oddball occurrence ....

Polytropon freebsd at edvax.de
Mon Sep 1 17:44:41 UTC 2014


On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
> i.e. someone apparently FTP-ing .... *something* to or from my computer 
> ?!?!?! I don't think this should be happening (see immediately above) 
> .... What gives ?!?!?!

From your output:

tcp4       0      0 jaguar.12990           141.41.9.9.35089 ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp ESTABLISHED

Those are strange port numbers. Are you downloading something
from them? But then... ESTABLISHED doesn't mean CONNECTED...

What does "sockstat -l" say?

But there are also SSH sessions which could be scp? But that
would imply that authorized users are using it, because you
probably don't run publish SSH without password on your
system. :-)

Regarding the address:

> inetnum:        141.41.0.0 - 141.41.255.255
> netname:        FH-WOLFENBUETTEL
> descr:          Fachhochschule Braunschweig/Wolfenbuettel

That's probably NTP. The FH Braunschweig is probably in
relation (IP-wise) with the PTB which is providing a
"nuclear time" input for NTP.

http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt

You're running ntpd?

The IP 41.41.9.9 is from the FH Braunschweig range, but I
can't say what particular computer. One in a lab, compromised?
It's doing TCP connections.



> Any help on this matter appreciated !!!! This box is *NOT* a public 
> server, & I thought it was pretty well locked down :-/ ....

First thing: Run nmap on your public IP, just to check that
your firewall rules are correct. A nice concept is "close
all ports, only open those you need", and FTP probably is
one you don't intend to need. If you see open FTP ports,
adjust your firewall rules. Examining for strange scp
connections, you can always use tcpdump on your public
interface to see what's going in and out your machine.
Wireshark (ex Ethereal) is also a nice tool for that task.



Sidenote in relation to your signature:
> 	"The M1 Garand is without doubt the finest implement of war
> 	 ever devised by man."
>                             -- Gen. George S. Patton Jr.

See: "If programming languages were weapons":

http://bjorn.tipling.com/if-programming-languages-were-weapons

You're obviously referring to C. ;-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
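An added example (not part of the thread above, and not something either poster ran): a small parser for the FreeBSD "netstat -a" lines quoted in the reply, which resolves the service names netstat prints (ftp, ssh) back to port numbers, works out which side opened each ESTABLISHED session from the port pattern, and flags sessions to ports the box is not expected to use. The sample lines, the SERVICE_PORTS table and the WATCHED_PORTS set are constructed for the example.

```python
# Constructed sample in FreeBSD "netstat -a" format: proto, recv-q, send-q,
# local address, foreign address, state. The first two lines mirror the
# output quoted in the thread; the rest are made up for contrast.
SAMPLE_NETSTAT = """\
tcp4       0      0 jaguar.12990           141.41.9.9.35089       ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp         ESTABLISHED
tcp4       0      0 jaguar.ssh             192.0.2.10.51234       ESTABLISHED
tcp4       0      0 *.ssh                  *.*                    LISTEN
"""

# netstat substitutes names from /etc/services; map the ones we care about back.
SERVICE_PORTS = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80, "ntp": 123}

# Remote ports this (non-public) box should have no reason to talk to.
WATCHED_PORTS = {20, 21}


def split_endpoint(endpoint):
    """Split FreeBSD's 'host.port' form into (host, port); port None for '*'."""
    host, _, port = endpoint.rpartition(".")
    if port == "*":
        return host, None
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port)  # unknown service name -> None


def direction(lport, fport):
    """Guess who opened the session: the side holding the service port is the server."""
    if fport is not None and fport < 1024:
        return "outbound"   # we hold an ephemeral port, they hold the service port
    if lport is not None and lport < 1024:
        return "inbound"
    return "unknown"


def parse_netstat(text):
    """Yield one dict per TCP line; ignore headers, UDP and unix sockets."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        lhost, lport = split_endpoint(fields[3])
        fhost, fport = split_endpoint(fields[4])
        yield {"lhost": lhost, "lport": lport, "fhost": fhost, "fport": fport,
               "state": fields[5], "direction": direction(lport, fport)}


def flag_unexpected(text, watched=WATCHED_PORTS):
    """Return (foreign host, foreign port, direction) for ESTABLISHED sessions to watched ports."""
    return [(c["fhost"], c["fport"], c["direction"]) for c in parse_netstat(text)
            if c["state"] == "ESTABLISHED" and c["fport"] in watched]
```

Running flag_unexpected on the sample reports the jaguar.23210 line as an outbound session to 141.41.9.9 port 21, i.e. a process on the local box opened a connection to their FTP server; sockstat (without -l) will show which process owns that local port.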

