Date: Fri, 28 Jun 2002 13:23:54 +0100
From: Matthew Seaman
To: Andy Farkas
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: strange connection attempts
Message-ID: <20020628122354.GA9468@happy-idiot-talk.infracaninophi>

On Fri, Jun 28, 2002 at 06:02:00PM +1000, Andy Farkas wrote:

> Anyone have any idea on what could cause spurts of connection attempts to
> the loopback address:
>
> franky# grep 127.0.0.1 /var/log/all.log | head -3
> Jun 28 15:07:30 franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4891
> Jun 28 15:07:30 franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4892
> Jun 28 15:07:30 franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4893

Something is desperately trying to connect to a program on port 1214.
That's the default port used by KaZaA/Morpheus p2p file sharing
software. Unluckily for you, it's coming from the localhost. Luckily,
nothing is actually listening.

I'd try running

    tcpdump -i lo0 -X port 1214

to see if you can deduce anything from the packet contents. Also, use

    netstat -a
    sockstat

to try and find the processes generating the traffic.

Not to be alarmist, but are you certain of the integrity of your
machine? Time to warm up the LART and check carefully for unauthorized
naughtiness.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
Tel: +44 1628 476614
Fax: +44 0870 0522645
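
Added example (not part of the original message and not FreeBSD project code): a Python script that picks bursts like the one quoted above out of a log, so the port and time window to watch with tcpdump and sockstat are clear. The function name, the burst threshold, and every sample line after the first three are assumptions made for this example.

```python
import re
from collections import defaultdict

# Kernel message format quoted in the post (attempts to a port with no listener).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+/kernel:\s+"
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# The first three lines are from the post; the rest are constructed.
SAMPLE_LOG = """\
Jun 28 15:07:30 franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4891
Jun 28 15:07:30 franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4892
Jun 28 15:07:30 franky /kernel: Connection attempt to TCP 127.0.0.1:1214 from 127.0.0.1:4893
Jun 28 15:08:02 franky /kernel: Connection attempt to TCP 127.0.0.1:8080 from 127.0.0.1:4901
Jun 28 15:09:12 franky /kernel: Connection attempt to TCP 192.0.2.10:23 from 198.51.100.7:40112
Jun 28 15:09:40 franky sshd[411]: Accepted publickey for andy from 192.0.2.44 port 51022
"""


def loopback_bursts(lines, min_attempts=3):
    """Return bursts of loopback-to-loopback attempts, largest first.

    A burst is min_attempts or more attempts to one destination port
    within the same logged second.
    """
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection-attempt message
        if m["src"].startswith("127.") and m["dst"].startswith("127."):
            key = (m["ts"], m["proto"], int(m["dport"]))
            groups[key].append(int(m["sport"]))

    bursts = []
    for (ts, proto, dport), sports in groups.items():
        if len(sports) < min_attempts:
            continue
        sports.sort()
        # Heuristic: consecutive source ports are consistent with one
        # local program retrying in quick succession.
        sequential = all(b - a == 1 for a, b in zip(sports, sports[1:]))
        bursts.append({"ts": ts, "proto": proto, "dport": dport,
                       "count": len(sports), "sports": sports,
                       "sequential": sequential})
    return sorted(bursts, key=lambda b: b["count"], reverse=True)


if __name__ == "__main__":
    for b in loopback_bursts(SAMPLE_LOG.splitlines()):
        print(b)
```
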