Date:      Mon, 1 Sep 2014 21:18:06 +0200
From:      Polytropon <freebsd@edvax.de>
To:        "William A. Mahaffey III" <wam@hiwaay.net>
Cc:        FreeBSD Questions !!!! <freebsd-questions@freebsd.org>
Subject:   Re: oddball occurence ....
Message-ID:  <20140901211806.7935e5d5.freebsd@edvax.de>
In-Reply-To: <5404BBDF.90804@hiwaay.net>
References:  <540476B5.7080107@hiwaay.net> <20140901194431.f2a33b87.freebsd@edvax.de> <5404BBDF.90804@hiwaay.net>

On Mon, 01 Sep 2014 13:33:03 -0500, William A. Mahaffey III wrote:
> 
> On 09/01/14 12:44, Polytropon wrote:
> > On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
> >> i.e. someone apparently FTP-ing .... *something* to or from my computer
> >> ?!?!?! I don't think this should be happening (see immediately above)
> >> .... What gives ?!?!?!
> > From your output:
> >
> > tcp4       0      0 jaguar.12990           141.41.9.9.35089 ESTABLISHED
> > tcp4       0      0 jaguar.23210           141.41.9.9.ftp ESTABLISHED
> >
> > Those are strange port numbers. Are you downloading something
> > from them? But then... ESTABLISHED doesn't mean CONNECTED...
> >
> > What does "sockstat -l" say?
> 
> Too late for that ?

That's a strange program message. :-)



> > But there are also SSH sessions which could be scp? But that
> > would imply that authorized users are using it, because you
> > probably don't run public SSH without password on your
> > system. :-)
> 
> 
> I run ssh internally & to my ISP using keys, no passwords, I thought 
> that was more secure :-/ .... I am not supposed to be allowing 
> connections from outside my LAN to any of my boxen ....

Okay, so the SSH sessions are to be expected and authorized.



> > Regarding the address:
> >
> >> inetnum:        141.41.0.0 - 141.41.255.255
> >> netname:        FH-WOLFENBUETTEL
> >> descr:          Fachhochschule Braunschweig/Wolfenbuettel
> > That's probably NTP. The FH Braunschweig is probably in
> > relation (IP-wise) with the PTB which is providing a
> > "nuclear time" input for NTP.
> >
> > http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
> >
> > You're running ntpd?
> 
> 
> Yeah, but w/ local server & peers only ....

The ntpd and ntpdate need a source to sync, maybe the PTB
is involved here? Depending on if you have "sync on start"
or "continuous monitoring", connections may appear once or
from time to time.



> Tried from shell account @ my ISP, it said nmap not found, maybe need 
> root to run, but that was a nogo ....

Maybe not installed? The nmap tool is an additional program,
and running it does not require being root, only some tests
that nmap can do need to be performed as root, but a normal
TCP scan should not require it.



> tried from inside, this box & 1 other, I get the following:
> 
> from other machine, FC14 server:
> 
> 
> [root@Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
> 
> Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
> Nmap scan report for JAGUAR (192.168.0.27)
> Host is up (0.00018s latency).
> Not shown: 995 closed ports
> PORT     STATE SERVICE VERSION
> 22/tcp   open  ssh     OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420; 
> protocol 2.0)

Intended.



> 111/tcp  open  rpcbind
> 2049/tcp open  rpcbind

That's for NFS.



> 515/tcp  open  printer BSD lpd (Unauthorized host)
> 6000/tcp open  X11     (access denied)

I don't see FTP open here. This just means you cannot FTP
_into_ the machine, but you can FTP _out of_ the machine.
Maybe some download that caught your attention? Or a web
browser's FTP connection (ftp://...) to, for example, the
FreeBSD FTP server?

For example, when downloading from:

ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.0-RELEASE

with a web browser, I see:

# netstat -a | grep ftp
tcp4       0      0 r56.46684              ftp.beastie.tdk..58441 ESTABLISHED
tcp4       0      0 r56.40750              ftp.beastie.tdk..ftp   ESTABLISHED

Ha, I think we have it now - this output looks similar to
yours. Compare:

tcp4       0      0 jaguar.12990           141.41.9.9.35089 ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp ESTABLISHED

It seems that you've downloaded something from that machine.
This machine _is_ running an FTP server. For example, it seems
to host openoffice.org data, as well as Linux stuff.

Your nmap output suggests that _you_ are not running an FTP
server.

Chasing ghosts... ;-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
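An added example, not part of the thread: a small Python helper that parses FreeBSD-style `netstat -a` output like the lines quoted above, pairs the control connection to a remote `ftp` port with the data connection to the same host (the passive-mode data channel), and reports which local ports actually have a listener, so an outbound client download can be told apart from an exposed FTP server. The sample rows are constructed, modelled on the jaguar lines in the message.

```python
# Constructed sample of FreeBSD "netstat -a" output, modelled on the lines
# quoted in the thread, with ssh rows and LISTEN rows added for contrast.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 jaguar.12990           141.41.9.9.35089       ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp         ESTABLISHED
tcp4       0      0 jaguar.ssh             192.168.0.5.51234      ESTABLISHED
tcp4       0      0 *.ssh                  *.*                    LISTEN
tcp4       0      0 *.sunrpc               *.*                    LISTEN
"""

def split_addr(addr):
    """Split netstat's 'host.port' field; the host itself may contain dots."""
    host, _, port = addr.rpartition(".")
    return host, port

def parse_netstat(text):
    """One dict per TCP row; the header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        lport = split_addr(parts[3])[1]
        rhost, rport = split_addr(parts[4])
        rows.append({"lport": lport, "rhost": rhost, "rport": rport,
                     "state": parts[5]})
    return rows

def listening_ports(rows):
    """Local ports with a listener: only these can be connected to from outside."""
    return {r["lport"] for r in rows if r["state"] == "LISTEN"}

def classify_ftp(rows):
    """Remote port 'ftp' + local ephemeral port = outbound client session; a
    second ESTABLISHED connection to the same remote host is most likely its
    passive-mode data channel. Local port 'ftp' = inbound (needs a listener)."""
    est = [r for r in rows if r["state"] == "ESTABLISHED"]
    sessions = []
    for r in est:
        if r["rport"] == "ftp":
            data = [(d["lport"], d["rport"]) for d in est
                    if d is not r and d["rhost"] == r["rhost"]]
            sessions.append({"direction": "outbound", "remote": r["rhost"],
                             "control": r["lport"], "data": data})
        elif r["lport"] == "ftp":
            sessions.append({"direction": "inbound", "remote": r["rhost"],
                             "control": r["rport"], "data": []})
    return sessions
```

Run it with `netstat -a` piped in instead of the sample to check a live box; `netstat -an` would show numeric ports, so compare against 21 rather than `ftp` in that case.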