Netgate Discussion Forum

    Odd DHCP system log entries.

      rosco111

      I recently went over some system logs and discovered that another Comcast customer may be attempting to gain access to my network. I have contacted Comcast on the issue, but can anyone tell me why my DHCP client would be leaving logs as to how many hosts are listed? Does this mean the DHCP client is responding to the WAN? Is there a security hole? Help!
      FYI: re1 is my WAN, I've replaced my IP with ...* and of course left the other jack's IP visible.
      Here is a small snip from the logs:
      Apr 3 23:23:29 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 23:23:29 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 23:05:35 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 22:21:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 22:21:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 21:11:41 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 20:41:51 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 20:41:51 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 19:37:43 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 19:37:43 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 19:15:24 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 3 17:15:24 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 3 17:15:24 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 3 16:46:20 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 3 16:37:21 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 3 16:09:47 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 3 16:08:32 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 16:08:32 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 15:10:19 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 14:12:06 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 14:12:06 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 13:13:52 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 12:15:39 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 12:15:39 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 11:17:26 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 10:19:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 10:19:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 09:12:08 dnsmasq[56241]: read /etc/hosts - 28 addresses
      Apr 3 09:12:08 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 07:12:08 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 07:12:08 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 05:59:58 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 05:59:58 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 01:05:55 dnsmasq[56241]: read /etc/hosts - 28 addresses
      Apr 3 01:05:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 3 01:01:01 php: : phpDynDNS: No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
      Apr 3 01:01:01 php: : DynDns: Current WAN IP: ...* Cached IP: ...*
      Apr 3 01:01:01 php: : DynDns debug information: ...* extracted from local system.
      Apr 3 01:01:01 php: : DynDns: updatedns() starting
      Apr 2 23:05:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 22:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
      Apr 2 22:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
      Apr 2 20:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
      Apr 2 20:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
      Apr 2 19:55:12 dnsmasq[56241]: read /etc/hosts - 28 addresses
      Apr 2 19:14:50 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 18:57:35 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 18:57:35 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 17:59:57 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 17:16:43 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 17:14:50 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 17:14:50 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 17:02:05 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 16:58:36 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 16:39:58 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 16:22:49 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 16:11:54 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 16:11:54 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 15:24:36 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 14:43:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 14:43:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 13:45:06 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 12:46:47 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 12:46:47 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 11:48:34 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 11:32:01 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 10:50:16 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 10:50:16 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 09:52:03 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 09:32:01 dnsmasq[56241]: read /etc/hosts - 30 addresses
      Apr 2 09:15:46 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 09:15:46 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 08:36:35 kernel: /: optimization changed from TIME to SPACE
      Apr 2 08:17:32 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 07:19:18 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 07:19:18 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 07:15:26 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 06:28:15 dhclient[15152]: bound to ...* – renewal in 153409 seconds.
      Apr 2 06:28:15 dhclient[20682]: bound to ...* – renewal in 153409 seconds.
      Apr 2 06:28:15 dhclient: Creating resolv.conf
      Apr 2 06:28:15 dhclient: Creating resolv.conf
      Apr 2 06:28:15 dhclient: RENEW
      Apr 2 06:28:15 dhclient: RENEW
      Apr 2 06:28:15 dhclient[15152]: DHCPACK from 68.87.66.18
      Apr 2 06:28:15 dhclient[20682]: DHCPACK from 68.87.66.18
      Apr 2 06:28:15 dhclient[15152]: DHCPREQUEST on re1 to 68.87.66.18 port 67
      Apr 2 06:28:15 dhclient[20682]: DHCPREQUEST on re1 to 68.87.66.18 port 67
      Apr 2 06:17:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 06:17:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 05:55:26 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 04:57:14 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 04:57:14 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 04:53:37 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 03:55:20 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 03:55:20 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 03:35:36 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 02:37:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 02:37:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Apr 2 01:39:05 dnsmasq[56241]: read /etc/hosts - 29 addresses
      Thanks!

        wallabybob

        I don't know why you apparently have two dhclients running for re1 (pid 15152 and 20682); one is normally sufficient.

        The IP address reported below is the IP address of the DHCP server that responded to the request:
        @rosco111:

        Apr 2 06:28:15 dhclient: RENEW
        Apr 2 06:28:15 dhclient: RENEW
        Apr 2 06:28:15 dhclient[15152]: DHCPACK from 68.87.66.18
        Apr 2 06:28:15 dhclient[20682]: DHCPACK from 68.87.66.18
        Apr 2 06:28:15 dhclient[15152]: DHCPREQUEST on re1 to 68.87.66.18 port 67
        Apr 2 06:28:15 dhclient[20682]: DHCPREQUEST on re1 to 68.87.66.18 port 67

          cmb

          None of that is indicative of someone trying to get into your network. dnsmasq re-reads /etc/hosts whenever a system inside your network gets a DHCP lease or renews one, as it has to do to maintain correct name resolution. Nothing there is unusual aside from having two dhclient PIDs, though that can be normal in some unusual circumstances (like two NICs plugged into the cable modem to pull multiple IPs).
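
Added example (not written by any poster in this thread): a small triage script that reads syslog lines the way the two replies do, counting the dnsmasq /etc/hosts re-reads, listing the DHCP servers that sent a DHCPACK, and noting any interface with more than one dhclient PID. The function name `triage` and the result keys are hypothetical; the sample lines are a subset copied from the excerpt in the first post.

```python
import re
from collections import defaultdict

# Subset of the log excerpt from the first post, used as sample input.
SAMPLE = """\
Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 29 addresses
Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 30 addresses
Apr 3 09:12:08 dnsmasq[56241]: read /etc/hosts - 28 addresses
Apr 2 08:36:35 kernel: /: optimization changed from TIME to SPACE
Apr 2 06:28:15 dhclient[15152]: DHCPACK from 68.87.66.18
Apr 2 06:28:15 dhclient[20682]: DHCPACK from 68.87.66.18
Apr 2 06:28:15 dhclient[15152]: DHCPREQUEST on re1 to 68.87.66.18 port 67
Apr 2 06:28:15 dhclient[20682]: DHCPREQUEST on re1 to 68.87.66.18 port 67
""".splitlines()

# "Mon D HH:MM:SS proc[pid]: message" (the pid is optional).
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\w+)(?:\[(\d+)\])?: (.*)$")
HOSTS = re.compile(r"read /etc/hosts - (\d+) addresses")
ACK = re.compile(r"DHCPACK from (\S+)")
REQ = re.compile(r"DHCPREQUEST on (\S+) to (\S+) port (\d+)")

def triage(lines):
    """Summarise dnsmasq and dhclient syslog lines (hypothetical helper)."""
    counts, servers, pids, other = [], set(), defaultdict(set), []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                              # not a syslog-style line
        _, proc, pid, msg = m.groups()
        if proc == "dnsmasq" and (h := HOSTS.search(msg)):
            counts.append(int(h.group(1)))        # lease-driven hosts re-read
        elif proc == "dhclient" and (a := ACK.search(msg)):
            servers.add(a.group(1))               # DHCP server that answered
        elif proc == "dhclient" and pid and (r := REQ.search(msg)):
            pids[r.group(1)].add(int(pid))        # client PID per interface
        else:
            other.append(raw.strip())             # not covered by these rules
    notes = [f"{iface}: {len(p)} dhclient PIDs {sorted(p)}"
             for iface, p in sorted(pids.items()) if len(p) > 1]
    return {"hosts_rereads": len(counts),
            "hosts_range": (min(counts), max(counts)) if counts else None,
            "dhcp_servers": sorted(servers),
            "notes": notes,
            "unclassified": other}
```

On the sample, the address count stays within 28 to 30, the only DHCPACK source is the server the client itself sent its DHCPREQUEST to, and the one note is the duplicate dhclient PID on re1 that both replies mention.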
