sim      :0                            Thu Nov 16 19:55 - 01:18  (05:23)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov 16 19:54          (05:24)

root     pts/1        :0.0             Thu Nov 16 19:53 - 19:53  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:53 - 19:53  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:53 - 19:53  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:53 - 19:53  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:53 - 19:53  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:53 - 19:53  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:49 - 19:49  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:49 - 19:49  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:49 - 19:49  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:48 - 19:48  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:48 - 19:48  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:48 - 19:48  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:47 - 19:47  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:46 - 19:46  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:46 - 19:46  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:46 - 19:46  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:44 - 19:44  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:44 - 19:44  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:44 - 19:44  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:44 - 19:44  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:42 - 19:42  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:42 - 19:42  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:42 - 19:42  (00:00)

root     pts/2        :0.0             Thu Nov 16 19:40 - 19:40  (00:00)

root     pts/0        :0.0             Thu Nov 16 19:40 - 19:40  (00:00)

root     pts/1        :0.0             Thu Nov 16 19:40 - 19:40  (00:00)

root     tty2                          Thu Nov 16 19:39 - down   (00:14)

root     tty2                          Thu Nov 16 19:39 - 19:39  (00:00)

root     tty1                          Thu Nov 16 19:39 - down   (00:14)

root     tty1                          Thu Nov 16 19:39 - 19:39  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov 16 19:39          (00:14)

root     tty1                          Thu Nov 16 19:38 - down   (00:00)

root     tty1                          Thu Nov 16 19:38 - 19:38  (00:00)

sim      :0                            Thu Nov 16 17:08 - 19:37  (02:29)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov 16 17:07          (02:30)

sim      :0                            Tue Nov 14 23:31 - 15:51  (16:20)

reboot   system boot  2.6.17-gentoo-r8 Tue Nov 14 23:30          (16:20)

sim      :0                            Mon Nov 13 18:44 - 17:41  (22:57)

reboot   system boot  2.6.17-gentoo-r8 Mon Nov 13 18:42          (22:58)

sim      :0                            Mon Nov 13 00:57 - 02:52  (01:55)

reboot   system boot  2.6.17-gentoo-r8 Mon Nov 13 00:56          (01:56)

sim      tty3                          Sun Nov 12 22:15 - 22:19  (00:03)

sim      tty3                          Sun Nov 12 22:15 - 22:15  (00:00)

root     tty2                          Sun Nov 12 18:35 - 00:52  (06:17)

root     tty2                          Sun Nov 12 18:35 - 18:35  (00:00)

root     tty2                          Sun Nov 12 17:04 - 17:07  (00:02)

root     tty2                          Sun Nov 12 17:04 - 17:04  (00:00)

sim      tty2                          Sun Nov 12 17:02 - 17:04  (00:01)

sim      tty2                          Sun Nov 12 17:02 - 17:02  (00:00)

root     tty2                          Sun Nov 12 17:01 - 17:02  (00:01)

root     tty2                          Sun Nov 12 17:01 - 17:01  (00:00)

root     tty1                          Sun Nov 12 15:41 - down   (09:11)

root     tty1                          Sun Nov 12 15:41 - 15:41  (00:00)

sim      :0                            Thu Nov  9 02:05 - 15:40 (3+13:35)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov  9 02:04         (3+22:48)

sim      :0                            Thu Nov  9 01:43 - 02:04  (00:20)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov  9 01:43          (00:20)

sim      :0                            Thu Nov  9 00:30 - 01:42  (01:11)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov  9 00:29          (01:12)

root     tty1                          Thu Nov  9 00:22 - down   (00:06)

root     tty1                          Thu Nov  9 00:22 - 00:22  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov  9 00:22          (00:07)

root     tty1                          Thu Nov  9 01:04 - down   (00:16)

root     tty1                          Thu Nov  9 01:04 - 01:04  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Thu Nov  9 00:58          (00:23)

root     pts/1        :0.0             Wed Nov  8 20:35 - 20:40  (00:05)

root     pts/2        :0.0             Wed Nov  8 20:35 - 20:40  (00:05)

root     pts/0        :0.0             Wed Nov  8 20:35 - 20:40  (00:05)

root     pts/2        :0.0             Wed Nov  8 20:27 - 20:30  (00:03)

root     pts/1        :0.0             Wed Nov  8 20:27 - 20:30  (00:03)

root     pts/0        :0.0             Wed Nov  8 20:27 - 20:30  (00:03)

root     pts/2        :0.0             Wed Nov  8 20:03 - 20:04  (00:00)

root     pts/1        :0.0             Wed Nov  8 20:03 - 20:04  (00:00)

root     pts/0        :0.0             Wed Nov  8 20:03 - 20:04  (00:00)

root     tty2                          Wed Nov  8 20:00 - down   (01:16)

root     tty2                          Wed Nov  8 20:00 - 20:00  (00:00)

root     pts/2        :0.0             Wed Nov  8 19:53 - 19:53  (00:00)

root     pts/0        :0.0             Wed Nov  8 19:53 - 19:53  (00:00)

root     pts/1        :0.0             Wed Nov  8 19:53 - 19:53  (00:00)

root     tty1                          Wed Nov  8 19:41 - down   (01:35)

root     tty1                          Wed Nov  8 19:41 - 19:41  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Wed Nov  8 19:31          (01:44)

root     tty2                          Wed Nov  8 13:16 - down   (02:13)

root     tty2                          Wed Nov  8 13:16 - 13:16  (00:00)

root     pts/2        :0.0             Wed Nov  8 13:14 - 13:24  (00:09)

root     pts/0        :0.0             Wed Nov  8 13:14 - 13:24  (00:09)

root     pts/1        :0.0             Wed Nov  8 13:14 - 13:24  (00:09)

root     tty1                          Wed Nov  8 12:49 - down   (02:40)

root     tty1                          Wed Nov  8 12:49 - 12:49  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Wed Nov  8 12:35          (02:54)

root     tty2                          Wed Nov  8 04:24 - down   (00:40)

root     tty2                          Wed Nov  8 04:24 - 04:24  (00:00)

root     tty1                          Wed Nov  8 04:20 - down   (00:44)

root     tty1                          Wed Nov  8 04:20 - 04:20  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Wed Nov  8 04:20          (00:44)

root     tty2                          Wed Nov  8 03:19 - down   (00:00)

root     tty2                          Wed Nov  8 03:19 - 03:19  (00:00)

root     tty1                          Wed Nov  8 01:23 - down   (01:56)

root     tty1                          Wed Nov  8 01:23 - 01:23  (00:00)

reboot   system boot  2.6.17-gentoo-r8 Wed Nov  8 01:22          (01:56)

wtmp begins Wed Nov  8 01:22:57 2006

```

only user I have created is sim

netstat -nlp

```
Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 ::ffff:127.0.0.1:6880   :::*                    LISTEN      8376/java

tcp        0      0 ::ffff:127.0.0.1:45100  :::*                    LISTEN      8376/java

tcp        0      0 :::54070                :::*                    LISTEN      8376/java

udp        0      0 :::16680                :::*                                8376/java

udp        0      0 :::54070                :::*                                8376/java

udp        0      0 ::ffff:192.168.0.9:8008 :::*                                8376/java

udp        0      0 :::1900                 :::*                                8376/java

udp        0      0 ::ffff:192.168.0.:32876 :::*                                8376/java

Active UNIX domain sockets (only servers)

Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path

unix  2      [ ACC ]     STREAM     LISTENING     75377  14138/gconfd-2      /tmp/orbit-sim/linc-373a-0-756ab4fc43457

unix  2      [ ACC ]     STREAM     LISTENING     75386  14133/firefox-bin   /tmp/orbit-sim/linc-3735-0-478cdaad4962f

unix  2      [ ACC ]     STREAM     LISTENING     11459  6232/dbus-daemon    @/tmp/dbus-9b76ybTl1t

unix  2      [ ACC ]     STREAM     LISTENING     10731  5664/X              /tmp/.X11-unix/X0

unix  2      [ ACC ]     STREAM     LISTENING     10102  5093/syslog-ng      /dev/log

unix  2      [ ACC ]     STREAM     LISTENING     10726  5661/kdm            /var/run/xdmctl/dmctl/socket

unix  2      [ ACC ]     STREAM     LISTENING     10735  5661/kdm            /var/run/xdmctl/dmctl-:0/socket

unix  2      [ ACC ]     STREAM     LISTENING     11497  6251/kdeinit Runnin /tmp/ksocket-sim/kdeinit__0

unix  2      [ ACC ]     STREAM     LISTENING     11499  6251/kdeinit Runnin /tmp/ksocket-sim/kdeinit-:0

unix  2      [ ACC ]     STREAM     LISTENING     11506  6254/dcopserver [kd /tmp/.ICE-unix/dcop6254-1163853150

unix  2      [ ACC ]     STREAM     LISTENING     11596  6265/ksmserver [kde /tmp/.ICE-unix/6265

unix  2      [ ACC ]     STREAM     LISTENING     11527  6256/klauncher [kde /tmp/ksocket-sim/klauncherizfGjc.slave-socket

unix  2      [ ACC ]     STREAM     LISTENING     12363  6606/gconfd-2       /tmp/orbit-root/linc-19ce-0-2a91f05cc0779

unix  2      [ ACC ]     STREAM     LISTENING     12369  6604/firestarter    /tmp/orbit-root/linc-19cc-0-2b61e47cce01a

```

/etc/passwd

```
root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/bin/false

daemon:x:2:2:daemon:/sbin:/bin/false

adm:x:3:4:adm:/var/adm:/bin/false

lp:x:4:7:lp:/var/spool/lpd:/bin/false

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/bin/false

news:x:9:13:news:/usr/lib/news:/bin/false

uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false

operator:x:11:0:operator:/root:/bin/bash

man:x:13:15:man:/usr/share/man:/bin/false

postmaster:x:14:12:postmaster:/var/spool/mail:/bin/false

smmsp:x:209:209:smmsp:/var/spool/mqueue:/bin/false

portage:x:250:250:portage:/var/tmp/portage:/bin/false

nobody:x:65534:65534:nobody:/:/bin/false

sshd:x:22:22:added by portage for openssh:/var/empty:/usr/sbin/nologin

cron:x:16:16:added by portage for cronbase:/var/spool/cron:/usr/sbin/nologin

sim:x:1000:1000::/home/sim:/bin/bash

messagebus:x:101:1001:added by portage for dbus:/dev/null:/usr/sbin/nologin

haldaemon:x:102:1002:added by portage for hal:/dev/null:/usr/sbin/nologin

```

"operator:x:11:0:operator:/root:/bin/bash" what is that???

w

```
22:28:45 up  8:56,  1 user,  load average: 0.03, 0.07, 0.05

USER     TTY        LOGIN@   IDLE   JCPU   PCPU WHAT

sim      :0        13:32   ?xdm?   3:41   0.00s /bin/sh /usr/kde/3.5/bin/startkde

```

he can write everywhere, like in the first post the 3 ttt is his. (firefox, kwrite, xterm,.....)

----------

## NeddySeagoon

Snappi

```
operator:x:11:0:operator:/root:/bin/bash
```

Operator is an account that can be logged into with the user name operator, but with membership of the root group (the GID field in the line above is 0).

It's intended to do some of the things that root can, but not everything, e.g. run backups.

If it has a password, the hash will be in /etc/shadow. DO NOT post that file here; it holds all your password hashes.

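Disable the account if you don't use it, e.g. lock its password with `passwd -l operator` and give it a non-login shell such as the /bin/false that the other system accounts in your /etc/passwd already use.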

There are a lot of root logins in last; can you account for them all?

You should never log in as root, log in as your normal user and use sudo for odd commands as root, or su if you need a longer root session.

----------

## Snappi

only time I use root is with "su -",  I suppose might be some more time, I am not sure if I can confirm these logins.

----------

## NeddySeagoon

Snappi,

Ask the question the other way round ...

Are there root logins on days you know you did not use root ?

I'm beginning to suspect this is a practical joke rather than a hack. Let's recap.

1. It happens in both Linux and Windows.

2. It happens when you are using your PC. Most hackers prefer to keep their existence unknown.

3. There is only sim and root in last

I suspect that someone close to you has been able to guess your passwd(s) because you choose a poor one or you wrote it down.

Change the root and sim passwds to strong passwds (mix of upper and lower case letters, with a few numbers and special symbols).

Do not write them down and don't tell anyone. That prevents users gaining access by 'social engineering'.

----------

## Snappi

no one I know knows my ip, and no one knows the pass. I am sure of that.

----------

## NeddySeagoon

Snappi,

Everyone you connect to on the internet knows your IP. If they didn't, they couldn't send you any replies.

Every Ethernet packet you send contains your IP. It doesn't matter - hackers often don't care about the target and work on guessed IPs.

You already have strong passwords of eight symbols or more?

Passwords based on your sports teams, pets names, keyboard patterns, or relatives names are particularly useless.

----------

## Snappi

yeah I know that, I meant my friends doesn't know my ip.

my root password contains more than 8 symbols. and it's a completly random password, it's not a word.

----------

## NeddySeagoon

Snappi,

Look in /root/.bash_history and /home/<user>/.bash_history.  They contain the last 300 or so commands executed by the user.

Anything odd ?

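e.g. commands you never use, or truncated files, indicating that someone has been trying to cover their tracks. A history that looks normal doesn't prove much on its own, since the file is writable by the account that owns it.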

----------

## Snappi

nothing there. I think this guy is good at what he do.

----------

## PaulBredbury

 *NeddySeagoon wrote:*   

> It happens in both Linux and Windows.

 

Sounds like both xorg and Windows are running a VNC server.

----------

## Snappi

how can I see if he runs a vnc server?

----------

## PaulBredbury

It's you who would be running the server.

ps ax shows the running processes. Command to try first:

```
ps ax | grep vnc
```

----------

## NeddySeagoon

Snappi,

You would know if you started a vncserver. That your hacker somehow got in, installed, configured and started VNC is unlikely.

He/she still needed to get in in the first place.

----------

## Snappi

I havn't installed vnc. and all my process seems fine. I meant how can I see if he runs some application that doesn't show up on ps??

still doesn't got a clue on how he got in

----------

## nielchiano

 *Snappi wrote:*   

> I meant how can I see if he runs some application that doesn't show up on ps??

You can't. If he gained root privileges he may have installed a rootkit that hides itself. From that point on, you can't trust your kernel anymore to give you correct information. So you can't trust ps to give correct information.

You could try the following (if you have the needed hardware): put your (hacked) computer in a hub, put the internet connection in that hub also.

Now put a 2nd computer in that same hub and sniff the traffic for unusual things. You won't know how he GOT in, but you'll know how he RE-enters.

PS: I said HUB, NOT switch.

----------

## madisonicus

Honestly there's not much you can do from a potentially compromised system to figure out what's wrong.  This is a fairly decent guide from the gentoo-wiki based off of CERT docs: http://gentoo-wiki.com/SECURITY_Intruder_Detection_Checklist .

However, as has been said, any cracker worth a darn will have eliminated any log traces, installed adulterated versions of some key commands, and hidden some goodies for later use on your system.  If you have intrusion detection software like aide, I hope you have a safe/secure copy of the database, otherwise there's no way to know with certainty exactly what's been hacked.

First thing I'd do is pull the comp off the internet.  (Do the messages keep coming when it's off the net?)  If you have a wireless modem, turn off the wireless.  I'd also use nmap or nessus from another comp to figure out what ports it has open.  A sniffer would be essential to figure out what data it's sending out (it has to be two way since you specified that this 'hacker' can see what you're writing and respond).

Then I'd try running some virus/rootkit-checking software from read-only, pure media (i.e., previously burnt cdrom of Helix or INSERT would be my choice).

At the end of the day, in order to be sure you have a safe setup, you'll want to backup whatever data you absolutely need, format your partition, and start all over.

The important question is what are you doing to leave yourself open to an attack.  Do you have strong passwords?  Have you followed the Gentoo Security Handbook?  Do you have unnecessary services enabled?  Are you fully patched?  Is your system behind a NAT/SPI firewall?  Who has physical access to your comp when you're not around?  Have you set up logcheck/logwatch to email you parses of your syslogs?  Do you have a properly configured IDS?

If you want to actually discover who is doing it, then you have a very long, technical road ahead of you.  If you want to keep them out, then it's best to start over and do it better next time.

GL,

m

----------

## 96140

 *madisonicus wrote:*   

> If you have a wireless modem, turn off the wireless.

 

I second all that, but I especially second this. If you're running a wireless network, you need to get it secured fast. Start by taking it down entirely until you can get other things a little more straightened out. Note that you can't really consider a wireless network as secure as a wired network, since even WPA/WPA2 can be cracked with a little patience.

----------

## nielchiano

 *nightmorph wrote:*   

> Note that you can't really consider a wireless network as secure as a wired network, since even WPA/WPA2 can be cracked with a little patience.

 

True, but WPA/WPA2 is usually good enough. The only attack I know of is a brute-force attack on the password. If you choose a password that is good, it'll take insanely long to crack that.

But it will never be the same as wired

----------

## Snappi

```
You could try the following (if you have the needed hardware): put your (hacked) computer in a hub, put the internet connection in that hub also.

Now put a 2nd computer in that same hub and sniff the traffic for unusual things. You won't know how he GOT in, but you'll know how he RE-enters. 
```

thx for the tip but I dont have the hardware

the messages don't keep coming when it's off the net and I have no wireless. My password is strong enough. I am behind a router and I have a firewall set up on the computer. it's only me who has access to the computer. I don't know about the IDS thing.

the thing is I think he randomly picked me when I hade windows running and when he noticed I've switch to gentoo he hacked that just to prove himself. thing is first time it happend I wiped everything out and changed all the passwords, but he keeps getting in, this is starting to make me frustrated.

----------

## eltech

How can you completely format and he ironically gets back into the system?

any friends use your computer when they come to your house?

have any friends that are pretty good computer users?

are you on a static or dynamic ip?

try a site like shields up to see what ports are open https://www.grc.com/x/ne.dll?bh0bkyd2

if your behind a router are all ports closed and not forwarded?

----------

## bunder

i would like to see a screenshot of this guy doing this thing with your pc.

----------

## Gergan Penkov

hm, this netstat's output is very strange:

 *Quote:*   

> tcp        0      0 ::ffff:127.0.0.1:6880   :::*                    LISTEN      8376/java
> 
> tcp        0      0 ::ffff:127.0.0.1:45100  :::*                    LISTEN      8376/java
> 
> tcp        0      0 :::54070                :::*                    LISTEN      8376/java
> ...

 

there is nothing java related in your ps-output though. Do you have lsof for example...

----------

## nielchiano

 *Gergan Penkov wrote:*   

> Do you have lsof for example...

 

If you don't: DO NOT compile it on the hacked PC, but compile it somewhere else; the compiler and libraries on a compromised machine can't be trusted either.

Even if you do, it might be safer to re-compile it on a "safe" machine and copy the binaries.

----------

## dspgen

Is there a live-cd he could boot, then run his installed system within qemu? To give him a clean firewall without needing an addition computer?  Maybe that way he could see how the hacker is sending him messages.

----------

## batistuta

I would like screenshots or some convincing response that makes sense. I mean, if someone is hacking so badly such a soooo strongly secured system, then this guys really really hates you. He could pick something easier to hack, so if he's is really doing this, he must have really big personal problems with you. So besides a reinstall, I would think about that.

Sorry, but this whole thing somehow looks very "funny" to me and I'm sure it's not just to me.

----------

## Akkara

A quick idea to try: boot from a livecd and run tcpdump -v to see what connection attempts are coming in.

----------

## nielchiano

 *batistuta wrote:*   

> I would like screenshots or some convincing response that makes sense. I mean, if someone is hacking so badly such a soooo strongly secured system, then this guys really really hates you. He could pick something easier to hack, so if he's is really doing this, he must have really big personal problems with you. So besides a reinstall, I would think about that.
> 
> Sorry, but this whole thing somehow looks very "funny" to me and I'm sure it's not just to me.

 

I kinda have to agree... Usually the hacker doesn't want a nice chat with his victim... the only thing he usually wants is an FTP/SMTP/... server running

----------

## batistuta

There is also no mentioning to network setup. Are you behind a router, switch, nothing? dynamic IP? Static IP? If you buy a good 100$ router with a good firewall and block all ports, and the guy still gets in, then you are basically out of luck. Switch ISP to get another IP address and hope this guy never finds you again.

----------

## elzorro

I don't suppose you have a radio wireless keyboard by any chance? Perhaps you have a neighbour on the same frequency

----------

## batistuta

I'm curious... how does the guy chat with you under windows? Does he run cygwin terminals?   :Laughing: 

Sorry to make fun of something that might be bothering you.

So I will just provide the ultimate solution to this problem (credit to merging some ideas from other people in this thread):

Get a good router. Shut down wireless. Get a wired keyboard. Change your IP address from your provider. After you get your new IP address, don't reboot into your Gentoo (or you will reveal it). Boot directly with the liveCD and reinstall. Then keep going with life.

----------

## elzorro

 *batistuta wrote:*   

> I'm curious... how does the guy chat with you under windows? Does he run cygwin terminals?  
> 
> Sorry to make fun of something that might be bothering you.

 

That's what makes me think the problem might be something more mundane, presumably if he does own a wireless keyboard then he would have used the same one under windows AND linux. Someone living close could hijack his frequency, and not only see what he types, but also type responses back (regardless of OS).

Just a thought.

----------

## batistuta

I think it is quite easy to recognize if someone is tapping your keyboard. Unless the guy can see your screen (which he can't if he's only tapping a keyboard) you can tell if there are random keystrokes while surfing, etc. I mean, it's not like you scream through the window or elevator shaft: "Now dude, I've opened up a terminal, start typing please!"   :Rolling Eyes: 

----------

## Snappi

I don't think it has something to do with my keyboard. but one funny thing is that ones I did 

```
/etc/init.d/net.eth0 stop
```

and some seconds later he wrote while the eth0 was down, but he typed something like "don't make me pissed loser it's easy to etnbr ap"

don't know what he meant by that though

I have a idea how I can find next time he is in but I won't reveal it here in case he is looking.

 *Quote:*   

> tcp 0 0 ::ffff:127.0.0.1:6880 :::* LISTEN 8376/java
> 
> tcp 0 0 ::ffff:127.0.0.1:45100 :::* LISTEN 8376/java
> 
> tcp 0 0 :::54070 :::* LISTEN 8376/java
> ...

 

I think this is from Azureus (bittorrent)

screenshot would be like any screenshot on a desktop, you can't see who wrotes what. and trust me I am not fucking with you guys and thx for all help so far. and no one but me have used this computer. I am on a static ip

----------

## eltech

 *Snappi wrote:*   

> I don't think it has something to do with my keyboard. but one funny thing is that ones I did 
> 
> ```
> /etc/init.d/net.eth0 stop
> ```
> ...

 youre on static ip and you format and he gets back in? hes the worlds best hacker or you dont set a root password and just open up ssh or something..

----------

## Snappi

ssh is off. I don't have any services running that allows remote control. the root password is good and it's not a word it's just a random mix.

----------

## JoeUser

 *Quote:*   

> "don't make me pissed loser it's easy to etnbr ap" 

 

Assuming "etnbr" is a typo for "enter" and not some weird unreadable l33t speak garbage and "ap" is abbreviation for wireless ap (access point) then it sounds to me like he's a neighbor who cracked your wireless.  When I bought my new laptop it came preinstalled with Windoze and the first boot before I had a chance to configure the wireless it just connected to the first open ap it found without even asking me if I wanted to connect to it.  What it connected to was my neighbor's wireless down the hall.  After formatting and getting Gentoo installed and wireless tools I did a scan.  There's 18 wireless ap's in my neighborhood.  A third of them are wide open.  That's when I realized how many people around me weren't just open to attacks but also were equipped to be potential attackers.  Maybe i'm just paranoid.

Perhaps a neighbor of yours has gained access to your lan via your wireless ap?  It's not rocket science cracking those.  Everything you need is in portage.  You can get a list of them from the tool list page of the Gentoo based Pentoo LiveCD and see just how many tools are available to make it ridiculously easy.  

If I were you I'd reinstall clean just to be safe.  you never know what he may have installed. use a wired connection and with the wireless completely disabled (if you have wireless).  Set some paranoia logging rules in IPTables for a while.  Log and deny everything then daily look through the logs for the hack attempts and see if he's trying to get access again through the internet.  Don't use the same passwords when you reinstall because he's probably cracked those already if he had access to your system and those will be the first passwords he tries.

If the logs show suspicious traffic they'll show the IP and the time which can be used to determine their ISP.  You can file a complaint with them who will use the IP and time to match to an account so they know who's account to suspend.  If nothing shows up in the logs that would indicate an attack then re-enable your wireless (if you have it) after first changing you aps password and your wireless security keys.  If he had access before then he's probably also logged in to your wireless ap which is usually a web interface.  While in there enable Mac filtering and make sure he didn't add his Mac to the Mac table then add your own Mac to it so you can connect.  This way even if he cracks the new wireless keys the Mac filter wont let him connect.

There are so many things to check.  So many possibilities.  That should be a good start though.

edit: I forgot that MAC addresses can be changed with ifconfig, and your wireless MAC can be found out by anyone running airdump, so in theory he could change his MAC to match yours and get past your AP's MAC filter. So you should probably change your MAC and your wireless AP's name so he doesn't recognize it in a scan.  Better yet, don't use wireless, it's too much trouble  :Smile:

Last edited by JoeUser on Tue Nov 21, 2006 1:41 am; edited 1 time in total

----------

## Gergan Penkov

well from here on, the best thing is to tar.gz your whole system, reformat your partitions, install anew and set up a hot spot in a vmware from your old system  :Smile: 

But the whole thing is rather strange - how could he resurrect a dead network - it is rather impossible, unless he has changed the init-scripts?

----------

## Snappi

I have one thing left to try wich I can't reveal yet, because than he can see it coming. matrix?  :Very Happy: 

one more funny thing is that there are much more easier targets in my network than this computer.

----------

## batistuta

are you behind a router? If yes, explain how. If not, get one, borrow one, steal one (just kidding), do whatever you need to do to get one and firewall yourself from the WAN. See if he estill gets in. 

Don't get a router based on Linux. If the guys is sooo good, he'll hack it. Get something based on VxWorks or something that the guy would probably not know or would take him time to hack. I think the latest Linksys WRT-54G and the Airport express are based on VXWorks. You can also upgrade them (at least the Linksys) to Linux later

----------

## madisonicus

 *Snappi wrote:*   

> 
> 
> ```
> You could try the following (if you have the needed hardware): put your (hacked) computer in a hub, put the internet connection in that hub also.
> 
> ...

 

So, without wireless, without ssh (or telnet, etc... I hope), without physical access to your computer, behind a NAT(?) firewall, protected by strong passwords, someone manages to hack a fresh install of Gentoo and Windows?  You're either not giving us the whole story (what are you bittorrenting?), or this person is using mental teletypery to get into your machine.

Pull the comp off the net.  Get a new keyboard.  Check your PS/2 port for a keylogger.  Change your root and user passwords. Run rkhunter and chkrootkit from safe read-only copies (see Helix and INSERT above).  Then and only then plug it back into the net.  If he's still writing spooky messages, then you need a priest, not a security expert.

Hope your idea works, cuz I'm fresh out.

-m

----------

## batistuta

 *madisonicus wrote:*   

> If he's still writing spooky messages, then you need a priest, not a security expert.

 

that made my day   :Laughing: 

----------

## Phinn_Fort

Not that I don't believe you, but could you ask your "hacker" to pose for a shot, and press printscreen?

Also, you said you had a router, didn't you? Please check it for what ports it is forwarding to your computer, and close them. Also, what times of day are he on your computer?

-PhinnFort

----------

## Snappi

first thx for all the help, much appreciated. I know everybody gonna laugh, the funny thing is I called my neighbor and ask him if he experienced something like this. Guess what? yes he did he had seen the same thing on his screen, apparently we have the same keyboard. this keyboard are going in the trash.

----------

## batistuta

 *Snappi wrote:*   

> first thx for all the help, much appreciated. I know everybody gonna laugh, the funny thing is I called my neighbor and ask him if he experienced something like this. Guess what? yes he did he had seen the same thing on his screen, apparently we have the same keyboard. this keyboard are going in the trash.

 

Are you treating us for idiots?

----------

## Snappi

 *Quote:*   

> Are you treating us for idiots?

 

No absolutely not, I see you ppl as the guys who know what they talk about. I don't understand why you think that? I wouldn't have found the problem if I hadn't reed all the replies and I am sorry if I have offended anyone.

----------

## selig

Man, this thread was awesome. I am glad I read it, because it combined good security tips with good funny fill-ins.   :Wink:  And come on, if the neighbor was so helpful in solving the mystery, then why did he supposedly type things like that to you? ROFL

----------

## batistuta

Sorry if I over-reacted. It's just that lots of things make just no sense whatsoever to me. I don't call my neighbour, I visit him/her. I don't get how you could get a keyboard without encryption (I would expect that from my grandma but not from a Gentoo user). I can't believe your neighbour has the same keyboard, and that the EM waves make it through the walls. I can't believe that there is then also a third person with the same keyboard messing up with both of you (and that the signal makes it there). I discard your neighbour being the bad guy threatening you, and it didn't sound like it. I can't understand that you didn't experience random keys, because the guy wouldn't know when you have focus on a terminal window. And then it would be obvious that someone is tapping onto your keyboard. you also mentioned that this didn't happen when unplugged from the net, and that the guy could sense when eth0 was stopped. I don't understand why you didn't answer important questions that people asked many times, like if you are behing NAT. I can't understand how you could say you'll trash your keyboard without mentioning which keyboard is so that others don't have the same problem, or at least ask if anyone with it has experienced problems, or how to secure the channel. You still didn't mention what your next thing to try would have been, in order to enhance the knowledge of others. Basically, almost nothing makes sense here.

But I am aware that just because I don't understand something, this doesn't mean that I'm right. So put it this way: if your problem was genuine, please accept my deepest apologies for over-reacting. I've had a long day at work myself. Hope you get things working now.

In any case, this thread is full of useful information that will benefit lots of other users.

----------

## elzorro

 *Snappi wrote:*   

> first thx for all the help, much appreciated. I know everybody gonna laugh, the funny thing is I called my neighbor and ask him if he experienced something like this. Guess what? yes he did he had seen the same thing on his screen, apparently we have the same keyboard. this keyboard are going in the trash.

 

Weyhey! Do I win a prize?  :Smile: 

 *batistuta wrote:*   

> I don't get how you could get a keyboard without encryption (I would expect that from my grandma but not from a Gentoo user). 

 

batistuta:  I understand your reaction, but being a gentoo user doesn't necessarily mean you are a tech head that understands the finer points of security (at least not since liveCDs became prolific) - a keyboard is mundane enough to be overlooked, and the slightly older wireless models weren't shortranged bluetooth devices but were often radio based (i had a 3 year old cherry keyboard that works at the bottom of my garden (60 feet or so) and has a few dipswitches to choose the frequency).

Still... it could just be a big hoax  :Smile: 

----------

## der bastler

 *Snappi wrote:*   

> and some seconds later he wrote while the eth0 was down, but he typed something like "don't make me pissed loser it's easy to etnbr ap"

 

 *Snappi wrote:*   

> first thx for all the help, much appreciated. I know everybody gonna laugh, the funny thing is I called my neighbor and ask him if he experienced something like this. Guess what? yes he did he had seen the same thing on his screen, apparently we have the same keyboard. this keyboard are going in the trash.

 

I don't get it. First the [fingerquotes]hacker[/fingerquotes] notices a downed eth0 and reacts. And in the end it is only your neighbour having the same keyboard? Or do we have to assume that overall three keyboards on one frequency were involved and the [fingerquotes]hacker[/fingerquotes] is still around?

----------

## pteppic

 *der bastler wrote:*   

> Or do we have to assume that overall three keyboards on one frequency were involved and the [fingerquotes]hacker[/fingerquotes] is still around?

 

Well, if that is the case, wire the keyboard up to a power supply (so the batteries don't run out) duct tape down the ctrl-alt-del keys, and stick it in the loft, paybacks a bitch.

----------

## elzorro

 *Quote:*   

> Well, if that is the case, wire the keyboard up to a power supply (so the batteries don't run out) duct tape down the ctrl-alt-del keys, and stick it in the loft, paybacks a bitch.

 

 :Laughing:  Dust off that HAM radio set and patch it in for improved range  :Smile: 

----------

## der bastler

 *pteppic wrote:*   

> Well, if that is the case, wire the keyboard up to a power supply (so the batteries don't run out) duct tape down the ctrl-alt-del keys, and stick it in the loft, paybacks a bitch.

 

Hmm... Tool Time... increase output power... fun in the neighbourhood?   :Twisted Evil: 

----------

## Ateo

A keyboard was the cause of all this? LMFAO!

----------

## psic

Snappi, could you just post the make and model of the keyboard?

I'm just kind of interested after having read through this thread, I've seen similar things happen with bluetooth (I think) keyboard and mice, but the range was a few meters.

----------

## rokstar83

I'm glad you found a solution, I read the whole thread a few minutes ago and until I saw that the solution was found I was seriously wondering if this was the first wild successful blue pill attack somehow as all the symptoms seem to point that way.

----------

## dev-urandom

I too don't see a logic in what happened, the way it stands its more of a practical joke.

@Snappi: There are way too many holes in this whole discussion that you need to fill in. The keyboard name and model, its range and other specifics are the bare minimum that you could post here. Also, how did you come to the conclusion all of a sudden that the problem is you and your neighbor having the same keyboard model? Have you actually tried to test the keyboard and see whether the signal overlaps?

----------

## Snappi

fujitsu siemens KB slim RF S/FIN is the model.

I came to the conclusion because some ppl pointed out that it could be the keyboard and that he was still typing while I did a net.eth0 stop, I think he wrote the way he did because he didn't understand the command. ??? and one other think I had to geuss some words because all letters didn't get trough, sould have mentioned that in the beggining also.

----------

## dev-urandom

 *Snappi wrote:*   

> fujitsu siemens KB slim RF S/FIN is the model.
> 
> I came to the conclusion because some ppl pointed out that it could be the keyboard and that he was still typing while I did a net.eth0 stop, I think he wrote the way he did because he didn't understand the command. ??? and one other think I had to geuss some words because all letters didn't get trough, sould have mentioned that in the beggining also.

 

Please confirm that this is indeed the case. Go to your neighbor's place with your keyboard, and type something and see whether it appears in his monitor. Afterwards, go to your place, type something and ask your neighbor whether he saw it too. I doubt whether this is your keyboard, since you said at one point that the hacker stopped sending messages when you shut down your network. 

Also, net.eth0 does not have any significance outside of gentoo - not in ubuntu, fedora, SuSE, windows, mac etc.. Does he run gentoo? Did you actually stop his network when you typed in that? I feel that the keyboard issue may be masking an actual intruder in your system.

P.S. If it turns out that the keyboard wasn't the issue, please take a moment to read the other questions posted and answer them - especially the firewall, NAT and network topology ones. If it actually was the keyboard -  well, elzorro is looking out for you  :Smile: 

----------

## Dan

I just want the damn keyboard...

Ive got 3 different ones that I try to use in the great room on the big screen and cant get them to work reliably at over 20-30ft... without walls.. How close is your neighbor?

----------

## Snappi

 *Quote:*   

> stopped sending messages when you shut down your network

 

I said that when I did a /etc/init.d/net.eth0 stop in my network I shutdown my own network, not his. since he could still write I assumed he started my network somehow. I have confirmed this whit my neighbor. because he got everything I typed. he runs windows.

----------

## dev-urandom

 *Snappi wrote:*   

>  *Quote:*   stopped sending messages when you shut down your network 
> 
> I said that when I did a /etc/init.d/net.eth0 stop in my network I shutdown my own network, not his. since he could still write I assumed he started my network somehow. I have confirmed this whit my neighbor. because he got everything I typed. he runs windows.

 

Cool, no offense intended, but this is too unbelievable to be true. Anyway, I take your word for it, and I'll stay clear of that keyboard ... I don't want my neighbor sending me crap  :Smile: 

----------

## albright

this has *got* to be the weirdest and maybe most amusing

thread I've ever followed and what a plot: from sinister hacking,

to suspicions about the poster, to comical denouement ... can't

be beat

----------

## elzorro

who needs jabber when we can all share keypresses

----------

## GNUtoo

 *batistuta wrote:*   

> Sorry if I over-reacted. It's just that lots of things make just no sense whatsoever to me. I don't call my neighbour, I visit him/her. I don't get how you could get a keyboard without encryption (I would expect that from my grandma but not from a Gentoo user). I can't believe your neighbour has the same keyboard, and that the EM waves make it through the walls. I can't believe that there is then also a third person with the same keyboard messing up with both of you (and that the signal makes it there). I discard your neighbour being the bad guy threatening you, and it didn't sound like it. I can't understand that you didn't experience random keys, because the guy wouldn't know when you have focus on a terminal window. And then it would be obvious that someone is tapping onto your keyboard. you also mentioned that this didn't happen when unplugged from the net, and that the guy could sense when eth0 was stopped. I don't understand why you didn't answer important questions that people asked many times, like if you are behing NAT. I can't understand how you could say you'll trash your keyboard without mentioning which keyboard is so that others don't have the same problem, or at least ask if anyone with it has experienced problems, or how to secure the channel. You still didn't mention what your next thing to try would have been, in order to enhance the knowledge of others. Basically, almost nothing makes sense here.
> 
> But I am aware that just because I don't understand something, this doesn't mean that I'm right. So put it this way: if your problem was genuine, please accept my deepest apologies for over-reacting. I've had a long day at work myself. Hope you get things working now.
> 
> In any case, this thread is full of useful information that will benefit lots of other users.

 

do you know tempest?

you can capture the radio waves of the monitor of the PC

----------

## batistuta

 *GNUtoo wrote:*   

> do you know tempest?
> 
> you can capture the radio waves of the monitor of the PC

 

Finally something that makes sense   :Very Happy: 

----------

## pteppic

 *GNUtoo wrote:*   

> you can capture the radio waves of the monitor of the PC

 

Too true, I sell tinfoil monitor cozys with earth straps knitted from steel wool from my cafepress page.

I'm thinking of branching into keyboard covers and mouse mats now too!

----------

## Fruitwoot

Well, that is true and this is one thing about "spying" 101 probably  :Razz: 

I also heard about a lot of others electrical things that combined together may emitted waves that can be decrypted.

This story is incredible ... logical but incredible by itself by the way it happens and been discovered ...

I know some guy who may offer this keyboard to some girls  :Razz: 

----------

## jeanfrancis

 *Fruitwoot wrote:*   

> I know some guy who may offer this keyboard to some girls 

 

LOL  :Laughing: 

Easy spy  :Wink: 

----------

## tence_g

Well...I guess it's a good time to change your RF chan... lol

funny thread though

----------

## yeti

Is it time to rename this thread to "keep getting hacked [solved]"?

That will add suspense for anyone new reading along...

----------

## DocReedSolomon

great thread, someone should make this sticky   :Laughing: 

btw: i dont care if this is serious or not, never had so much fun recently   :Laughing:   :Laughing: 

----------

## rek2

I should say "cracked" your system. 

He cracked your system with a hack..

HE just following the fun.. o_0

----------

## Corona688

To those who thought the neighbor wouldn't have been saying odd things:  Consider he probably thought HIS computer was being hacked.  That would be a very strange conversation!

Some wireless keyboards can achieve a surprisingly long range!  Between rooms, hell -- there've been reports of interference between adjacent floors.  They go a lot farther than I've ever seen a wireless mouse go...  It's a much lower bandwidth thing, I guess they use a simpler signal that takes more distance to garble.

----------

## DocReedSolomon

 *Corona688 wrote:*   

> To those who thought the neighbor wouldn't have been saying odd things:  Consider he probably thought HIS computer was being hacked. 

 

but thats what he actually *did* think about!

i guess none of you read all of those 4 pages. and no, there have not been 3 guys with the same keyboard, just 2 of them.

----------

## Corona688

 *DocReedSolomon wrote:*   

> but thats what he actually *did* think about!
> 
> i guess none of you read all of those 4 pages. and no, there have not been 3 guys with the same keyboard, just 2 of them.

  Thank you, captain obvious.  I know that.  Obviously, not everyone on this thread does.

----------

## Ast0r

 *pteppic wrote:*   

>  *der bastler wrote:*   Or do we have to assume that overall three keyboards on one frequency were involved and the [fingerquotes]hacker[/fingerquotes] is still around? 
> 
> Well, if that is the case, wire the keyboard up to a power supply (so the batteries don't run out) duct tape down the ctrl-alt-del keys, and stick it in the loft, paybacks a bitch.

 

Hahahahaha. That is, hands down, the funniest thing I have ever read on the Gentoo forums.

----------

## DocReedSolomon

 *Ast0r wrote:*   

> 
> 
> Hahahahaha. That is, hands down, the funniest thing I have ever read on the Gentoo forums.

 

check that out (emerge --info) even more funny to me  :Wink: 

https://forums.gentoo.org/viewtopic-t-521471-highlight-.html?sid=5af6443a7e314b2a79351bf4196eed74

----------

## Havin_it

 *yeti wrote:*   

> Is it time to rename this thread to "keep getting hacked [solved]"?
> 
> That will add suspense for anyone new reading along...

 

Worked for me... I have not been so GLUED to a thread since my run-in with that giant spider...   :Shocked: 

Still don't know whether to believe this, but hey I WANT to.  In fact I want some of these keyboards to make 'presents' to my own neighbours!   :Twisted Evil: 

I think this should go in the GWN next week.  Who do we see about that?

----------

## DocReedSolomon

 *Havin_it wrote:*   

> I want some of these keyboards to make 'presents' to my own neighbours!  
> 
> 

 

same here   :Razz: 

----------

## saffsd

Definitely the most entertaining read I've had on this forum in a while! I'm not convinced it's true, but it's certainly a hilarious premise. I wonder how long it will be before something like this makes it into a mainstream sitcom?

----------

## svenk

I think the question is what exactly he's able to do: perhaps the complete (Linux) system has already been "annulled" by a kernel rootkit - then there's nothing you can do any more unless you're an expert.

I think at first there is only one question:

How does the "hacker" communicate, which means which possibilities does he have? (for example: user account -> wall messages?; free X11 access -> all X possibilities?; X Root account -> everything?)

You haven't described that process at all. For example:

 He's sending you wall messages: They appear in all terminals, are probably displayed by your desktop environment (KDE does that) and are surely even logged by your logger. To send these messages, he needs access to a local user account, even one like "guest" or "nobody". In general, you should be able to read who sent the message.

 He's controlling your session via VNC: This may be the most confusing case, because he can control your graphical session, send key and mouse events and see the contents of your screen. Perhaps you're running an open VNC server that isn't protected by a password.

 He's even controlling your whole X session: Perhaps you have disabled X server access control, so any client may connect to your server. An X client can do everything, even receive all keyboard input, ... - see especially "xhost" and "man xhost"; running "xhost" with no arguments shows whether access control is enabled.

 He's written a program which opens a backdoor ("trojan"), so he can connect via that service. Perhaps he installed that program while you were away from your computer (that would suggest that he's a family member, a close friend, a neighbour, etc.).

Those are only very simple examples. But it's really strange that he has (apparently) "cracked" your computer three times after you've reinstalled everything. Maybe you should improve your security strategy  :Wink: 

Sven

EDIT: LOL - I've not seen that there are already four pages of discussion and the thread is already marked as "solved" - sorry for my stupid help  :Wink: 

----------

## psic

 *GNUtoo wrote:*   

> 
> 
> do you know tempest?
> 
> you can capture the radio waves of the monitor of the PC

 

Have you read the book 'Cryptonomicon' by Neal Stephenson? In it he describes Van Eck phreaking, which actually exists, according to Wikipedia. Interesting stuff.

----------

## TheJoker89

 *Havin_it wrote:*   

> I want some of these keyboards to make 'presents' to my own neighbours!  
> 
> 

 

same here, anyonne knows the game "bad neighbours" or Something? (sry is for winshit i know XD)

----------

## Darknight

In all honesty I have elected this thread to be "thread of the decade" for me. I won't say anything more  :Laughing: 

----------

## orange_juice

 *Darknight wrote:*   

> In all honesty I have elected this thread to be "thread of the decade" for me. I won't say anything more 

 

I think that the emotions variety, misses a clapping face. I have seen one in yahoo messenger, I think. 

I am really desperate for a couple of such emotions to send for this thread. 

Unbelievable! It is the first time after 2 years with Gentoo that I read a whole thread without missing even a word and the first time in my life that I almost broke my chair out of laughing!!! 

Thank you Gentoo for being so live in all aspects!

Kind regards,

orange_juice

----------

## Ezhdeha

Maybe we should start a show   :Very Happy: 

----------

## magnesium

Posting in an epic thread!

To be honest, it took me about 3 posts after the neighbor comment to make the link. I blame a long day of work. This is the very definition of sitcom; Situational Comedy. I just feel sorry for the time down re-installing.

----------

## deface

And I think you should read some guides on security. Is this guy for real? And a moderator wants to keep it going?

Snappi - read your manuals, don't get on the internet if you don't know what you're doing when you're on it

----------

## magnesium

Deface missed the punchline...

----------

## anggarda

There was a discussion on this once on Slashdot a few years back. Some chap had his Logitech keyboard messing up keystrokes with his dorm mates. 

I've tried searching for it, but nothing came up. It seemed to be a common problem with certain Logitech wireless keyboards back then.

----------

## Suicidal

 *pteppic wrote:*   

>  *der bastler wrote:*   Or do we have to assume that overall three keyboards on one frequency were involved and the [fingerquotes]hacker[/fingerquotes] is still around? 
> 
> Well, if that is the case, wire the keyboard up to a power supply (so the batteries don't run out) duct tape down the ctrl-alt-del keys, and stick it in the loft, paybacks a bitch.

 

ROFL, I nominate that comment for:

```
games-misc/fortune-mod-gentoo-forums
```

----------

## Bearbonez

You've got the tun driver running 

Nov 18 13:32:11 localhost eth0: forcedeth.c: subsystem: 01462:7125 bound to 0000:00:0a.0

Nov 18 13:32:11 localhost tun: Universal TUN/TAP device driver, 1.6

Nov 18 13:32:11 localhost tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>

Google "hamachi"; it's used for gaming.

----------

## Gloom_Scythe

I had something similar happen on an older setup... have you considered some type of firmware rootkit or MBR rootkit? Lots of ppl don't believe in them but I have seen them. Plus routers can be re-flashed maliciously as well. Look for misspellings in the BIOS (that's one of the ways I discovered my issue). Question: have you ever downloaded torrents, and have you ever dual-booted? Try running Gentoo using reiserfs or reiser4 and change the whole software layout of the system. A new router without wireless is a must. Just some tidbits. To identify bad firmware I would use common sense and a write-protected hex editor. You could pull the storage device out, attach it to a clean system of a different arch and run photorec to look for hidden logs that were deleted by the intruder. Play his social engineering game... use tools like grub to find hidden partitions (that's how I found a hidden tdlr partition on a friend's HDD. TDSSKiller is a joke lol).

----------

## Ant P.

 *Gloom_Scythe wrote:*   

> I had something similar happen on an older setup... have you considered some type of firmware rootkit or mbr rootkit?

 

The problem was answered... nine years ago. Did you read the thread?

----------

## Zucca

There's a necromancer among us.

----------

