oddball occurrence ....
William A. Mahaffey III
wam at hiwaay.net
Mon Sep 1 18:26:51 UTC 2014
On 09/01/14 12:44, Polytropon wrote:
> On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
>> i.e. someone apparently FTP-ing .... *something* to or from my computer
>> ?!?!?! I don't think this should be happening (see immediately above)
>> .... What gives ?!?!?!
> From your output:
>
> tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
> tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
>
> Those are strange port numbers. Are you downloading something
> from them? But then... ESTABLISHED doesn't mean CONNECTED...
>
> What does "sockstat -l" say?
Too late for that ?
>
> But there are also SSH sessions which could be scp? But that
> would imply that authorized users are using it, because you
> probably don't run publish SSH without password on your
> system. :-)
I run ssh internally & to my ISP using keys, no passwords, I thought
that was more secure :-/ .... I am not supposed to be allowing
connections from outside my LAN to any of my boxen ....
>
> Regarding the address:
>
>> inetnum: 141.41.0.0 - 141.41.255.255
>> netname: FH-WOLFENBUETTEL
>> descr: Fachhochschule Braunschweig/Wolfenbuettel
> That's probably NTP. The FH Braunschweig is probably in
> relation (IP-wise) with the PTB which is providing a
> "nuclear time" input for NTP.
>
> http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
>
> You're running ntpd?
Yeah, but w/ local server & peers only ....
>
> The IP 41.41.9.9 is from the FH Braunschweig range, but I
> can't say what particular computer. One in a lab, compromised?
> It's doing TCP connections.
>
>
>
>> Any help on this matter appreciated !!!! This box is *NOT* a public
>> server, & I thought it was pretty well locked down :-/ ....
> First thing: Run nmap on your public IP, just to check that
> your firewall rules are correct. A nice concept is "close
> all ports, only open those you need", and FTP probably is
> one you don't intend to need. If you see open FTP ports,
> adjust your firewall rules. Examining for strange scp
> connections, you can always use tcpdump on your public
> interface to see what's going in and out your machine.
> Wireshark (ex Ethereal) is also a nice tool for that task.
Tried from shell account @ my ISP, it said nmap not found, maybe need
root to run, but that was a no-go ....
tried from inside, this box & 1 other, I get the following:
from other machine, FC14 server:
[root at Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
Nmap scan report for JAGUAR (192.168.0.27)
Host is up (0.00018s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420;
protocol 2.0)
| ssh-hostkey: 1024 d0:27:41:28:d8:4e:28:85:27:04:d5:e2:f7:39:66:07 (DSA)
|_2048 3d:f7:0c:09:a6:03:24:c4:e7:b5:85:d4:59:d7:cc:24 (RSA)
111/tcp open rpcbind
| rpcinfo:
| 100000 2,3,4 111/udp rpcbind
| 100005 1,3 849/udp mountd
| 300019 1 928/udp amd
| 100003 2,3 2049/udp nfs
| 100000 2,3,4 111/tcp rpcbind
| 100005 1,3 849/tcp mountd
| 300019 1 907/tcp amd
| 100003 2,3 2049/tcp nfs
|_100000 2,3,4 111/7 rpcbind
515/tcp open printer BSD lpd (Unauthorized host)
2049/tcp open rpcbind
6000/tcp open X11 (access denied)
MAC Address: D0:50:99:13:E3:85 (Unknown)
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING) : FreeBSD 7.X|8.X|5.X|6.X|5.x (99%), VMware ESX
Server 3.X|4.X (91%)
Aggressive OS guesses: FreeBSD 7.0-BETA4 - 7.0 (99%), FreeNAS 0.7
(FreeBSD 7.2-RELEASE) (96%), FreeBSD 7.0-RELEASE-p1 - 8.0-CURRENT (95%),
FreeBSD 7.1-RELEASE (95%), FreeBSD 7.2-RELEASE (95%), FreeBSD 8.0-BETA2
- 8.0-RC2 (95%), FreeBSD 7.0-RELEASE-p2 - 7.1-PRERELEASE (95%), FreeBSD
7.0-RELEASE (95%), FreeBSD 7.0-BETA2 (custom compiled) (94%), FreeBSD
7.0-CURRENT (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: kabini1; OSs: FreeBSD, Unix
HOP RTT ADDRESS
1 0.18 ms JAGUAR (192.168.0.27)
OS and Service detection performed. Please report any incorrect results
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.70 seconds
[root at Q6600:/etc, Mon Sep 01, 01:24 PM] 1013 #
running it on myself:
[root at kabini1, /etc, 1:21:48pm] 527 % nmap -A -T4 192.168.0.27
Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-01 13:21 CDT
Warning: 192.168.0.27 giving up on port because retransmission cap hit (6).
Nmap scan report for jaguar (192.168.0.27)
Host is up (0.000084s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420;
protocol 2.0)
| ssh-hostkey:
| 1024 d0:27:41:28:d8:4e:28:85:27:04:d5:e2:f7:39:66:07 (DSA)
| 2048 3d:f7:0c:09:a6:03:24:c4:e7:b5:85:d4:59:d7:cc:24 (RSA)
|_ 256 8b:24:39:58:3e:85:79:d3:c9:47:da:85:c4:7b:33:50 (ECDSA)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/7 rpcbind
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 849/tcp mountd
| 100005 1,3 849/udp mountd
| 300019 1 907/tcp amd
|_ 300019 1 928/udp amd
515/tcp open printer BSD lpd (Unauthorized host)
2049/tcp open nfs 2-3 (RPC #100003)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/7 rpcbind
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100003 2,3 2049/tcp nfs
| 100003 2,3 2049/udp nfs
| 100005 1,3 849/tcp mountd
| 100005 1,3 849/udp mountd
| 300019 1 907/tcp amd
|_ 300019 1 928/udp amd
6000/tcp open X11 (access denied)
Device type: general purpose
Running: FreeBSD 8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 8.0-BETA2 - 9.1-RELEASE
Network Distance: 0 hops
Service Info: Host: kabini1; OSs: FreeBSD, Unix; CPE: cpe:/o:freebsd:freebsd
OS and Service detection performed. Please report any incorrect results
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.49 seconds
[root at kabini1, /etc, 1:23:21pm] 528 %
>
>
>
> Sidenote in relation to your signature:
>> "The M1 Garand is without doubt the finest implement of war
>> ever devised by man."
>> -- Gen. George S. Patton Jr.
> See: "If programming languages were weapons":
>
> http://bjorn.tipling.com/if-programming-languages-were-weapons
>
> You're obviously referring to C. ;-)
>
>
--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
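As an added example (not part of this thread or of FreeBSD), a small Python filter that reads netstat-style rows like the two quoted above and lists the ESTABLISHED sessions whose peer is outside the private/loopback ranges; the sample input is constructed from the thread's two rows plus two made-up LAN rows, and the ipaddress-based LAN test is this example's assumption, not something from the thread.

```python
import ipaddress

# Sample input: the two rows quoted in the thread plus two constructed
# LAN rows (an established SSH session and a listener) for contrast.
SAMPLE_NETSTAT = """\
tcp4       0      0 jaguar.12990           141.41.9.9.35089       ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp         ESTABLISHED
tcp4       0      0 jaguar.ssh             192.168.0.5.51234      ESTABLISHED
tcp4       0      0 *.ssh                  *.*                    LISTEN
"""

def split_endpoint(endpoint):
    """netstat writes 'addr.port'; the port follows the LAST dot, so
    '141.41.9.9.ftp' -> ('141.41.9.9', 'ftp') and IPv6 splits too."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def is_lan_peer(host):
    """True for private/loopback/link-local addresses. A hostname (netstat
    run without -n) cannot be checked and is treated as foreign so it
    surfaces for review."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback or addr.is_link_local

def foreign_established(netstat_text):
    """Return (remote_host, remote_port, local_port) for each ESTABLISHED
    TCP session whose peer is not a LAN address."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "ESTABLISHED":
            continue
        rhost, rport = split_endpoint(foreign)
        _lhost, lport = split_endpoint(local)
        if not is_lan_peer(rhost):
            findings.append((rhost, rport, lport))
    return findings

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for rhost, rport, lport in foreign_established(text):
        print(f"review: local port {lport} <-> {rhost}:{rport}")
```

Run it on live data with `netstat -an | python3 script.py` (numeric output so peers are checked rather than treated as unknown hostnames); each flagged row names the local port to look up with sockstat to find the owning process.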