From owner-freebsd-questions@FreeBSD.ORG Mon Sep 1 13:31:50 2014
Message-ID: <540476B5.7080107@hiwaay.net>
Date: Mon, 01 Sep 2014 08:37:57 -0500
From: "William A. Mahaffey III"
To: "FreeBSD Questions !!!!"
Subject: oddball occurrence ....

.... I have been online for the last hour or so, E-mails, a bit of browsing, etc. I noticed my DSL modem light was flashing furiously, indicating traffic.
I wasn't doing anything right then, so I poked around a bit:

[root@kabini1, /etc, 8:27:40am] 461 % netstat
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  jaguar.56481           fly.hiwaay.net.pop3    LAST_ACK
tcp4       0      0  jaguar.12990           141.41.9.9.35089       ESTABLISHED
tcp4       0      0  jaguar.23210           141.41.9.9.ftp         ESTABLISHED
tcp4       0      0  jaguar.796             q6600.nfsd             CLOSED
tcp4       0      0  jaguar.946             opty165a.nfsd          CLOSED
tcp4       0      0  jaguar.609             opty165a.nfsd          CLOSED
tcp4       0      0  jaguar.656             cube.nfsd              CLOSED
tcp4       0      0  jaguar.64819           cube.ssh               ESTABLISHED
tcp4       0      0  jaguar.51061           cube.ssh               ESTABLISHED
tcp4       0      0  jaguar.18555           cube.ssh               ESTABLISHED
tcp4       0      0  jaguar.59878           q6600.ssh              ESTABLISHED
tcp4       0      0  jaguar.42428           q6600.ssh              ESTABLISHED
tcp4       0      0  jaguar.55008           q6600.ssh              ESTABLISHED
tcp4       0      0  jaguar.34995           q6600.ssh              ESTABLISHED
tcp4       0      0  jaguar.24529           q6600.ssh              ESTABLISHED
tcp4       0      0  jaguar.18288           q6600.ssh              ESTABLISHED
udp4       0      0  localhost.ntp          *.*
udp6       0      0  fe80:9::1.ntp          *.*
udp6       0      0  localhost.ntp          *.*
udp6       0      0  fe80:1::d250:99f.ntp   *.*
udp4       0      0  jaguar.ntp             *.*
udp4       0      0  localhost.701          localhost.exp2
udp4       0      0  localhost.760          localhost.exp2
Active UNIX domain sockets

[root@kabini1, /etc, 8:30:10am] 462 % ipfw show
00100   13986    1407718 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00400       0          0 deny ip from any to ::1
00500       0          0 deny ip from ::1 to any
00600       0          0 allow ipv6-icmp from :: to ff02::/16
00700       0          0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800       2        152 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       0          0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000       0          0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100       0          0 check-state
01200   42560    2786580 allow tcp from me to any established
01300 5405049 5134760747 allow tcp from me to any setup keep-state
01400   93689    7505177 allow udp from me to any keep-state
01500     286      22736 allow icmp from me to any keep-state
01600       0          0 allow ipv6-icmp from me to any keep-state
01700       0          0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800       0          0 allow udp from any 67 to me dst-port 68 in
01900       0          0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000       0          0 allow udp from fe80::/10 to me dst-port 546 in
02100       0          0 allow icmp from any to any icmptypes 8
02200       0          0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300    1866     104640 allow icmp from any to any icmptypes 3,4,11
02400       0          0 allow ipv6-icmp from any to any ip6 icmp6types 3
02500   68928   93614292 allow tcp from 192.168.0.0/16 to me
65000    8026    1595948 count ip from any to any
65100    7955    1584861 deny { tcp or udp } from any to any dst-port 111,137,138,513 in
65200       0          0 deny { tcp or udp } from 192.168.0.0/16 to me
65300       0          0 deny ip from any to 255.255.255.255
65400       0          0 deny ip from any to 224.0.0.0/24 in
65500       0          0 deny udp from any to any dst-port 520 in
65500      51       9692 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500      20       1395 deny log logamount 5000 ip from any to any
65535       0          0 deny ip from any to any

[root@kabini1, /etc, 8:30:34am] 463 % service ftpd status
Cannot 'status' ftpd. Set ftpd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
[root@kabini1, /etc, 8:31:14am] 464 % service ftpd onestatus
ftpd is not running.
[root@kabini1, /etc, 8:31:18am] 465 % service inetd status
Cannot 'status' inetd. Set inetd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.
[root@kabini1, /etc, 8:31:25am] 466 % service inetd onestatus
inetd is not running.
[root@kabini1, /etc, 8:31:30am] 467 %

i.e. someone apparently FTP-ing .... *something* to or from my computer ?!?!?! I don't think this should be happening (see immediately above) .... What gives ?!?!?!
whois on that address shows:

[root@kabini1, /etc, 8:17:32am] 529 % whois 141.41.9.9
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 141.41.9.9"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=141.41.9.9?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       141.0.0.0 - 141.255.255.255
CIDR:           141.0.0.0/8
OriginAS:
NetName:        RIPE-ERX-141
NetHandle:      NET-141-0-0-0-0
Parent:
NetType:        Early Registrations, Maintained by RIPE NCC
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region. Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        1993-05-01
Updated:        2009-05-18
Ref:            http://whois.arin.net/rest/net/NET-141-0-0-0-0

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2013-07-29
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444
OrgAbuseEmail:  abuse@ripe.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3850-ARIN

OrgTechHandle:  RNO29-ARIN
OrgTechName:    RIPE NCC Operations
OrgTechPhone:   +31 20 535 4444
OrgTechEmail:   hostmaster@ripe.net
OrgTechRef:     http://whois.arin.net/rest/poc/RNO29-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '141.41.0.0 - 141.41.255.255'

% No abuse contact registered for 141.41.0.0 - 141.41.255.255

inetnum:        141.41.0.0 - 141.41.255.255
netname:        FH-WOLFENBUETTEL
descr:          Fachhochschule Braunschweig/Wolfenbuettel
descr:          Wolfenbuettel
country:        DE
admin-c:        CK405-RIPE
tech-c:         CK405-RIPE
status:         LEGACY
remarks:        For information on "status:" attribute read https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         DFN-LIR-MNT
mnt-irt:        IRT-DFN-CERT
mnt-routes:     DFN-MNT
source:         RIPE # Filtered

person:         Claudia Keune
address:        Ostfalia Hochschule fuer angewandte Wissenschaften
address:        Rechenzentrum
address:        Salzdahlumer Str. 46/48
address:        38302 Wolfenbuettel
address:        Germany
phone:          +49 5331 939 19210
fax-no:         +49 5331 939 19102
nic-hdl:        CK405-RIPE
mnt-by:         DFN-NTFY
source:         RIPE # Filtered

% Information related to '141.41.0.0/16AS680'

route:          141.41.0.0/16
descr:          DFN-FH-WOLF
origin:         AS680
mnt-by:         DFN-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.75 (DB-3)

You have new mail.
[root@kabini1, /etc, 8:28:36am] 530 %

Any help on this matter appreciated !!!! This box is *NOT* a public server, & I thought it was pretty well locked down :-/ ....

--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war ever devised by man." -- Gen. George S. Patton Jr.
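An added triage check, not part of the original post: the netstat columns already say which side opened each session (a numeric local port talking to a named remote service such as ftp means the local host connected out, which is what the ipfw rule 01300 "from me to any setup keep-state" permits), so this POSIX sh/awk filter picks out ESTABLISHED TCP sessions to non-LAN hosts and classifies them that way. The LAN host names (cube, q6600, opty165a) are assumed from the listing, and the sample is constructed from the post's netstat lines plus one made-up inbound line (203.0.113.5) to exercise the third case.

```shell
#!/bin/sh
# Constructed sample: lines taken from the poster's netstat output, plus one
# made-up inbound ssh session (203.0.113.5, documentation range) for contrast.
NETSTAT_SAMPLE='tcp4 0 0 jaguar.56481 fly.hiwaay.net.pop3 LAST_ACK
tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
tcp4 0 0 jaguar.796 q6600.nfsd CLOSED
tcp4 0 0 jaguar.64819 cube.ssh ESTABLISHED
udp4 0 0 jaguar.ntp *.*
tcp4 0 0 jaguar.ssh 203.0.113.5.51234 ESTABLISHED'

# Hosts assumed to be the poster's own LAN machines (from the listing).
LAN_HOSTS='cube q6600 opty165a localhost'

# flag_external: read netstat(1) lines on stdin and print ESTABLISHED TCP
# sessions whose foreign host is not a LAN host, tagged by who initiated them.
# Heuristic: netstat names well-known ports from /etc/services, so a numeric
# local port plus a named foreign port means a local client connected out;
# the reverse means a remote client connected in; both numeric is ambiguous
# (a passive-mode FTP data channel looks like this; pair it with the control
# session to the same host).
flag_external() {
    awk -v lan="$LAN_HOSTS" '
    BEGIN { n = split(lan, a, " "); for (i = 1; i <= n; i++) trusted[a[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        fhost = $5; sub(/\.[^.]*$/, "", fhost)   # foreign host without .port
        fport = $5; sub(/^.*\./, "", fport)      # foreign port or service name
        lport = $4; sub(/^.*\./, "", lport)      # local port or service name
        if (fhost in trusted) next
        lnum = (lport ~ /^[0-9]+$/); fnum = (fport ~ /^[0-9]+$/)
        if (lnum && !fnum)      dir = "local-initiated"
        else if (!lnum && fnum) dir = "remote-initiated"
        else                    dir = "unknown"
        printf "%s %s -> %s\n", dir, $4, $5
    }'
}

printf '%s\n' "$NETSTAT_SAMPLE" | flag_external
# On the live FreeBSD box, map a flagged socket to its owning process with:
#   sockstat -4 -c | grep 141.41.9.9
```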