Date:      Fri, 28 Jun 2002 13:23:54 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        Andy Farkas <andyf@speednet.com.au>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: strange connection attempts
Message-ID:  <20020628122354.GA9468@happy-idiot-talk.infracaninophi>
In-Reply-To: <Pine.BSF.4.33.0206281758510.32309-100000@backup.af.speednet.com.au>
References:  <Pine.BSF.4.33.0206281758510.32309-100000@backup.af.speednet.com.au>

On Fri, Jun 28, 2002 at 06:02:00PM +1000, Andy Farkas wrote:
> Anyone have any idea on what could cause spurts of connection attempts to
> the loopback address:
> 
> franky# grep 127.0.0.1 /var/log/all.log | head -3
> Jun 28 15:07:30 <kern.info> franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4891
> Jun 28 15:07:30 <kern.info> franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4892
> Jun 28 15:07:30 <kern.info> franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4893

Something is desperately trying to connect to a program on port 1214.
That's the default port used by KaZaA/Morpheus p2p file sharing
software.  Unluckily for you, it's coming from the localhost.
Luckily, nothing is actually listening.

I'd try running

tcpdump -i lo0 -X port 1214

to see if you can deduce anything from the packet contents.  Also, use

netstat -a
sockstat

to try and find the processes generating the traffic.  Not to be
alarmist, but are you certain of the integrity of your machine?  Time
to warm up the LART and check carefully for unauthorized naughtiness.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
Tel: +44 1628 476614                                  Marlow
Fax: +44 0870 0522645                                 Bucks., SL7 1TH UK
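
Added example, not part of the original message: a small Python triage script for the kernel "Connection attempt to" lines quoted above. It groups attempts that originate from the loopback address by second and destination port, so that bursts like the one to port 1214 stand out before running tcpdump or sockstat. The function names, the threshold, and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First three lines are the ones quoted in the message; the last two are constructed.
SAMPLE_LOG = """\
Jun 28 15:07:30 <kern.info> franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4891
Jun 28 15:07:30 <kern.info> franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4892
Jun 28 15:07:30 <kern.info> franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4893
Jun 28 15:09:02 <kern.info> franky /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40112
Jun 28 15:09:41 <kern.info> franky /kernel: Connection attempt to UDP 192.0.2.10:137 from 198.51.100.9:137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?Connection attempt to "
    r"(?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

def parse(log_text):
    """Yield (timestamp, proto, dst, dport, src, sport) for each matching line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["proto"], m["dst"], int(m["dport"]),
                   m["src"], int(m["sport"]))

def local_bursts(log_text, min_attempts=3):
    """Report bursts of attempts whose source is the loopback network."""
    groups = defaultdict(list)
    for ts, proto, dst, dport, src, sport in parse(log_text):
        if src.startswith("127."):  # generated by a process on this host
            groups[(ts, proto, dport)].append(sport)
    report = []
    for (ts, proto, dport), sports in sorted(groups.items()):
        if len(sports) >= min_attempts:
            sports.sort()
            # Consecutive source ports are consistent with one tight retry loop,
            # assuming the host hands out ephemeral ports sequentially.
            sequential = all(b - a == 1 for a, b in zip(sports, sports[1:]))
            report.append({"time": ts, "proto": proto, "dport": dport,
                           "attempts": len(sports),
                           "sequential_sports": sequential})
    return report

if __name__ == "__main__":
    for burst in local_bursts(SAMPLE_LOG):
        print(burst)
```

To run it against a real log, pass the contents of /var/log/all.log to local_bursts() instead of SAMPLE_LOG.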
