From: Colin Campbell
To: freebsd-isp@freebsd.org
Date: Fri, 23 May 2003 09:29:53 +1000
Subject: Re: Determining what process/uid is attempting a network connection
Message-Id: <20030523092953.363eaab5.sgcccdc@citec.qld.gov.au>
In-Reply-To: <20030522112239.GB22219@users.munk.nu>

Hi,

On Thu, 22 May 2003 12:22:39 +0100 Jez Hancock wrote:

> Hi,
>
> I have a large number of user processes (eggdrops) connected to numerous
> networks and recently started noticing a number of connection attempts
> outgoing to a reserved network address, 0.0.13.5. My firewall logs
> show:
>
> May 21 00:00:22 users ipmon[62]: 00:00:21.557455 fxp0 @0:12 b 213.152.51.194,4138 -> 0.0.13.5,3333 PR tcp len 20 60 -S OUT
> May 21 00:00:22 users ipmon[62]: 00:00:21.557529 fxp0 @0:12 b 213.152.51.194,4139 -> 0.0.13.5,3334 PR tcp len 20 60 -S OUT
> May 21 00:00:22 users ipmon[62]: 00:00:21.557578 fxp0 @0:12 b 213.152.51.194,4140 -> 0.0.13.5,3335 PR tcp len 20 60 -S OUT
> May 21 00:00:22 users ipmon[62]: 00:00:21.557625 fxp0 @0:12 b 213.152.51.194,4141 -> 0.0.13.5,3336 PR tcp len 20 60 -S OUT
>
> How can I determine what process is spawning this connection attempt and
> the uid of the process?

Try "sockstat" or install "lsof".

Colin
--
Colin Campbell
Unix Support/Postmaster/Hostmaster
CITEC
+61 7 3227 6334
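
Added example, not part of the original message: one way to apply the sockstat suggestion is to pull the source ports out of the ipmon lines and then filter a sockstat snapshot for sockets whose foreign address is the logged destination. The function names and the sample sockstat rows (users, commands, PIDs) are constructed for illustration, and the script assumes the USER/COMMAND/PID/FD/PROTO/LOCAL/FOREIGN column layout of FreeBSD's sockstat.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# ipmon lines contain "SRC,SPORT -> DST,DPORT"; print SPORT for each line to DST $1.
ipmon_src_ports() {
    awk -v dst="$1" '{
        for (i = 2; i < NF; i++) if ($i == "->") {
            split($(i - 1), s, ","); split($(i + 1), d, ",")
            if (d[1] == dst) print s[2]
        }
    }'
}

# Assumed sockstat columns: USER COMMAND PID FD PROTO LOCAL FOREIGN.
# Print "USER COMMAND PID LOCAL" for sockets whose foreign IP is $1.
sockstat_owners() {
    awk -v dst="$1" '$1 != "USER" && NF >= 7 {
        split($7, f, ":")
        if (f[1] == dst) print $1, $2, $3, $6
    }'
}

# Log lines in the format quoted in the thread.
SAMPLE_LOG='May 21 00:00:22 users ipmon[62]: 00:00:21.557455 fxp0 @0:12 b 213.152.51.194,4138 -> 0.0.13.5,3333 PR tcp len 20 60 -S OUT
May 21 00:00:22 users ipmon[62]: 00:00:21.557529 fxp0 @0:12 b 213.152.51.194,4139 -> 0.0.13.5,3334 PR tcp len 20 60 -S OUT'

# Constructed sockstat snapshot; user names, commands and PIDs are made up.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
alice    eggdrop    4321  7  tcp4   213.152.51.194:4138   0.0.13.5:3333
bob      eggdrop    4400  5  tcp4   213.152.51.194:4090   192.0.2.10:6667
root     sshd       310   3  tcp4   *:22                  *:*'

# Source ports seen in the firewall log for the suspect destination.
printf '%s\n' "$SAMPLE_LOG" | ipmon_src_ports 0.0.13.5
# Owner of any socket in the snapshot that targets the same destination.
printf '%s\n' "$SAMPLE_SOCKSTAT" | sockstat_owners 0.0.13.5

# Live use on the affected host (assumption: the snapshot is taken while the
# connection attempt is still pending, e.g. by polling in a loop):
#   sockstat -4 | sockstat_owners 0.0.13.5
```

The printed local address can be checked against the source ports from the firewall log to confirm that the socket found is the one that was logged.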