Date: Mon, 01 Sep 2014 18:37:48 -0500
From: "William A. Mahaffey III" <wam@hiwaay.net>
Cc: "FreeBSD Questions !!!!" <freebsd-questions@freebsd.org>
Subject: Re: oddball occurence ....
Message-ID: <5405034C.1060804@hiwaay.net>
In-Reply-To: <20140901211806.7935e5d5.freebsd@edvax.de>
References: <540476B5.7080107@hiwaay.net> <20140901194431.f2a33b87.freebsd@edvax.de> <5404BBDF.90804@hiwaay.net> <20140901211806.7935e5d5.freebsd@edvax.de>
On 09/01/14 14:18, Polytropon wrote:
> On Mon, 01 Sep 2014 13:33:03 -0500, William A. Mahaffey III wrote:
>> On 09/01/14 12:44, Polytropon wrote:
>>> On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
>>>> i.e. someone apparently FTP-ing .... *something* to or from my computer
>>>> ?!?!?! I don't think this should be happening (see immediately above)
>>>> .... What gives ?!?!?!
>>> From your output:
>>>
>>> tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
>>> tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
>>>
>>> Those are strange port numbers. Are you downloading something
>>> from them? But then... ESTABLISHED doesn't mean CONNECTED...
>>>
>>> What does "sockstat -l" say?
>> Too late for that ?
> That's a strange program message. :-)

I thought it needed to be done while things were happening ....

[root@kabini1, /etc, 6:33:59pm] 531 % sockstat -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lpd        27062 5  stream /var/run/printer
root     lpd        27062 6  tcp6   *:515                 *:*
root     lpd        27062 7  tcp4   *:515                 *:*
wam      dbus-daemo 1008  3  stream /tmp/dbus-oew1cXGFD4
wam      xfce4-sess 1001  7  stream /tmp/.ICE-unix/1001
root     Xorg       985   1  tcp6   *:6000                *:*
root     Xorg       985   3  tcp4   *:6000                *:*
root     Xorg       985   4  stream /tmp/.X11-unix/X0
root     sendmail   869   3  tcp4   127.0.0.1:25          *:*
root     sshd       866   3  tcp6   *:22                  *:*
root     sshd       866   4  tcp4   *:22                  *:*
messagebus dbus-daemo808 3  stream /var/run/dbus/system_bus_socket
daemon   rwhod      784   3  udp4   *:513                 *:*
root     ntpd       775   20 udp4   *:123                 *:*
root     ntpd       775   21 udp6   *:123                 *:*
root     ntpd       775   22 udp4   192.168.0.27:123      *:*
root     ntpd       775   23 udp6   fe80:1::d250:99ff:fe13:e385:123 *:*
root     ntpd       775   24 udp6   ::1:123               *:*
root     ntpd       775   25 udp6   fe80:9::1:123         *:*
root     ntpd       775   26 udp4   127.0.0.1:123         *:*
root     nfsd       737   5  tcp4   *:2049                *:*
root     nfsd       737   6  tcp6   *:2049                *:*
root     mountd     735   5  udp6   *:849                 *:*
root     mountd     735   6  tcp6   *:849                 *:*
root     mountd     735   7  udp4   *:849                 *:*
root     mountd     735   8  tcp4   *:849                 *:*
root     amd        687   4  udp4   *:1023                *:*
root     amd        687   5  udp4   *:1022                *:*
root     amd        687   6  tcp4   *:907                 *:*
root     amd        687   7  udp4   *:928                 *:*
root     rpcbind    685   4  udp6   *:*                   *:*
root     rpcbind    685   5  stream /var/run/rpcbind.sock
root     rpcbind    685   6  udp6   *:111                 *:*
root     rpcbind    685   7  udp6   *:658                 *:*
root     rpcbind    685   8  tcp6   *:111                 *:*
root     rpcbind    685   9  udp4   *:111                 *:*
root     rpcbind    685   10 udp4   *:743                 *:*
root     rpcbind    685   11 tcp4   *:111                 *:*
root     syslogd    647   4  dgram  /var/run/log
root     syslogd    647   5  dgram  /var/run/logpriv
root     syslogd    647   6  udp6   *:514                 *:*
root     syslogd    647   7  udp4   *:514                 *:*
root     devd       490   4  stream /var/run/devd.pipe
?        ?          ?     ?  udp6   *:2049                *:*
?        ?          ?     ?  udp4   *:2049                *:*
[root@kabini1, /etc, 6:35:06pm] 532 %

>
>
>>> But there are also SSH sessions which could be scp? But that
>>> would imply that authorized users are using it, because you
>>> probably don't run publish SSH without password on your
>>> system. :-)
>>
>> I run ssh internally & to my ISP using keys, no passwords, I thought
>> that was more secure :-/ .... I am not supposed to be allowing
>> connections from outside my LAN to any of my boxen ....
> Okay, so the SSH sessions are to be expected and authorized.
>
>
>>> Regarding the address:
>>>
>>>> inetnum: 141.41.0.0 - 141.41.255.255
>>>> netname: FH-WOLFENBUETTEL
>>>> descr: Fachhochschule Braunschweig/Wolfenbuettel
>>> That's probably NTP. The FH Braunschweig is probably in
>>> relation (IP-wise) with the PTB which is providing a
>>> "nuclear time" input for NTP.
>>>
>>> http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
>>>
>>> You're running ntpd?
>>
>> Yeah, but w/ local server & peers only ....
> The ntpd and ntpdate need a source to sync, maybe the PTB
> is involved here? Depending on if you have "sync on start"
> or "continuous monitoring", connections may appear once or
> from time to time.
>
>
>> Tried from shell account @ my ISP, it said nmap not found, maybe need
>> root to run, but that was a nogo ....
> Maybe not installed? The nmap tool is an additional program,
> and running it does not require being root, only some tests
> that nmap can do need to be performed as root, but a normal
> TCP scan should not require it.
>
>
>> tried from inside, this box & 1 other, I get the following:
>>
>> from other machine, FC14 server:
>>
>>
>> [root@Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
>>
>> Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
>> Nmap scan report for JAGUAR (192.168.0.27)
>> Host is up (0.00018s latency).
>> Not shown: 995 closed ports
>> PORT     STATE SERVICE VERSION
>> 22/tcp   open  ssh     OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420;
>> protocol 2.0)
> Intended.
>
>
>> 111/tcp  open  rpcbind
>> 2049/tcp open  rpcbind
> That's for NFS.
>
>
>> 515/tcp  open  printer BSD lpd (Unauthorized host)
>> 6000/tcp open  X11     (access denied)
> I don't see FTP open here. This just means you cannot FTP
> _into_ the machine, but you can FTP _out of_ the machine.
> Maybe some download that caught your attention? Or a web
> browser's FTP connection (ftp://...) to, for example, the
> FreeBSD FTP server?
>
> For example, when downloading from:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.0-RELEASE
>
> with a web browser, I see:
>
> # netstat -a | grep ftp
> tcp4 0 0 r56.46684 ftp.beastie.tdk..58441 ESTABLISHED
> tcp4 0 0 r56.40750 ftp.beastie.tdk..ftp ESTABLISHED
>
> Ha, I think we have it now - this output looks similar to
> yours. Compare:
>
> tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
> tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
>
> It seems that you've downloaded something from that machine.
> This machine _is_ running an FTP server. For example, it seems
> to host openoffice.org data, as well as Linux stuff.
>
> Your nmap output suggests that _you_ are not running an FTP
> server.
>
> Chasing ghosts... ;-)
>

--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war ever devised by man."
-- Gen. George S. Patton Jr.
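The reasoning in this thread, that a connection whose local port is one `sockstat -l` lists as listening is inbound to a service on the host while one whose local port is ephemeral is an outbound client session (and a pair of ephemeral ports on both ends is typically the passive-FTP data channel the local client opened), can be applied mechanically. The script below is an added example for this archive page, not code from the thread or from FreeBSD; it parses the two `netstat` lines quoted above plus a constructed inbound SSH line, and the TCP listeners taken from the `sockstat -l` output, and labels each ESTABLISHED connection. The `KNOWN_SERVICES` table and the `rport < 1024` heuristic are assumptions of the example.

```python
"""Classify netstat ESTABLISHED connections as inbound or outbound.

Added example for this thread (not part of the original mail): a local
port that appears in `sockstat -l` means the connection is inbound to a
service on this host; any other local port is ephemeral, so this host is
the client side.
"""
import socket
from dataclasses import dataclass

# Constructed sample input: the two lines quoted in the thread plus one
# made-up inbound SSH session (192.168.0.5 is not from the thread).
NETSTAT_SAMPLE = """\
tcp4       0      0 jaguar.12990           141.41.9.9.35089       ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp         ESTABLISHED
tcp4       0      0 jaguar.ssh             192.168.0.5.51234      ESTABLISHED
"""

# Constructed: a subset of the `sockstat -l` output shown in the mail.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       866   4  tcp4   *:22                  *:*
root     nfsd       737   5  tcp4   *:2049                *:*
root     lpd        27062 7  tcp4   *:515                 *:*
root     Xorg       985   3  tcp4   *:6000                *:*
root     ntpd       775   22 udp4   192.168.0.27:123      *:*
"""

# netstat prints service names from /etc/services; the common ones are
# resolved here (assumed table) so the script also works without that file.
KNOWN_SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "http": 80, "https": 443}


def port_number(token: str) -> int:
    """Turn '12990' or 'ftp' into an integer port."""
    if token.isdigit():
        return int(token)
    if token in KNOWN_SERVICES:
        return KNOWN_SERVICES[token]
    return socket.getservbyname(token)  # fall back to /etc/services


def split_netstat_addr(addr: str):
    """'jaguar.12990' -> ('jaguar', 12990); BSD netstat puts '.' before the port."""
    host, _, port = addr.rpartition(".")
    return host, port_number(port)


def listening_tcp_ports(sockstat_text: str) -> set:
    """Collect local TCP ports from `sockstat -l` output (PROTO tcp4/tcp6)."""
    ports = set()
    for line in sockstat_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 7 or not fields[4].startswith("tcp"):
            continue
        ports.add(int(fields[5].rsplit(":", 1)[1]))
    return ports


@dataclass
class Conn:
    local_port: int
    remote_host: str
    remote_port: int
    verdict: str


def classify_connections(netstat_text: str, listening: set):
    """Label each ESTABLISHED line as inbound-service (our listener),
    outbound-client (remote well-known port) or outbound-ephemeral
    (both ends ephemeral, e.g. a passive-FTP data channel we opened)."""
    result = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != "ESTABLISHED":
            continue
        _, lport = split_netstat_addr(fields[3])
        rhost, rport = split_netstat_addr(fields[4])
        if lport in listening:
            verdict = "inbound-service"
        elif rport < 1024:  # assumed heuristic: privileged port = remote service
            verdict = "outbound-client"
        else:
            verdict = "outbound-ephemeral"
        result.append(Conn(lport, rhost, rport, verdict))
    return result


if __name__ == "__main__":
    listening = listening_tcp_ports(SOCKSTAT_SAMPLE)
    for c in classify_connections(NETSTAT_SAMPLE, listening):
        print(f"local {c.local_port:>5} -> {c.remote_host}:{c.remote_port:<5} {c.verdict}")
```

Run against the thread's two lines it labels `jaguar.23210 -> 141.41.9.9.ftp` as an outbound client session and `jaguar.12990 -> 141.41.9.9.35089` as ephemeral on both ends, which matches the passive-FTP download explanation; only the constructed SSH line, whose local port 22 is in the listener set, comes out as inbound. On a live box feed it `netstat -an` and `sockstat -l` so that an `ESTABLISHED` line is never mistaken for a listener the host does not have.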