oddball occurrence ....
William A. Mahaffey III
wam at hiwaay.net
Mon Sep 1 23:31:35 UTC 2014
On 09/01/14 14:18, Polytropon wrote:
> On Mon, 01 Sep 2014 13:33:03 -0500, William A. Mahaffey III wrote:
>> On 09/01/14 12:44, Polytropon wrote:
>>> On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
>>>> i.e. someone apparently FTP-ing .... *something* to or from my computer
>>>> ?!?!?! I don't think this should be happening (see immediately above)
>>>> .... What gives ?!?!?!
>>> From your output:
>>>
>>> tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
>>> tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
>>>
>>> Those are strange port numbers. Are you downloading something
>>> from them? But then... ESTABLISHED doesn't mean CONNECTED...
>>>
>>> What does "sockstat -l" say?
>> Too late for that ?
> That's a strange program message. :-)
I thought it needed to be done while things were happening ....
[root at kabini1, /etc, 6:33:59pm] 531 % sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root lpd 27062 5 stream /var/run/printer
root lpd 27062 6 tcp6 *:515 *:*
root lpd 27062 7 tcp4 *:515 *:*
wam dbus-daemo 1008 3 stream /tmp/dbus-oew1cXGFD4
wam xfce4-sess 1001 7 stream /tmp/.ICE-unix/1001
root Xorg 985 1 tcp6 *:6000 *:*
root Xorg 985 3 tcp4 *:6000 *:*
root Xorg 985 4 stream /tmp/.X11-unix/X0
root sendmail 869 3 tcp4 127.0.0.1:25 *:*
root sshd 866 3 tcp6 *:22 *:*
root sshd 866 4 tcp4 *:22 *:*
messagebus dbus-daemo808 3 stream /var/run/dbus/system_bus_socket
daemon rwhod 784 3 udp4 *:513 *:*
root ntpd 775 20 udp4 *:123 *:*
root ntpd 775 21 udp6 *:123 *:*
root ntpd 775 22 udp4 192.168.0.27:123 *:*
root ntpd 775 23 udp6 fe80:1::d250:99ff:fe13:e385:123 *:*
root ntpd 775 24 udp6 ::1:123 *:*
root ntpd 775 25 udp6 fe80:9::1:123 *:*
root ntpd 775 26 udp4 127.0.0.1:123 *:*
root nfsd 737 5 tcp4 *:2049 *:*
root nfsd 737 6 tcp6 *:2049 *:*
root mountd 735 5 udp6 *:849 *:*
root mountd 735 6 tcp6 *:849 *:*
root mountd 735 7 udp4 *:849 *:*
root mountd 735 8 tcp4 *:849 *:*
root amd 687 4 udp4 *:1023 *:*
root amd 687 5 udp4 *:1022 *:*
root amd 687 6 tcp4 *:907 *:*
root amd 687 7 udp4 *:928 *:*
root rpcbind 685 4 udp6 *:* *:*
root rpcbind 685 5 stream /var/run/rpcbind.sock
root rpcbind 685 6 udp6 *:111 *:*
root rpcbind 685 7 udp6 *:658 *:*
root rpcbind 685 8 tcp6 *:111 *:*
root rpcbind 685 9 udp4 *:111 *:*
root rpcbind 685 10 udp4 *:743 *:*
root rpcbind 685 11 tcp4 *:111 *:*
root syslogd 647 4 dgram /var/run/log
root syslogd 647 5 dgram /var/run/logpriv
root syslogd 647 6 udp6 *:514 *:*
root syslogd 647 7 udp4 *:514 *:*
root devd 490 4 stream /var/run/devd.pipe
? ? ? ? udp6 *:2049 *:*
? ? ? ? udp4 *:2049 *:*
[root at kabini1, /etc, 6:35:06pm] 532 %
>
>
>
>>> But there are also SSH sessions which could be scp? But that
>>> would imply that authorized users are using it, because you
>>> probably don't run publish SSH without password on your
>>> system. :-)
>>
>> I run ssh internally & to my ISP using keys, no passwords, I thought
>> that was more secure :-/ .... I am not supposed to be allowing
>> connections from outside my LAN to any of my boxen ....
> Okay, so the SSH sessions are to be expected and authorized.
>
>
>
>>> Regarding the address:
>>>
>>>> inetnum: 141.41.0.0 - 141.41.255.255
>>>> netname: FH-WOLFENBUETTEL
>>>> descr: Fachhochschule Braunschweig/Wolfenbuettel
>>> That's probably NTP. The FH Braunschweig is probably in
>>> relation (IP-wise) with the PTB which is providing a
>>> "nuclear time" input for NTP.
>>>
>>> http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
>>>
>>> You're running ntpd?
>>
>> Yeah, but w/ local server & peers only ....
> The ntpd and ntpdate need a source to sync, maybe the PTB
> is involved here? Depending on if you have "sync on start"
> or "continuous monitoring", connections may appear once or
> from time to time.
>
>
>
>> Tried from shell account @ my ISP, it said nmap not found, maybe need
>> root to run, but that was a no-go ....
> Maybe not installed? The nmap tool is an additional program,
> and running it does not require being root, only some tests
> that nmap can do need to be performed as root, but a normal
> TCP scan should not require it.
>
>
>
>> tried from inside, this box & 1 other, I get the following:
>>
>> from other machine, FC14 server:
>>
>>
>> [root at Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
>>
>> Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
>> Nmap scan report for JAGUAR (192.168.0.27)
>> Host is up (0.00018s latency).
>> Not shown: 995 closed ports
>> PORT STATE SERVICE VERSION
>> 22/tcp open ssh OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420;
>> protocol 2.0)
> Intended.
>
>
>
>> 111/tcp open rpcbind
>> 2049/tcp open rpcbind
> That's for NFS.
>
>
>
>> 515/tcp open printer BSD lpd (Unauthorized host)
>> 6000/tcp open X11 (access denied)
> I don't see FTP open here. This just means you cannot FTP
> _into_ the machine, but you can FTP _out of_ the machine.
> Maybe some download that caught your attention? Or a web
> browser's FTP connection (ftp://...) to, for example, the
> FreeBSD FTP server?
>
> For example, when downloading from:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.0-RELEASE
>
> with a web browser, I see:
>
> # netstat -a | grep ftp
> tcp4 0 0 r56.46684 ftp.beastie.tdk..58441 ESTABLISHED
> tcp4 0 0 r56.40750 ftp.beastie.tdk..ftp ESTABLISHED
>
> Ha, I think we have it now - this output looks similar to
> yours. Compare:
>
> tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
> tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
>
> It seems that you've downloaded something from that machine.
> This machine _is_ running a FTP server. For example, it seems
> to host openoffice.org data, as well as Linux stuff.
>
> Your nmap output suggests that _you_ are not running a FTP
> server.
>
> Chasing ghosts... ;-)
>
>
--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
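As an added example (not part of the thread), a small Python triage script that applies the reasoning above: given a `sockstat -l` listing and `netstat -a` lines, it marks each ESTABLISHED connection inbound when its local port is one the host listens on and outbound otherwise, and flags a peer that holds both an FTP control connection (port 21) and a second connection as an outgoing FTP client transfer. The sample lines are constructed to mirror the thread's output.

```python
import socket
from collections import defaultdict
# Sample lines constructed to mirror the thread's output (not captured live).
SOCKSTAT_L = """USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 866 4 tcp4 *:22 *:*
root lpd 27062 7 tcp4 *:515 *:*
root nfsd 737 5 tcp4 *:2049 *:*
root rpcbind 685 11 tcp4 *:111 *:*"""
NETSTAT_A = """tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
tcp4 0 0 jaguar.ssh 192.168.0.5.50122 ESTABLISHED"""
WELL_KNOWN = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80}

def port_number(tok):
    """Map a port token (number or service name) to an int; '*' or unknown -> None."""
    if tok.isdigit():
        return int(tok)
    try:
        return WELL_KNOWN.get(tok) or socket.getservbyname(tok, "tcp")
    except OSError:
        return None

def listening_tcp_ports(sockstat_text):
    """Collect local TCP ports from `sockstat -l` output (LOCAL ADDRESS is host:port)."""
    ports = set()
    for line in sockstat_text.splitlines()[1:]:   # skip the header line
        f = line.split()
        if len(f) >= 7 and f[4].startswith("tcp"):
            p = port_number(f[5].rsplit(":", 1)[1])
            if p is not None:
                ports.add(p)
    return ports

def classify(netstat_text, listening):
    """Return (rows, ftp_peers): rows are (local_port, peer, peer_port, direction) per
    ESTABLISHED line; ftp_peers have a port-21 connection plus a second one (FTP client)."""
    rows, per_peer = [], defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[5] != "ESTABLISHED":
            continue
        lport = port_number(f[3].rsplit(".", 1)[1])   # local side is host.port
        peer, fport = f[4].rsplit(".", 1)
        fport = port_number(fport)
        direction = "inbound" if lport in listening else "outbound"
        rows.append((lport, peer, fport, direction))
        if direction == "outbound":
            per_peer[peer].add(fport)
    return rows, sorted(p for p, s in per_peer.items() if 21 in s and len(s) > 1)
```

The two connections to 141.41.9.9 come out as outbound with one of them on port 21, which is exactly the control-plus-data pattern of a download, while the session on the local ssh port is inbound because sshd is in the listening set.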