LinuxQuestions.org, Linux - Security: user reappears even if operating system is reinstalled and 3x formatted (https://www.linuxquestions.org/questions/linux-security-4/user-reappears-even-if-operating-system-is-reinstalled-and-3x-formatted-884666/)

robeich 06-11-2011 08:10 AM

Hello noway2,
I already know that this IP is Google !! That was the first thing I figured out !
And I agree that I don't believe that google forces for any reason access to my computers !
But we should stop believing and start knowing.

And I know that hackers compromising other networks for sure do not use their own IP and MAC address !
beep, bad answer !

Fact is that a computer with this IP is able to go through my netgear router, actually configured to REJECT all incoming connections !
Evidence of firewall accepted ?
Or is my firewall reacting paranoid, just because somebody tries to connect in STEALTH mode at port 80 even though there is no
webserver on this computer ?

Fact is that I am asking more experienced people, actually Linuxquestions.org, if they can tell me why sometimes a username appears at login
that actually has to be empty ?
Fact is as well that I had bluetooth processes with high priority that couldn't get killed even though I do not have a bluetooth device !
I will not repeat the other facts described before.

Fact is as well, that you don't have any idea what causes these issues.

If you don't trust me or do not understand what's going on, why do you contribute such totally useless attempts of help ?
I want facts and solutions from professionals, sorry but your contribution was NO help at all .

The only helpful ideas came from unSpawn.
thanks , a little bit disappointed
robeich

robeich 06-12-2011 05:29 AM

Dear linuxquestions,
I really want to get rid of totally unqualified answers to the incidents described earlier in this thread.
If I have a look at some answers, it seems that people should keep staying with facebook and
not pretend technical qualifications they obviously do NOT have.
There are definitely some people answering my questions overestimating their own qualifications !
And to cover up their lack of understanding, very simple to understand but very serious security
issues like attacks over port 80 going through at least one firewall are commented on with sentences like this

"Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz."

The only person who, from my point of view, knows what he is doing is unSpawn !

I started this thread so I am the person to close this thread !
This thread is hereby closed.

One last thing I have to say, after getting more information from very qualified persons.
I doubt that after the changes done in Kernel 2.6, udev replacing fstab and .. it will be possible to keep a system really secure.

robeich

TobiSGD 06-12-2011 05:41 AM

Quote:

Originally Posted by robeich (Post 4382636)
I want facts and solutions from professionals, sorry but your contribution was NO help at all .

LQ is a community of volunteers that try to help other people. While there are professionals here, not all of us are, but most people here are knowledgeable at least in a few parts of the Linux system. We give away our free time to help people, and do our best with it.

If that is not good enough for you, you should buy professional support. Only then you have the right to blame the people that are trying to help you for not getting a solution for you.

robeich 06-12-2011 06:32 AM

Hi Tobi,
Thanks for that hint but I already bought professional support !
But I really would recommend to some members to stop HELP like this :

"Given the level of paranoia you are expressing on a public forum, I can only guess how you come across in person. It would not surprise me in the least to learn that someone is deliberately "yanking your chain" for lulz."

As well, I'm really missing one question about my firewall entries:
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode
connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---

An experienced person would have asked something like this :
Please show me the entries before that entry; did you google earlier that day ?
No I did not !
regards
robeich

unSpawn 06-12-2011 12:16 PM

Quote:

Originally Posted by robeich (Post 4383261)
I really would recommend to some members stopping HELP

There is a small group of Incident Response handlers that patrol the Linuxquestions.org Security forum. They are dedicated, knowledgeable and from my experience completely trustworthy. Noway2 is one of them and I'd say you should not misjudge him solely based on two OT sentences.


Quote:

Originally Posted by robeich (Post 4383261)
Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80

Break that apart and you get:
Code:

TCP                  # protocol used for data transfer between end points
connection attempt    # the SYN bit was set
Stealth Mode          # ...but no transmission control block was (yet) allotted (also see RFC 2140) by the kernel
from 209.85.143.99:80 # unless spoofed port TCP/80 indicates a web server
to 192.168.1.40:49279 # local LAN address has ephemeral port number and seems consistent with HTTP return traffic

Given the server's address (AS15169 belongs to a popular search engine company) this could be due to network issues rather than malicious activity. You should not see ipfw log this often.
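As an added example (not from unSpawn's post or any LinuxQuestions tool), here is a small Python parser that pulls the fields listed above out of macOS Firewall "Stealth Mode" entries, folds in the "--- last message repeated N times ---" lines, and flags an entry as consistent with late HTTP return traffic when the remote port is a web port and the local port is ephemeral. The sample lines are constructed, and the BSD/macOS ephemeral range starting at 49152 is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the entries quoted in the thread
# (the thread's wrapped entry is written here on a single line).
SAMPLE_LOG = """\
May 20 10:45:04 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:49279 from 209.85.143.99:80
May 20 10:45:12: --- last message repeated 3 times ---
May 20 11:02:30 Mac-Users-MacBook Firewall[55]: Stealth Mode connection attempt to TCP 192.168.1.40:22 from 203.0.113.7:51234
"""

STEALTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ Firewall\[\d+\]: Stealth Mode connection attempt "
    r"to (?P<proto>TCP|UDP) (?P<lip>[\d.]+):(?P<lport>\d+) from (?P<rip>[\d.]+):(?P<rport>\d+)$"
)
REPEAT_RE = re.compile(r"--- last message repeated (?P<n>\d+) times ---")

EPHEMERAL_MIN = 49152        # assumed BSD/macOS ephemeral port range start
WEB_PORTS = {80, 443}        # remote ports that indicate a web server (unless spoofed)


@dataclass
class StealthEvent:
    timestamp: str
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    count: int = 1           # 1 + any "repeated N times" follow-up

    def verdict(self) -> str:
        # Web server port -> local ephemeral port: shape of HTTP return traffic
        # arriving after the kernel dropped the connection state (RFC 2140 TCB).
        if self.remote_port in WEB_PORTS and self.local_port >= EPHEMERAL_MIN:
            return "likely-return-traffic"
        # A privileged local port means someone is knocking on a service port.
        if self.local_port < 1024:
            return "inbound-probe"
        return "unclassified"


def parse_firewall_log(text: str) -> list[StealthEvent]:
    """Parse Stealth Mode entries, attaching repeat counts to the prior event."""
    events: list[StealthEvent] = []
    for line in text.splitlines():
        if m := STEALTH_RE.match(line):
            events.append(StealthEvent(m["ts"], m["proto"], m["lip"], int(m["lport"]),
                                       m["rip"], int(m["rport"])))
        elif (r := REPEAT_RE.search(line)) and events:
            events[-1].count += int(r["n"])
    return events
```

Run over your own firewall log, the "likely-return-traffic" bucket is the noise unSpawn describes; the "inbound-probe" bucket is what deserves a look at the router rule set.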

Noway2 06-13-2011 04:47 AM

@robeich, please accept my apologies for my ill-chosen words. I honestly meant no offense. I was responding to the multiple statements and your question in your post as to whether or not you were appearing overly concerned about these events. I once had a machine that had a mysterious user name appear on the login screen. It turned out that it was a co-worker attempting to log in with his name, and this reminded me of your situation. My concern was that if you mentioned these events to someone with physical access to the machine, they may be behind this and they may find it fun, especially if they knew you were concerned about it.

It is also apparent that you are studious about examining your log files. This is a good thing and is one of the most effective things you can do to keep your system safe. In my opinion, this puts you ahead of many users when it comes to maintaining the security of your systems. You have identified some pieces of traffic that appeared out of the ordinary. These entries can be caused by routine scanning traffic (think of it being like air traffic control radar) and malfunctions in the networks, as unSpawn pointed out.

Joe of Loath 06-13-2011 03:39 PM

You know how to tell if it's physical or remote access?

Hide the keyboard. No one else can log in physically if there's no keys to press :D
