From owner-freebsd-questions@FreeBSD.ORG Mon Sep 1 17:44:41 2014
Date: Mon, 1 Sep 2014 19:44:31 +0200
From: Polytropon
To: "William A. Mahaffey III"
Cc: FreeBSD Questions !!!!
Subject: Re: oddball occurence ....
Message-Id: <20140901194431.f2a33b87.freebsd@edvax.de>
In-Reply-To: <540476B5.7080107@hiwaay.net>
References: <540476B5.7080107@hiwaay.net>
Organization: EDVAX
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)

On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
> i.e. someone apparently FTP-ing .... *something* to or from my computer
> ?!?!?! I don't think this should be happening (see immediately above)
> .... What gives ?!?!?!

From your output:

	tcp4   0   0  jaguar.12990   141.41.9.9.35089   ESTABLISHED
	tcp4   0   0  jaguar.23210   141.41.9.9.ftp     ESTABLISHED

Those are strange port numbers. Are you downloading something from
them? But then... ESTABLISHED doesn't mean CONNECTED... What does
"sockstat -l" say?

But there are also SSH sessions which could be scp? But that would
imply that authorized users are using it, because you probably don't
run public SSH without password on your system. :-)

Regarding the address:

> inetnum: 141.41.0.0 - 141.41.255.255
> netname: FH-WOLFENBUETTEL
> descr: Fachhochschule Braunschweig/Wolfenbuettel

That's probably NTP. The FH Braunschweig is probably in relation
(IP-wise) with the PTB which is providing a "nuclear time" input
for NTP.

http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt

You're running ntpd? The IP 41.41.9.9 is from the FH Braunschweig
range, but I can't say what particular computer. One in a lab,
compromised? It's doing TCP connections.

> Any help on this matter appreciated !!!! This box is *NOT* a public
> server, & I thought it was pretty well locked down :-/ ....

First thing: Run nmap on your public IP, just to check that your
firewall rules are correct. A nice concept is "close all ports, only
open those you need", and FTP probably is one you don't intend to
need. If you see open FTP ports, adjust your firewall rules.

Examining for strange scp connections, you can always use tcpdump on
your public interface to see what's going in and out of your machine.
Wireshark (ex Ethereal) is also a nice tool for that task.

Sidenote in relation to your signature:

> "The M1 Garand is without doubt the finest implement of war
> ever devised by man."
> -- Gen. George S. Patton Jr.

See: "If programming languages were weapons":

http://bjorn.tipling.com/if-programming-languages-were-weapons

You're obviously referring to C. ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
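As an added example that is not part of the thread, a POSIX sh/awk filter that applies the "close all ports, only open those you need" rule to netstat output: it reports listeners and established connections that are not on an allowlist of expected services, so an unexpected FTP listener or FTP session like the one quoted above stands out. The sample output is constructed around the two quoted lines; the host name jaguar, the other sockets and the allowlist (ssh, ntp) are assumptions.

```shell
#!/bin/sh
# Added example: report sockets outside an allowlist of expected services,
# i.e. "close all ports, only open those you need" applied to netstat output.
# Assumptions: host name "jaguar" (from the quoted output), expected services
# ssh and ntp, and the "netstat -an" column layout shown in SAMPLE.

EXPECTED="ssh ntp"

# Constructed sample of "netstat -an" output; only the two ESTABLISHED lines
# to 141.41.9.9 come from the thread, the rest is made up for illustration.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  jaguar.12990           141.41.9.9.35089       ESTABLISHED
tcp4       0      0  jaguar.23210           141.41.9.9.ftp         ESTABLISHED
tcp4       0      0  jaguar.ssh             192.0.2.10.51022       ESTABLISHED
tcp4       0      0  *.ssh                  *.*                    LISTEN
tcp4       0      0  *.ftp                  *.*                    LISTEN
udp4       0      0  jaguar.ntp             *.*'

# Reads netstat -an text on stdin and prints one line per suspicious socket:
#   LISTEN <proto> <local> <foreign>  listener on a port not in EXPECTED
#   CONN   <proto> <local> <foreign>  established connection where neither
#                                     end is an expected service
flag_unexpected() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    # the port name/number is the text after the last "." (jaguar.ssh, 141.41.9.9.ftp)
    function port(addr,    k) { k = match(addr, /\.[^.]*$/); return substr(addr, k + 1) }
    $1 !~ /^(tcp|udp)/ { next }
    $6 == "LISTEN" && !(port($4) in ok) { print "LISTEN", $1, $4, $5; next }
    $6 == "ESTABLISHED" && !(port($4) in ok) && !(port($5) in ok) {
        print "CONN", $1, $4, $5
    }'
}

# Run the filter over the constructed sample; on a real host use:
#   netstat -an | flag_unexpected
check_sample() {
    printf '%s\n' "$SAMPLE" | flag_unexpected
}

check_sample
```

The sample yields three lines: the two connections to 141.41.9.9 (port 12990 to 35089 looks like an FTP data channel next to the control connection on the ftp port) and the FTP listener, while the ssh session and ntp socket pass.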