From owner-freebsd-questions@FreeBSD.ORG Fri Sep 5 18:38:15 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C0D221065678 for ; Fri, 5 Sep 2008 18:38:15 +0000 (UTC) (envelope-from peter@boosten.org) Received: from smtpq1.groni1.gr.home.nl (smtpq1.groni1.gr.home.nl [213.51.130.200]) by mx1.freebsd.org (Postfix) with ESMTP id 761BB8FC0A for ; Fri, 5 Sep 2008 18:38:15 +0000 (UTC) (envelope-from peter@boosten.org) Received: from [213.51.130.189] (port=46741 helo=smtp2.groni1.gr.home.nl) by smtpq1.groni1.gr.home.nl with esmtp (Exim 4.60) (envelope-from ) id 1KbgCE-00065t-04 for freebsd-questions@freebsd.org; Fri, 05 Sep 2008 20:38:14 +0200 Received: from cp268254-a.landg1.lb.home.nl ([84.25.65.88]:1387 helo=ra.egypt.nl) by smtp2.groni1.gr.home.nl with esmtp (Exim 4.60) (envelope-from ) id 1KbgCD-0003lC-FS for freebsd-questions@freebsd.org; Fri, 05 Sep 2008 20:38:13 +0200 Received: from ramses.egypt.nl (ramses.egypt.nl [192.168.13.8]) by ra.egypt.nl (Postfix) with ESMTP id F3EDA39887 for ; Fri, 5 Sep 2008 20:38:12 +0200 (CEST) Received: from ramses.egypt.nl (localhost [127.0.0.1]) by ramses.egypt.nl (8.14.2/8.14.2) with ESMTP id m85IcC5g023872 for ; Fri, 5 Sep 2008 20:38:12 +0200 (CEST) (envelope-from peter@boosten.org) Received: (from www@localhost) by ramses.egypt.nl (8.14.2/8.14.2/Submit) id m85IcCte023871 for freebsd-questions@freebsd.org; Fri, 5 Sep 2008 20:38:12 +0200 (CEST) (envelope-from peter@boosten.org) Received: from NLBEK31LJCLJZ1J.egypt.nl (NLBEK31LJCLJZ1J.egypt.nl [192.168.13.173]) by www.boosten.org (Horde Framework) with HTTP; Fri, 05 Sep 2008 20:38:12 +0200 Message-ID: <20080905203812.57681dffjf1gfhxc@www.boosten.org> Date: Fri, 05 Sep 2008 20:38:12 +0200 From: "Peter Boosten" To: freebsd-questions@freebsd.org References: <48C1738E.8030206@boosten.org> In-Reply-To: <48C1738E.8030206@boosten.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; DelSp="Yes"; format="flowed" Content-Disposition: inline Content-Transfer-Encoding: 7bit User-Agent: Internet Messaging Program (IMP) H3 (4.2) X-Spam-Score: -0.0 (/) Subject: Re: Strange traffic originating from httpd X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Sep 2008 18:38:15 -0000 Quoting "Peter Boosten" : > Hi all, > > Just today I noticed some strange UDP4 traffic from my webserver to an > IP address unknown to me, connecting to port 8000 (UDP). > > Sockstat showed httpd (running as www) as the culprit. > Does anyone know what could cause this? > > I run several websites (Joomla, Wordpress, Coppermine, Nucleus), so > maybe some plugin does this. > [snip] Oke, did some checks and found the following: the UDP connection is initiated once when anyone visits one of the Wordpress sites. A tcpdump shows that the IP address of the visiting client is transmitted to that external site, so probably it's one of the plugins: - Akismet - WP-Shortstat - Wassup - WPsyslog I'm going to ask in the Wordpress groups. Apologies for the polution :-) Peter -- http://www.boosten.org