Date: Mon, 1 Sep 2014 19:44:31 +0200
From: Polytropon <freebsd@edvax.de>
To: "William A. Mahaffey III" <wam@hiwaay.net>
Cc: FreeBSD Questions !!!! <freebsd-questions@freebsd.org>
Subject: Re: oddball occurence ....
Message-ID: <20140901194431.f2a33b87.freebsd@edvax.de>
In-Reply-To: <540476B5.7080107@hiwaay.net>
References: <540476B5.7080107@hiwaay.net>
On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
> i.e. someone apparently FTP-ing .... *something* to or from my computer
> ?!?!?! I don't think this should be happening (see immediately above)
> .... What gives ?!?!?!

From your output:

    tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
    tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED

Those are strange port numbers. Are you downloading something
from them? But then... ESTABLISHED doesn't mean CONNECTED...

What does "sockstat -l" say?

But there are also SSH sessions which could be scp? But that would
imply that authorized users are using it, because you probably
don't run public SSH without password on your system. :-)

Regarding the address:

> inetnum: 141.41.0.0 - 141.41.255.255
> netname: FH-WOLFENBUETTEL
> descr: Fachhochschule Braunschweig/Wolfenbuettel

That's probably NTP. The FH Braunschweig is probably in relation
(IP-wise) with the PTB which is providing a "nuclear time" input
for NTP.

http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt

You're running ntpd?

The IP 41.41.9.9 is from the FH Braunschweig range, but I can't
say what particular computer. One in a lab, compromised? It's
doing TCP connections.

> Any help on this matter appreciated !!!! This box is *NOT* a public
> server, & I thought it was pretty well locked down :-/ ....

First thing: Run nmap on your public IP, just to check that your
firewall rules are correct. A nice concept is "close all ports,
only open those you need", and FTP probably is one you don't
intend to need. If you see open FTP ports, adjust your firewall
rules.

Examining for strange scp connections, you can always use tcpdump
on your public interface to see what's going in and out of your
machine. Wireshark (ex Ethereal) is also a nice tool for that task.

Sidenote in relation to your signature:

> "The M1 Garand is without doubt the finest implement of war
> ever devised by man."
> -- Gen. George S. Patton Jr.

See: "If programming languages were weapons":
http://bjorn.tipling.com/if-programming-languages-were-weapons

You're obviously referring to C. ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
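An added example, not part of Polytropon's reply or of any FreeBSD tool: a POSIX shell/awk function that takes netstat-style lines plus the list of ports the host listens on (what "sockstat -l" reports), classifies each ESTABLISHED TCP connection as inbound or outbound, and flags outbound sessions to services you did not expect. The sample lines, the listening-port list and the expected-service list are constructed assumptions.

```shell
#!/bin/sh
# Classify ESTABLISHED TCP connections by direction and flag unexpected
# outbound ones. Direction is inferred from the local port: if we listen
# on it, the peer connected to us; otherwise we opened the connection.

# Constructed netstat -an style sample (mirrors the two lines from the thread
# plus an inbound ssh session and a listener); not captured traffic.
SAMPLE_NETSTAT='tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
tcp4 0 0 jaguar.ssh 192.0.2.10.51234 ESTABLISHED
tcp4 0 0 *.ssh *.* LISTEN'

# Assumed local listening ports, as sockstat -l would show them.
LISTENING_PORTS="ssh"

# Assumed services this host is expected to talk to; anything else is flagged.
# Note: ntpd normally uses UDP 123, so a TCP session is not explained by it.
EXPECTED_OUTBOUND="ntp https"

# $1: netstat-style text. Prints one line per ESTABLISHED TCP connection:
#   <inbound|outbound> <local> <foreign> <ok|UNEXPECTED>
classify_connections() {
  printf '%s\n' "$1" | awk -v listen="$LISTENING_PORTS" -v ok="$EXPECTED_OUTBOUND" '
    BEGIN {
      n = split(listen, l, " "); for (i = 1; i <= n; i++) L[l[i]] = 1
      m = split(ok, o, " ");     for (i = 1; i <= m; i++) OK[o[i]] = 1
    }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      lport = $4; sub(/.*\./, "", lport)   # keep text after the last dot
      fport = $5; sub(/.*\./, "", fport)
      if (lport in L) { dir = "inbound";  flag = "ok" }
      else            { dir = "outbound"; flag = (fport in OK) ? "ok" : "UNEXPECTED" }
      print dir, $4, $5, flag
    }'
}

classify_connections "$SAMPLE_NETSTAT"
```

The flagged jaguar.12990 to 141.41.9.9.35089 pair next to the ftp session is what a passive-mode FTP data channel looks like (client ephemeral port to a server-chosen high port), so both lines point at one outbound FTP transfer initiated from jaguar rather than an inbound connection.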
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20140901194431.f2a33b87.freebsd>