Netgate Discussion Forum

Bogons file from July 1st contained Google netblock

Firewalling
7 Posts 2 Posters 2.1k Views
  • E
    erkko
    last edited by Jul 20, 2011, 6:55 PM Jul 20, 2011, 6:01 PM

    last time this was updated, 30-36 days ago, it used to contain such netblocks:

    0.0.0.0/8
    10.0.0.0/8
    127.0.0.0/8
    169.254.0.0/16
    172.16.0.0/12
    192.0.0.0/24
    192.0.2.0/24
    192.168.0.0/16
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24
    224.0.0.0/4
    240.0.0.0/4

    file updated from crontab @ july 1:

    -rw-r--r--  1 root  wheel  146 Jul  1 05:08 /etc/bogons

    0.0.0.0/8
    127.0.0.0/8
    169.254.0.0/16
    192.0.0.0/24
    192.0.2.0/24
    66.249.0.0/16 <<<<<<<< google has spiders @ 66.249.64.0/19
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24
    224.0.0.0/4
    240.0.0.0/4

    and today's manual update again produced an ok bogons file:

    -rw-r--r--  1 root  wheel  132 Jul 20 20:13 /etc/bogons

    0.0.0.0/8
    127.0.0.0/8
    169.254.0.0/16
    192.0.0.0/24
    192.0.2.0/24
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24
    224.0.0.0/4
    240.0.0.0/4

    does anyone have versions/backups of what has been served at http://files.pfsense.org/bogon-bn-nonagg.txt ?
    did this data come originally from IANA?
    this fluke blocked effectively (and quietly, one might add) google from spidering our websites for 20 days and all of them lost their nice pagerank and moved wayyy deep in google search too :)

    rgds,
    e
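
An added example, not part of the original posts or pfSense's own code: a Python check that compares a bogons file against the known-good copy quoted in the post above and reports any prefix that no baseline block covers. The choice of baseline and the function names are assumptions made for this illustration.

```python
import ipaddress

# Baseline: the known-good Jul 20 file quoted in the post (an assumption;
# in practice pin a copy you have verified yourself).
BASELINE = """0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 192.0.0.0/24 192.0.2.0/24
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4 240.0.0.0/4""".split()

# Sample input: the Jul 1 file as quoted in the post, annotation left in place.
JUL1_FILE = """0.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.0.0.0/24
192.0.2.0/24
66.249.0.0/16 <<<<<<<< google has spiders @ 66.249.64.0/19
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
"""

def parse_prefixes(text):
    """Return the networks in a bogons-style file (first token per line)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            # A malformed prefix raises ValueError, so the check fails loudly.
            nets.append(ipaddress.ip_network(line.split()[0]))
    return nets

def covered(net, blocks):
    """True if net lies inside one of blocks (same IP version only)."""
    return any(net.version == b.version and net.subnet_of(b) for b in blocks)

def audit_bogons(text, baseline=BASELINE):
    """Return (unexpected, missing) prefix lists for a bogons file."""
    base = [ipaddress.ip_network(p) for p in baseline]
    found = parse_prefixes(text)
    unexpected = [str(n) for n in found if not covered(n, base)]
    missing = [str(b) for b in base if not covered(b, found)]
    return unexpected, missing

if __name__ == "__main__":
    print(audit_bogons(JUL1_FILE))
```

Run against `/etc/bogons` after each scheduled update, a non-empty result can be sent to remote syslog so that a change like the one described here does not go unnoticed.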

    • C
      cmb
      last edited by Jul 22, 2011, 8:12 AM

      It's pulled automatically from Cymru's bogon listing here. http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt  Their change log shows no updates since February, and checking 10 boxes that last updated the same as everyone's on July 1, none of them have that in there. No record of that ever being on the server. No idea how you could have gotten that there short of leaving your firewall open with a weak password and someone screwing with you.

      • E
        erkko
        last edited by Jul 22, 2011, 8:47 AM

        indeed… 4 other pfsense machines had bogons file from same day and no such network in it.
        no permanent long-lasting log to look for about webif/ssh accesses, just circular logs?

        • C
          cmb
          last edited by Jul 22, 2011, 9:48 AM

          yeah not unless you're syslogging.

          • E
            erkko
            last edited by Jul 22, 2011, 11:34 AM Jul 22, 2011, 10:27 AM

            did not, fixed that now. changed passwords too everywhere, just in case. thanks man

            PS. if someone else looks for webif access logs combined with remote syslog (perhaps that guy: http://forum.pfsense.org/index.php/topic,22171.msg113966.html)

            /var/etc/lighty-webConfigurator.conf:
            server.errorlog-use-syslog  = "enable"
            accesslog.use-syslog        = "enable"
            …restart lighttpd
            plus log settings > remote logging etc

            • C
              cmb
              last edited by Jul 22, 2011, 2:22 PM

              that's weird… good remedial actions, you may want to back up your config, check it for sanity, and wipe out and reinstall it if you don't really trust it and restore the validated config.

              • E
                erkko
                last edited by Jul 22, 2011, 3:00 PM

                37 days old install. but nevertheless, old config along with old password was indeed restored when this fw replaced old one. will go over the conf with fine-tooth comb.
