Bogons file from July 1st contained Google netblock



  • The last time this was updated, 30-36 days ago, it contained these netblocks:

    0.0.0.0/8
    10.0.0.0/8
    127.0.0.0/8
    169.254.0.0/16
    172.16.0.0/12
    192.0.0.0/24
    192.0.2.0/24
    192.168.0.0/16
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24
    224.0.0.0/4
    240.0.0.0/4

    File updated from crontab on July 1:

    -rw-r--r--  1 root  wheel  146 Jul  1 05:08 /etc/bogons

    0.0.0.0/8
    127.0.0.0/8
    169.254.0.0/16
    192.0.0.0/24
    192.0.2.0/24
    66.249.0.0/16 <<<<<<<< Google has spiders @ 66.249.64.0/19
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24
    224.0.0.0/4
    240.0.0.0/4

    and today's manual update again produced an OK bogons file:

    -rw-r--r--  1 root  wheel  132 Jul 20 20:13 /etc/bogons

    0.0.0.0/8
    127.0.0.0/8
    169.254.0.0/16
    192.0.0.0/24
    192.0.2.0/24
    198.18.0.0/15
    198.51.100.0/24
    203.0.113.0/24
    224.0.0.0/4
    240.0.0.0/4

    Does anyone have versions/backups of what has been served at http://files.pfsense.org/bogon-bn-nonagg.txt ?
    Did this data originally come from IANA?
    This fluke effectively (and quietly, one might add) blocked Google from spidering our websites for 20 days, and all of them lost their nice PageRank and moved wayyy deep into Google search too :)

    rgds,
    e
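The check the poster wishes had been in the cron job: before a freshly fetched list replaces /etc/bogons, every prefix in it is compared against an allowlist of the IANA special-purpose ranges, and the install is refused if anything else (such as a routable /16) shows up. This is an added example, not pfSense's own update script; the allowlist is taken from the known-good lists quoted above, and the two file bodies and the Googlebot-range address used below are constructed copies for illustration.

```python
"""Sanity-check a fetched bogon list before installing it as /etc/bogons.

Added example, not pfSense's rc.update_bogons code. A fetched prefix is
accepted only if it lies inside one of the IANA special-purpose ranges
listed in EXPECTED_BOGONS, so a stray routable block is caught before the
firewall loads it.
"""
import ipaddress
import sys

# Prefixes that legitimately appear in a bogon list; taken from the
# known-good lists quoted in this thread (RFC 1122, 1918, 3927, 5737, ...).
EXPECTED_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed copies of the July 1 (bad) and July 20 (good) files above.
JULY_1_FILE = """\
0.0.0.0/8
127.0.0.0/8
169.254.0.0/16
192.0.0.0/24
192.0.2.0/24
66.249.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
"""

JULY_20_FILE = "\n".join(
    l for l in JULY_1_FILE.splitlines() if l != "66.249.0.0/16") + "\n"


def parse_bogons(text):
    """Parse one prefix per line; blank lines and '#' comments are ignored.

    Malformed lines (garbage, or host bits set) raise ValueError so that a
    corrupted download is never installed half-parsed.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=True))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {raw!r}: {exc}") from None
    return nets


def unexpected_bogons(nets, allowlist=EXPECTED_BOGONS):
    """Return the prefixes in `nets` not contained in any allowlisted prefix."""
    return [n for n in nets
            if not any(n.version == a.version and n.subnet_of(a)
                       for a in allowlist)]


def blocked_by(address, nets):
    """Return the bogon prefix that would block `address`, or None."""
    ip = ipaddress.ip_address(address)
    for n in nets:
        if ip.version == n.version and ip in n:
            return n
    return None


if __name__ == "__main__":
    # Usage: python check_bogons.py /tmp/bogon-bn-nonagg.txt  (exit 1 = refuse)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else JULY_1_FILE
    bad = unexpected_bogons(parse_bogons(text))
    for n in bad:
        print(f"REFUSING unexpected prefix: {n}")
    sys.exit(1 if bad else 0)
```

Run against the July 1 list it exits 1 and names 66.249.0.0/16; against the July 20 list it exits 0. Hooking it in between the fetch and the copy to /etc/bogons turns a silent 20-day outage into a cron mail.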



  • It's pulled automatically from Cymru's bogon listing here: http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt  Their change log shows no updates since February, and checking 10 boxes that last updated on July 1, the same as everyone's, none of them have that in there. There is no record of that ever being on the server. No idea how you could have gotten that there, short of leaving your firewall open with a weak password and someone screwing with you.



  • Indeed… 4 other pfSense machines had the bogons file from the same day, and no such network in it.
    No permanent, long-lasting log to look through for webif/SSH accesses, just circular logs?



  • Yeah, not unless you're syslogging.



  • Did not, fixed that now. Changed passwords everywhere too, just in case. Thanks, man.

    PS. If someone else is looking for webif access logs combined with remote syslog (perhaps this guy: http://forum.pfsense.org/index.php/topic,22171.msg113966.html):

    /var/etc/lighty-webConfigurator.conf:
    server.errorlog-use-syslog  = "enable"
    accesslog.use-syslog        = "enable"
    …then restart lighttpd,
    plus Log Settings > Remote Logging, etc.
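Once the webConfigurator access log is leaving the box over syslog as described, the question that started this thread ("who touched the firewall, and from where?") becomes answerable. Below is an added example, not pfSense's own code, of the review a responder would run over those forwarded lines: it parses lighttpd's default access-log format behind a syslog header, lists clients outside a management network, counts login POSTs per client, and flags hits on sensitive pages. The management subnet, the sensitive-page list, the assumption that the GUI login form posts to /index.php, and every sample line are constructed for illustration.

```python
"""Review lighttpd webConfigurator access-log lines forwarded over syslog.

Added example, not pfSense code. Assumes lighttpd's default accesslog.format
(%h %V %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i") behind a standard
syslog header; the management subnet, sensitive paths and sample lines are
all constructed.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical management network: the only source that should reach the GUI.
MGMT_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Assumed examples of pages worth a second look from any client
# (config export, command execution); adjust to your install.
SENSITIVE_PATHS = {"/diag_backup.php", "/exec.php"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) lighttpd\[\d+\]: "
    r"(?P<client>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] "
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one legitimate admin session, one outside client
# hammering the login form and then exporting the config, one sshd line
# that is not lighttpd's and must be skipped.
SAMPLE_LOG = """\
Jul 20 20:13:05 fw lighttpd[1234]: 192.168.1.10 fw.example.net - [20/Jul/2010:20:13:05 +0300] "POST /index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
Jul 20 20:13:07 fw lighttpd[1234]: 192.168.1.10 fw.example.net - [20/Jul/2010:20:13:07 +0300] "GET /firewall_rules.php HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
Jul 20 21:40:01 fw lighttpd[1234]: 203.0.113.7 fw.example.net - [20/Jul/2010:21:40:01 +0300] "POST /index.php HTTP/1.1" 200 2048 "-" "curl/7.19"
Jul 20 21:40:02 fw lighttpd[1234]: 203.0.113.7 fw.example.net - [20/Jul/2010:21:40:02 +0300] "POST /index.php HTTP/1.1" 200 2048 "-" "curl/7.19"
Jul 20 21:40:09 fw lighttpd[1234]: 203.0.113.7 fw.example.net - [20/Jul/2010:21:40:09 +0300] "POST /index.php HTTP/1.1" 302 0 "-" "curl/7.19"
Jul 20 21:40:15 fw lighttpd[1234]: 203.0.113.7 fw.example.net - [20/Jul/2010:21:40:15 +0300] "GET /diag_backup.php?download=1 HTTP/1.1" 200 9911 "-" "curl/7.19"
Jul 20 21:41:00 fw sshd[999]: Accepted password for admin from 203.0.113.7 port 50000 ssh2
"""


def parse_line(line):
    """Return the access-log fields as a dict, or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_foreign(client, mgmt_nets):
    """True if `client` is not inside any management network."""
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:          # hostname or garbage: treat as untrusted
        return True
    return not any(ip.version == n.version and ip in n for n in mgmt_nets)


def review(lines, mgmt_nets=MGMT_NETS):
    """Summarise who reached the GUI from where, and what they touched."""
    foreign, login_posts, sensitive, unparsed = set(), Counter(), [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        client = rec["client"]
        path = rec["path"].split("?", 1)[0]      # drop the query string
        if is_foreign(client, mgmt_nets):
            foreign.add(client)
        if rec["method"] == "POST" and path == "/index.php":   # assumed login form
            login_posts[client] += 1
        if path in SENSITIVE_PATHS:
            sensitive.append((client, path))
    return {"foreign_clients": sorted(foreign), "login_posts": login_posts,
            "sensitive_hits": sensitive, "unparsed": unparsed}


if __name__ == "__main__":
    report = review(SAMPLE_LOG.splitlines())
    print("clients outside mgmt nets:", report["foreign_clients"])
    print("login POSTs per client:", dict(report["login_posts"]))
    print("sensitive page hits:", report["sensitive_hits"])
```

Feed it the real forwarded lines (for example `grep lighttpd /var/log/remote/fw.log | python review_webgui.py`) instead of SAMPLE_LOG, and widen SENSITIVE_PATHS to whatever pages matter on your install; the point is that, with remote syslog on, this evidence survives the firewall's own circular logs.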



  • That's weird… Good remedial actions. You may want to back up your config, check it for sanity, and wipe and reinstall if you don't really trust it, then restore the validated config.



  • 37-day-old install. But nevertheless, the old config, along with the old password, was indeed restored when this fw replaced the old one. Will go over the conf with a fine-tooth comb.

