From: "William A. Mahaffey III"
Date: Mon, 01 Sep 2014 18:37:48 -0500
To: freebsd-questions@freebsd.org
Subject: Re: oddball occurence ....
Message-ID: <5405034C.1060804@hiwaay.net>
In-Reply-To: <20140901211806.7935e5d5.freebsd@edvax.de>

On 09/01/14 14:18, Polytropon wrote:
> On Mon, 01 Sep 2014 13:33:03 -0500, William A. Mahaffey III wrote:
>> On 09/01/14 12:44, Polytropon wrote:
>>> On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
>>>> i.e. someone apparently FTP-ing .... *something* to or from my computer
>>>> ?!?!?! I don't think this should be happening (see immediately above)
>>>> .... What gives ?!?!?!
>>>
>>> From your output:
>>>
>>> tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
>>> tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
>>>
>>> Those are strange port numbers. Are you downloading something
>>> from them? But then... ESTABLISHED doesn't mean CONNECTED...
>>>
>>> What does "sockstat -l" say?
>>
>> Too late for that ?
>
> That's a strange program message. :-)

I thought it needed to be done while things were happening ....

[root@kabini1, /etc, 6:33:59pm] 531 % sockstat -l
USER       COMMAND    PID   FD PROTO  LOCAL ADDRESS                    FOREIGN ADDRESS
root       lpd        27062 5  stream /var/run/printer
root       lpd        27062 6  tcp6   *:515                            *:*
root       lpd        27062 7  tcp4   *:515                            *:*
wam        dbus-daemo 1008  3  stream /tmp/dbus-oew1cXGFD4
wam        xfce4-sess 1001  7  stream /tmp/.ICE-unix/1001
root       Xorg       985   1  tcp6   *:6000                           *:*
root       Xorg       985   3  tcp4   *:6000                           *:*
root       Xorg       985   4  stream /tmp/.X11-unix/X0
root       sendmail   869   3  tcp4   127.0.0.1:25                     *:*
root       sshd       866   3  tcp6   *:22                             *:*
root       sshd       866   4  tcp4   *:22                             *:*
messagebus dbus-daemo 808   3  stream /var/run/dbus/system_bus_socket
daemon     rwhod      784   3  udp4   *:513                            *:*
root       ntpd       775   20 udp4   *:123                            *:*
root       ntpd       775   21 udp6   *:123                            *:*
root       ntpd       775   22 udp4   192.168.0.27:123                 *:*
root       ntpd       775   23 udp6   fe80:1::d250:99ff:fe13:e385:123  *:*
root       ntpd       775   24 udp6   ::1:123                          *:*
root       ntpd       775   25 udp6   fe80:9::1:123                    *:*
root       ntpd       775   26 udp4   127.0.0.1:123                    *:*
root       nfsd       737   5  tcp4   *:2049                           *:*
root       nfsd       737   6  tcp6   *:2049                           *:*
root       mountd     735   5  udp6   *:849                            *:*
root       mountd     735   6  tcp6   *:849                            *:*
root       mountd     735   7  udp4   *:849                            *:*
root       mountd     735   8  tcp4   *:849                            *:*
root       amd        687   4  udp4   *:1023                           *:*
root       amd        687   5  udp4   *:1022                           *:*
root       amd        687   6  tcp4   *:907                            *:*
root       amd        687   7  udp4   *:928                            *:*
root       rpcbind    685   4  udp6   *:*                              *:*
root       rpcbind    685   5  stream /var/run/rpcbind.sock
root       rpcbind    685   6  udp6   *:111                            *:*
root       rpcbind    685   7  udp6   *:658                            *:*
root       rpcbind    685   8  tcp6   *:111                            *:*
root       rpcbind    685   9  udp4   *:111                            *:*
root       rpcbind    685   10 udp4   *:743                            *:*
root       rpcbind    685   11 tcp4   *:111                            *:*
root       syslogd    647   4  dgram  /var/run/log
root       syslogd    647   5  dgram  /var/run/logpriv
root       syslogd    647   6  udp6   *:514                            *:*
root       syslogd    647   7  udp4   *:514                            *:*
root       devd       490   4  stream /var/run/devd.pipe
?          ?          ?     ?  udp6   *:2049                           *:*
?          ?          ?     ?  udp4   *:2049                           *:*
[root@kabini1, /etc, 6:35:06pm] 532 %

>
>>> But there are also SSH sessions which could be scp? But that
>>> would imply that authorized users are using it, because you
>>> probably don't run publish SSH without password on your
>>> system. :-)
>>
>> I run ssh internally & to my ISP using keys, no passwords, I thought
>> that was more secure :-/ .... I am not supposed to be allowing
>> connections from outside my LAN to any of my boxen ....
>
> Okay, so the SSH sessions are to be expected and authorized.
>
>>> Regarding the address:
>>>
>>>> inetnum: 141.41.0.0 - 141.41.255.255
>>>> netname: FH-WOLFENBUETTEL
>>>> descr: Fachhochschule Braunschweig/Wolfenbuettel
>>>
>>> That's probably NTP. The FH Braunschweig is probably in
>>> relation (IP-wise) with the PTB which is providing a
>>> "nuclear time" input for NTP.
>>>
>>> http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
>>>
>>> You're running ntpd?
>>
>> Yeah, but w/ local server & peers only ....
>
> The ntpd and ntpdate need a source to sync, maybe the PTB
> is involved here? Depending on if you have "sync on start"
> or "continuous monitoring", connections may appear once or
> from time to time.
>
>> Tried from shell account @ my ISP, it said nmap not found, maybe need
>> root to run, but that was a nogo ....
>
> Maybe not installed? The nmap tool is an additional program,
> and running it does not require being root, only some tests
> that nmap can do need to be performed as root, but a normal
> TCP scan should not require it.
>
>> tried from inside, this box & 1 other, I get the following:
>>
>> from other machine, FC14 server:
>>
>> [root@Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
>>
>> Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
>> Nmap scan report for JAGUAR (192.168.0.27)
>> Host is up (0.00018s latency).
>> Not shown: 995 closed ports
>> PORT     STATE SERVICE VERSION
>> 22/tcp   open  ssh     OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420; protocol 2.0)
>
> Intended.
>
>> 111/tcp  open  rpcbind
>> 2049/tcp open  rpcbind
>
> That's for NFS.
>
>> 515/tcp  open  printer BSD lpd (Unauthorized host)
>> 6000/tcp open  X11     (access denied)
>
> I don't see FTP open here. This just means you cannot FTP
> _into_ the machine, but you can FTP _out of_ the machine.
> Maybe some download that caught your attention? Or a web
> browser's FTP connection (ftp://...) to, for example, the
> FreeBSD FTP server?
>
> For example, when downloading from:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.0-RELEASE
>
> with a web browser, I see:
>
> # netstat -a | grep ftp
> tcp4 0 0 r56.46684 ftp.beastie.tdk..58441 ESTABLISHED
> tcp4 0 0 r56.40750 ftp.beastie.tdk..ftp ESTABLISHED
>
> Ha, I think we have it now - this output looks similar to
> yours. Compare:
>
> tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
> tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
>
> It seems that you've downloaded something from that machine.
> This machine _is_ running a FTP server. For example, it seems
> to host openoffice.org data, as well as Linux stuff.
>
> Your nmap output suggests that _you_ are not running a FTP
> server.
>
> Chasing ghosts... ;-)
>

-- 
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war ever
devised by man." -- Gen. George S. Patton Jr.