oddball occurrence ....
freebsd at edvax.de
Mon Sep 1 19:18:15 UTC 2014
On Mon, 01 Sep 2014 13:33:03 -0500, William A. Mahaffey III wrote:
> On 09/01/14 12:44, Polytropon wrote:
> > On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
> >> i.e. someone apparently FTP-ing .... *something* to or from my computer
> >> ?!?!?! I don't think this should be happening (see immediately above)
> >> .... What gives ?!?!?!
> > From your output:
> > tcp4 0 0 jaguar.12990 184.108.40.206.35089 ESTABLISHED
> > tcp4 0 0 jaguar.23210 220.127.116.11.ftp ESTABLISHED
> > Those are strange port numbers. Are you downloading something
> > from them? But then... ESTABLISHED doesn't mean CONNECTED...
> > What does "sockstat -l" say?
> Too late for that ?
That's a strange program message. :-)
> > But there are also SSH sessions which could be scp? But that
> > would imply that authorized users are using it, because you
> > probably don't run publish SSH without password on your
> > system. :-)
> I run ssh internally & to my ISP using keys, no passwords, I thought
> that was more secure :-/ .... I am not supposed to be allowing
> connections from outside my LAN to any of my boxen ....
Okay, so the SSH sessions are to be expected and authorized.
> > Regarding the address:
> >> inetnum: 18.104.22.168 - 22.214.171.124
> >> netname: FH-WOLFENBUETTEL
> >> descr: Fachhochschule Braunschweig/Wolfenbuettel
> > That's probably NTP. The FH Braunschweig is probably in
> > relation (IP-wise) with the PTB which is providing a
> > "nuclear time" input for NTP.
> > http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
> > You're running ntpd?
> Yeah, but w/ local server & peers only ....
The ntpd and ntpdate need a source to sync, maybe the PTB
is involved here? Depending on if you have "sync on start"
or "continuous monitoring", connections may appear once or
from time to time.
> Tried from shell account @ my ISP, it said nmap not found, maybe need
> root to run, but that was a nogo ....
Maybe not installed? The nmap tool is an additional program,
and running it does not require being root, only some tests
that nmap can do need to be performed as root, but a normal
TCP scan should not require it.
> tried from inside, this box & 1 other, I get the following:
> from other machine, FC14 server:
> [root at Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
> Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
> Nmap scan report for JAGUAR (192.168.0.27)
> Host is up (0.00018s latency).
> Not shown: 995 closed ports
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420;
> protocol 2.0)
> 111/tcp open rpcbind
> 2049/tcp open rpcbind
That's for NFS.
> 515/tcp open printer BSD lpd (Unauthorized host)
> 6000/tcp open X11 (access denied)
I don't see FTP open here. This just means you cannot FTP
_into_ the machine, but you can FTP _out of_ the machine.
Maybe some download that caught your attention? Or a web
browser's FTP connection (ftp://...) to, for example, the
FreeBSD FTP server?
For example, when downloading from:
with a web browser, I see:
# netstat -a | grep ftp
tcp4 0 0 r56.46684 ftp.beastie.tdk..58441 ESTABLISHED
tcp4 0 0 r56.40750 ftp.beastie.tdk..ftp ESTABLISHED
Ha, I think we have it now - this output looks similar to
tcp4 0 0 jaguar.12990 126.96.36.199.35089 ESTABLISHED
tcp4 0 0 jaguar.23210 188.8.131.52.ftp ESTABLISHED
It seems that you've downloaded something from that machine.
This machine _is_ running an FTP server. For example, it seems
to host openoffice.org data, as well as Linux stuff.
Your nmap output suggests that _you_ are not running an FTP
Chasing ghosts... ;-)
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
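
Added example, not part of the original message: a short Python sketch of the reading applied above to FreeBSD netstat output, where a foreign port of "ftp" marks an outbound client session and a second high-port connection to the same host is the likely data channel. The sample lines, the name host1, the 192.0.2.x / 198.51.100.x addresses and the label names are constructed for illustration.

```python
FTP_PORTS = {"ftp", "21"}  # netstat prints the service name unless run with -n

# Constructed sample in FreeBSD `netstat -a` layout (not output from the thread).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address        (state)
tcp4       0      0 host1.12990        192.0.2.10.35089       ESTABLISHED
tcp4       0      0 host1.23210        192.0.2.10.ftp         ESTABLISHED
tcp4       0      0 host1.ssh          192.168.0.5.51514      ESTABLISHED
tcp4       0      0 host1.ftp          198.51.100.7.40222     ESTABLISHED
tcp4       0      0 *.ssh              *.*                    LISTEN
"""

def split_endpoint(endpoint):
    """Split 'host.port' on the last dot; hosts and truncated names contain dots."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def is_high(port):
    """True for a numeric, non-privileged port (1024 and above)."""
    return port.isdigit() and int(port) >= 1024

def classify(netstat_text):
    """Return (local, foreign, label) for every ESTABLISHED TCP connection."""
    conns = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) != 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue  # header, LISTEN sockets, other protocols
        conns.append((f[3], f[4]) + split_endpoint(f[3]) + split_endpoint(f[4]))
    # Remote hosts we hold an FTP control connection to (we are the client).
    servers = {rhost for _, _, _, _, rhost, rport in conns if rport in FTP_PORTS}
    out = []
    for local, foreign, _, lport, rhost, rport in conns:
        if rport in FTP_PORTS:
            label = "outbound-ftp-control"   # we connected to their FTP port
        elif lport in FTP_PORTS:
            label = "inbound-ftp-control"    # someone connected to our ftpd
        elif rhost in servers and is_high(lport) and is_high(rport):
            label = "likely-ftp-data"        # high-port pair to the same server
        else:
            label = "other"
        out.append((local, foreign, label))
    return out

if __name__ == "__main__":
    for local, foreign, label in classify(SAMPLE):
        print(f"{local:20} {foreign:24} {label}")
```

An "inbound-ftp-control" row is the case that would mean a local FTP daemon is accepting connections; the two rows for 192.0.2.10 are the client-side pattern seen in the thread.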