From owner-freebsd-questions@FreeBSD.ORG Mon Sep 1 19:18:15 2014
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id BC5DFCAE
 for ; Mon, 1 Sep 2014 19:18:15 +0000 (UTC)
Received: from mx01.qsc.de (mx01.qsc.de [213.148.129.14])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 68B02157C
 for ; Mon, 1 Sep 2014 19:18:15 +0000 (UTC)
Received: from r56.edvax.de (port-92-195-111-1.dynamic.qsc.de [92.195.111.1])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mx01.qsc.de (Postfix) with ESMTPS id 61E1A3CC7F;
 Mon, 1 Sep 2014 21:18:07 +0200 (CEST)
Received: from r56.edvax.de (localhost [127.0.0.1])
 by r56.edvax.de (8.14.5/8.14.5) with SMTP id s81JI6rB002776;
 Mon, 1 Sep 2014 21:18:06 +0200 (CEST)
 (envelope-from freebsd@edvax.de)
Date: Mon, 1 Sep 2014 21:18:06 +0200
From: Polytropon
To: "William A. Mahaffey III"
Subject: Re: oddball occurence ....
Message-Id: <20140901211806.7935e5d5.freebsd@edvax.de>
In-Reply-To: <5404BBDF.90804@hiwaay.net>
References: <540476B5.7080107@hiwaay.net>
 <20140901194431.f2a33b87.freebsd@edvax.de>
 <5404BBDF.90804@hiwaay.net>
Reply-To: Polytropon
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Questions !!!!
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 Sep 2014 19:18:15 -0000

On Mon, 01 Sep 2014 13:33:03 -0500, William A. Mahaffey III wrote:
> 
> On 09/01/14 12:44, Polytropon wrote:
> > On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
> >> i.e. someone apparently FTP-ing .... *something* to or from my computer
> >> ?!?!?! I don't think this should be happening (see immediately above)
> >> .... What gives ?!?!?!
> > >From your output:
> >
> >      tcp4       0      0 jaguar.12990          141.41.9.9.35089       ESTABLISHED
> >      tcp4       0      0 jaguar.23210          141.41.9.9.ftp         ESTABLISHED
> >
> > Those are strange port numbers. Are you downloading something
> > from them? But then... ESTABLISHED doesn't mean CONNECTED...
> >
> > What does "sockstat -l" say?
> 
> Too late for that ?

That's a strange program message. :-)

> > But there are also SSH sessions which could be scp? But that
> > would imply that authorized users are using it, because you
> > probably don't run public SSH without password on your
> > system. :-)
> 
> I run ssh internally & to my ISP using keys, no passwords, I thought
> that was more secure :-/ .... I am not supposed to be allowing
> connections from outside my LAN to any of my boxen ....

Okay, so the SSH sessions are to be expected and authorized.

> > Regarding the address:
> >
> >> inetnum:        141.41.0.0 - 141.41.255.255
> >> netname:        FH-WOLFENBUETTEL
> >> descr:          Fachhochschule Braunschweig/Wolfenbuettel
> > That's probably NTP. The FH Braunschweig is probably in
> > relation (IP-wise) with the PTB which is providing a
> > "nuclear time" input for NTP.
> >
> > http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
> >
> > You're running ntpd?
> 
> Yeah, but w/ local server & peers only ....

The ntpd and ntpdate need a source to sync; maybe the PTB is
involved here? Depending on whether you have "sync on start" or
"continuous monitoring", connections may appear once or from
time to time.

> Tried from shell account @ my ISP, it said nmap not found, maybe need
> root to run, but that was a nogo ....

Maybe not installed? The nmap tool is an additional program, and
running it does not require being root. Only some tests that nmap
can do need to be performed as root; a normal TCP scan should not
require it.

> tried from inside, this box & 1 other, I get the following:
> 
> from other machine, FC14 server:
> 
> 
> [root@Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
> 
> Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
> Nmap scan report for JAGUAR (192.168.0.27)
> Host is up (0.00018s latency).
> Not shown: 995 closed ports
> PORT     STATE SERVICE VERSION
> 22/tcp   open  ssh     OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420;
> protocol 2.0)

Intended.

> 111/tcp  open  rpcbind
> 2049/tcp open  rpcbind

That's for NFS.

> 515/tcp  open  printer BSD lpd (Unauthorized host)
> 6000/tcp open  X11     (access denied)

I don't see FTP open here. This just means you cannot FTP _into_
the machine, but you can FTP _out of_ the machine. Maybe some
download that caught your attention? Or a web browser's FTP
connection (ftp://...) to, for example, the FreeBSD FTP server?

For example, when downloading from:

	ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.0-RELEASE

with a web browser, I see:

	# netstat -a | grep ftp
	tcp4       0      0 r56.46684           ftp.beastie.tdk..58441 ESTABLISHED
	tcp4       0      0 r56.40750           ftp.beastie.tdk..ftp   ESTABLISHED

Ha, I think we have it now - this output looks similar to yours.
Compare:

	tcp4       0      0 jaguar.12990        141.41.9.9.35089       ESTABLISHED
	tcp4       0      0 jaguar.23210        141.41.9.9.ftp         ESTABLISHED

It seems that you've downloaded something from that machine. This
machine _is_ running an FTP server. For example, it seems to host
openoffice.org data, as well as Linux stuff.

Your nmap output suggests that _you_ are not running an FTP server.

Chasing ghosts... ;-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
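The distinction the reply turns on (an ESTABLISHED line with the local side on an ephemeral port and the foreign side on "ftp" is an outbound download, not an inbound FTP session) can be checked mechanically instead of by eye. The script below is an added example, not part of the thread or of any FreeBSD tool: it parses FreeBSD-style `netstat -a` output, collects the ports the host is LISTENing on, and labels each ESTABLISHED TCP connection as inbound (peer connected to one of our listeners) or outbound (we connected out). The sample output is constructed in the shape of the lines quoted in the mail, and the service-name table is a small assumed subset of /etc/services.

```python
"""Label ESTABLISHED TCP connections in FreeBSD `netstat -a` output as
inbound or outbound, using the host's own LISTEN sockets as the reference.
Added example; the sample text below is constructed, not captured output."""

# Assumed subset of /etc/services for the names netstat prints
# instead of port numbers when run without -n.
SERVICE_PORTS = {
    "ftp": 21, "ssh": 22, "http": 80, "https": 443,
    "ntp": 123, "sunrpc": 111, "printer": 515, "nfsd": 2049,
}

# Constructed sample in FreeBSD `netstat -a` layout: the last dot of an
# address column separates host from port/service name.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 jaguar.12990           141.41.9.9.35089       ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp         ESTABLISHED
tcp4       0      0 jaguar.ssh             192.168.0.5.51022      ESTABLISHED
tcp4       0      0 *.ssh                  *.*                    LISTEN
tcp4       0      0 *.sunrpc               *.*                    LISTEN
tcp4       0      0 *.printer              *.*                    LISTEN
udp4       0      0 *.ntp                  *.*
"""


def split_endpoint(endpoint):
    """Split 'host.port' at the last dot; resolve a service name to its
    number when known, otherwise keep the raw token (e.g. '*')."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port, port)


def parse_netstat(text):
    """Return (proto, (lhost, lport), (fhost, fport), state) per socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner and column-header lines; keep tcp*/udp* rows only.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, local, foreign = fields[0], fields[3], fields[4]
        state = fields[5] if len(fields) > 5 else ""   # UDP rows carry no state
        rows.append((proto, split_endpoint(local), split_endpoint(foreign), state))
    return rows


def classify(text):
    """Label each ESTABLISHED TCP connection inbound/outbound.

    A connection is inbound when its local port is one this host LISTENs
    on in the same snapshot; anything else is a connection we initiated.
    Caveat: active-mode FTP data channels use a short-lived listener on
    the client, so they can appear inbound in a snapshot taken mid-transfer.
    """
    rows = parse_netstat(text)
    listening = {lp for proto, (_, lp), _, state in rows
                 if proto.startswith("tcp") and state == "LISTEN"}
    labelled = []
    for proto, (lh, lp), (fh, fp), state in rows:
        if not proto.startswith("tcp") or state != "ESTABLISHED":
            continue
        direction = "inbound" if lp in listening else "outbound"
        labelled.append((direction, f"{lh}:{lp}", f"{fh}:{fp}"))
    return labelled


if __name__ == "__main__":
    for direction, local, foreign in classify(SAMPLE_NETSTAT):
        print(f"{direction:8s} {local:20s} -> {foreign}")
```

Run against the constructed sample, the two lines from the thread come out as outbound (local ports 12990 and 23210 are not listeners; the peer's ports are 35089 for the passive data channel and 21 for control), while the `jaguar.ssh` line is inbound because port 22 is in the LISTEN set. On a real system feed it `netstat -a` (or `netstat -an` plus a numeric-only `SERVICE_PORTS`), and cross-check the listener set with `sockstat -l`, which additionally names the owning process.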