From owner-freebsd-questions@FreeBSD.ORG Mon Sep 1 18:26:51 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7CC41206 for ; Mon, 1 Sep 2014 18:26:51 +0000 (UTC) Received: from fly.hiwaay.net (fly.hiwaay.net [216.180.54.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 461521EEA for ; Mon, 1 Sep 2014 18:26:50 +0000 (UTC) Received: from [192.168.0.27] (rbn1-216-180-19-108.adsl.hiwaay.net [216.180.19.108]) (authenticated bits=0) by fly.hiwaay.net (8.13.8/8.13.8/fly) with ESMTP id s81IQmA0011994 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Mon, 1 Sep 2014 13:26:49 -0500 Message-ID: <5404BBDF.90804@hiwaay.net> Date: Mon, 01 Sep 2014 13:33:03 -0500 From: "William A. Mahaffey III" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.0 MIME-Version: 1.0 CC: "FreeBSD Questions !!!!" Subject: Re: oddball occurence .... References: <540476B5.7080107@hiwaay.net> <20140901194431.f2a33b87.freebsd@edvax.de> In-Reply-To: <20140901194431.f2a33b87.freebsd@edvax.de> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Sep 2014 18:26:51 -0000 On 09/01/14 12:44, Polytropon wrote: > On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote: >> i.e. someone apparently FTP-ing .... *something* to or from my computer >> ?!?!?! I don't think this should be happening (see immediately above) >> .... What gives ?!?!?! > >From your output: > > tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED > tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED > > Those are strange port numbers. Are you downloading something > from them? But then... ESTABLISHED doesn't mean CONNECTED... > > What does "sockstat -l" say? Too late for that ? > > But there are also SSH sessions which could be scp? But that > would imply that authorized users are using it, because you > probably don't run publish SSH without password on your > system. :-) I run ssh internally & to my ISP using keys, no passwords, I thought that was more secure :-/ .... I am not supposed to be allowing connections from outside my LAN to any of my boxen .... > > Regarding the address: > >> inetnum: 141.41.0.0 - 141.41.255.255 >> netname: FH-WOLFENBUETTEL >> descr: Fachhochschule Braunschweig/Wolfenbuettel > That's probably NTP. The FH Braunschweig is probably in > relation (IP-wise) with the PTB which is providing a > "nuclear time" input for NTP. > > http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt > > You're running ntpd? Yeah, but w/ local server & peers only .... > > The IP 41.41.9.9 is from the FH Braunschweig range, but I > can't say what particular computer. One in a lab, compromized? > It's doing TCP connections. > > > >> Any help on this matter appreciated !!!! This box is *NOT* a public >> server, & I thought it was pretty well locked down :-/ .... > First thing: Run nmap on your public IP, just to check that > your firewall rules are correct. A nice concept is "close > all ports, only open those you need", and FTP probably is > one you don't intend to need. If you see open FTP ports, > adjust your firewall rules. Examining for strange scp > connections, you can always use tcpdump on your public > interface to see what's going in and out your machine. > Wireshark (ex Ethereal) is also a nice tool for that task. Tried from shell account @ my ISP, it said nmap not found, maybe need root to run, but that was a nogo .... tried from inside, this box & 1 other, I get the following: from other machine, FC14 server: [root@Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27 Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT Nmap scan report for JAGUAR (192.168.0.27) Host is up (0.00018s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420; protocol 2.0) | ssh-hostkey: 1024 d0:27:41:28:d8:4e:28:85:27:04:d5:e2:f7:39:66:07 (DSA) |_2048 3d:f7:0c:09:a6:03:24:c4:e7:b5:85:d4:59:d7:cc:24 (RSA) 111/tcp open rpcbind | rpcinfo: | 100000 2,3,4 111/udp rpcbind | 100005 1,3 849/udp mountd | 300019 1 928/udp amd | 100003 2,3 2049/udp nfs | 100000 2,3,4 111/tcp rpcbind | 100005 1,3 849/tcp mountd | 300019 1 907/tcp amd | 100003 2,3 2049/tcp nfs |_100000 2,3,4 111/7 rpcbind 515/tcp open printer BSD lpd (Unauthorized host) 2049/tcp open rpcbind 6000/tcp open X11 (access denied) MAC Address: D0:50:99:13:E3:85 (Unknown) Device type: general purpose|storage-misc|specialized Running (JUST GUESSING) : FreeBSD 7.X|8.X|5.X|6.X|5.x (99%), VMware ESX Server 3.X|4.X (91%) Aggressive OS guesses: FreeBSD 7.0-BETA4 - 7.0 (99%), FreeNAS 0.7 (FreeBSD 7.2-RELEASE) (96%), FreeBSD 7.0-RELEASE-p1 - 8.0-CURRENT (95%), FreeBSD 7.1-RELEASE (95%), FreeBSD 7.2-RELEASE (95%), FreeBSD 8.0-BETA2 - 8.0-RC2 (95%), FreeBSD 7.0-RELEASE-p2 - 7.1-PRERELEASE (95%), FreeBSD 7.0-RELEASE (95%), FreeBSD 7.0-BETA2 (custom compiled) (94%), FreeBSD 7.0-CURRENT (94%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: kabini1; OSs: FreeBSD, Unix HOP RTT ADDRESS 1 0.18 ms JAGUAR (192.168.0.27) OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 15.70 seconds [root@Q6600:/etc, Mon Sep 01, 01:24 PM] 1013 # running it on myself: [root@kabini1, /etc, 1:21:48pm] 527 % nmap -A -T4 192.168.0.27 Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-01 13:21 CDT Warning: 192.168.0.27 giving up on port because retransmission cap hit (6). Nmap scan report for jaguar (192.168.0.27) Host is up (0.000084s latency). Not shown: 995 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420; protocol 2.0) | ssh-hostkey: | 1024 d0:27:41:28:d8:4e:28:85:27:04:d5:e2:f7:39:66:07 (DSA) | 2048 3d:f7:0c:09:a6:03:24:c4:e7:b5:85:d4:59:d7:cc:24 (RSA) |_ 256 8b:24:39:58:3e:85:79:d3:c9:47:da:85:c4:7b:33:50 (ECDSA) 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/7 rpcbind | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100003 2,3 2049/tcp nfs | 100003 2,3 2049/udp nfs | 100005 1,3 849/tcp mountd | 100005 1,3 849/udp mountd | 300019 1 907/tcp amd |_ 300019 1 928/udp amd 515/tcp open printer BSD lpd (Unauthorized host) 2049/tcp open nfs 2-3 (RPC #100003) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/7 rpcbind | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100003 2,3 2049/tcp nfs | 100003 2,3 2049/udp nfs | 100005 1,3 849/tcp mountd | 100005 1,3 849/udp mountd | 300019 1 907/tcp amd |_ 300019 1 928/udp amd 6000/tcp open X11 (access denied) Device type: general purpose Running: FreeBSD 8.X|9.X OS CPE: cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9 OS details: FreeBSD 8.0-BETA2 - 9.1-RELEASE Network Distance: 0 hops Service Info: Host: kabini1; OSs: FreeBSD, Unix; CPE: cpe:/o:freebsd:freebsd OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 88.49 seconds [root@kabini1, /etc, 1:23:21pm] 528 % > > > > Sidenote in relation to your signature: >> "The M1 Garand is without doubt the finest implement of war >> ever devised by man." >> -- Gen. George S. Patton Jr. > See: "If programming languages were weapons": > > http://bjorn.tipling.com/if-programming-languages-were-weapons > > You're obviously refering to C. ;-) > > -- William A. Mahaffey III ---------------------------------------------------------------------- "The M1 Garand is without doubt the finest implement of war ever devised by man." -- Gen. George S. Patton Jr.