Odd DHCP system log entries.



  • I recently went over some system logs and discovered that another Comcast customer may be attempting to gain access to my network. I have contacted Comcast on the issue, but can anyone tell me why my DHCP client would be leaving logs as to how many hosts are listed? Does this mean the DHCP client is responding to the WAN? Is there a security hole? Help!
    FYI: re1 is my WAN, I've replaced my IP with ...* and of course left the other jack's IP visible.
    Here is a small snip from the logs:
    Apr 3 23:23:29 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 23:23:29 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 23:05:35 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 22:21:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 22:21:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 21:11:41 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 20:41:51 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 20:41:51 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 19:37:43 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 19:37:43 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 19:15:24 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 3 17:15:24 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 3 17:15:24 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 3 16:46:20 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 3 16:37:21 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 3 16:09:47 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 3 16:08:32 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 16:08:32 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 15:10:19 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 14:12:06 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 14:12:06 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 13:13:52 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 12:15:39 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 12:15:39 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 11:17:26 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 10:19:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 10:19:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 09:12:08 dnsmasq[56241]: read /etc/hosts - 28 addresses
    Apr 3 09:12:08 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 07:12:08 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 07:12:08 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 05:59:58 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 05:59:58 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 01:05:55 dnsmasq[56241]: read /etc/hosts - 28 addresses
    Apr 3 01:05:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 3 01:01:01 php: : phpDynDNS: No change in my IP address and/or 25 days has not passed. Not updating dynamic DNS entry.
    Apr 3 01:01:01 php: : DynDns: Current WAN IP: ...* Cached IP: ...*
    Apr 3 01:01:01 php: : DynDns debug information: ...* extracted from local system.
    Apr 3 01:01:01 php: : DynDns: updatedns() starting
    Apr 2 23:05:55 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 22:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
    Apr 2 22:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
    Apr 2 20:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
    Apr 2 20:52:49 dnsmasq[56241]: read /etc/hosts - 28 addresses
    Apr 2 19:55:12 dnsmasq[56241]: read /etc/hosts - 28 addresses
    Apr 2 19:14:50 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 18:57:35 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 18:57:35 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 17:59:57 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 17:16:43 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 17:14:50 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 17:14:50 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 17:02:05 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 16:58:36 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 16:39:58 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 16:22:49 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 16:11:54 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 16:11:54 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 15:24:36 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 14:43:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 14:43:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 13:45:06 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 12:46:47 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 12:46:47 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 11:48:34 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 11:32:01 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 10:50:16 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 10:50:16 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 09:52:03 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 09:32:01 dnsmasq[56241]: read /etc/hosts - 30 addresses
    Apr 2 09:15:46 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 09:15:46 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 08:36:35 kernel: /: optimization changed from TIME to SPACE
    Apr 2 08:17:32 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 07:19:18 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 07:19:18 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 07:15:26 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 06:28:15 dhclient[15152]: bound to ...* -- renewal in 153409 seconds.
    Apr 2 06:28:15 dhclient[20682]: bound to ...* -- renewal in 153409 seconds.
    Apr 2 06:28:15 dhclient: Creating resolv.conf
    Apr 2 06:28:15 dhclient: Creating resolv.conf
    Apr 2 06:28:15 dhclient: RENEW
    Apr 2 06:28:15 dhclient: RENEW
    Apr 2 06:28:15 dhclient[15152]: DHCPACK from 68.87.66.18
    Apr 2 06:28:15 dhclient[20682]: DHCPACK from 68.87.66.18
    Apr 2 06:28:15 dhclient[15152]: DHCPREQUEST on re1 to 68.87.66.18 port 67
    Apr 2 06:28:15 dhclient[20682]: DHCPREQUEST on re1 to 68.87.66.18 port 67
    Apr 2 06:17:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 06:17:13 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 05:55:26 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 04:57:14 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 04:57:14 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 04:53:37 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 03:55:20 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 03:55:20 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 03:35:36 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 02:37:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 02:37:23 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Apr 2 01:39:05 dnsmasq[56241]: read /etc/hosts - 29 addresses
    Thanks!



  • I don't know why you apparently have two dhclients running for re1 (pid 15152 and 20682); one is normally sufficient.

    The IP address reported below is the IP address of the DHCP server that responded to the request:
    @rosco111:

    Apr 2 06:28:15 dhclient: RENEW
    Apr 2 06:28:15 dhclient: RENEW
    Apr 2 06:28:15 dhclient[15152]: DHCPACK from 68.87.66.18
    Apr 2 06:28:15 dhclient[20682]: DHCPACK from 68.87.66.18
    Apr 2 06:28:15 dhclient[15152]: DHCPREQUEST on re1 to 68.87.66.18 port 67
    Apr 2 06:28:15 dhclient[20682]: DHCPREQUEST on re1 to 68.87.66.18 port 67



  • None of that is indicative of someone trying to get into your network. dnsmasq re-reads /etc/hosts whenever a system inside your network gets a DHCP lease or renews one, as it has to do to maintain correct name resolution. Nothing there is unusual aside from having two dhclient PIDs, though that can be normal in some unusual circumstances (like two NICs plugged into the cable modem to pull multiple IPs).
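
A triage sketch for the log format shown in this thread, added here as an example and not written by any of the posters: it reports when the dnsmasq /etc/hosts count changed (LAN lease activity, per the replies), which interfaces have more than one dhclient PID, and any DHCPACK from a server that no DHCPREQUEST was addressed to. The function name `summarize` and the short excerpt are assumptions; the excerpt reuses lines from the original post.

```python
import re
from collections import defaultdict

# Excerpt assembled from lines in the original post (newest entry first).
SAMPLE_LOG = """\
Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 29 addresses
Apr 3 18:37:21 dnsmasq[56241]: read /etc/hosts - 30 addresses
Apr 3 16:09:47 dnsmasq[56241]: read /etc/hosts - 30 addresses
Apr 3 16:08:32 dnsmasq[56241]: read /etc/hosts - 29 addresses
Apr 2 06:28:15 dhclient[15152]: DHCPACK from 68.87.66.18
Apr 2 06:28:15 dhclient[20682]: DHCPACK from 68.87.66.18
Apr 2 06:28:15 dhclient[15152]: DHCPREQUEST on re1 to 68.87.66.18 port 67
Apr 2 06:28:15 dhclient[20682]: DHCPREQUEST on re1 to 68.87.66.18 port 67
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\w+)(?:\[(\d+)\])?: (.*)$")
HOSTS = re.compile(r"read /etc/hosts - (\d+) addresses")
REQUEST = re.compile(r"DHCPREQUEST on (\S+) to (\S+) port 67")
ACK = re.compile(r"DHCPACK from (\S+)")

def summarize(log_text):
    counts = []                   # (timestamp, host count), oldest first
    clients = defaultdict(set)    # interface -> dhclient PIDs seen requesting on it
    requested, acked = set(), set()
    # The log view lists newest entries first, so walk it in reverse.
    for line in reversed(log_text.strip().splitlines()):
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, prog, pid, msg = m.groups()
        if prog == "dnsmasq" and (h := HOSTS.search(msg)):
            counts.append((ts, int(h.group(1))))
        elif prog == "dhclient":
            if r := REQUEST.search(msg):
                clients[r.group(1)].add(pid)
                requested.add(r.group(2))
            elif a := ACK.search(msg):
                acked.add(a.group(1))
    # A change in the count means a LAN host name was added or dropped.
    changes = [(ts, prev, cur)
               for (_, prev), (ts, cur) in zip(counts, counts[1:]) if prev != cur]
    return {
        "host_count_changes": changes,
        "duplicate_dhclient": {i: sorted(p) for i, p in clients.items() if len(p) > 1},
        "acks_from_other_servers": sorted(acked - requested),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

An empty `acks_from_other_servers` list means every DHCPACK in the excerpt came from the server the renewal request was sent to; a broadcast rebind would legitimately show up there, so a hit is a prompt to look closer rather than a verdict.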

