Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 01 Sep 2014 13:33:03 -0500
From:      "William A. Mahaffey III" <wam@hiwaay.net>
Cc:        "FreeBSD Questions !!!!" <freebsd-questions@freebsd.org>
Subject:   Re: oddball occurence ....
Message-ID:  <5404BBDF.90804@hiwaay.net>
In-Reply-To: <20140901194431.f2a33b87.freebsd@edvax.de>
References:  <540476B5.7080107@hiwaay.net> <20140901194431.f2a33b87.freebsd@edvax.de>

next in thread | previous in thread | raw e-mail | index | archive | help

On 09/01/14 12:44, Polytropon wrote:
> On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
>> i.e. someone apparently FTP-ing .... *something* to or from my computer
>> ?!?!?! I don't think this should be happening (see immediately above)
>> .... What gives ?!?!?!
> >From your output:
>
> tcp4       0      0 jaguar.12990           141.41.9.9.35089 ESTABLISHED
> tcp4       0      0 jaguar.23210           141.41.9.9.ftp ESTABLISHED
>
> Those are strange port numbers. Are you downloading something
> from them? But then... ESTABLISHED doesn't mean CONNECTED...
>
> What does "sockstat -l" say?

Too late for that ?

>
> But there are also SSH sessions which could be scp? But that
> would imply that authorized users are using it, because you
> probably don't run publish SSH without password on your
> system. :-)


I run ssh internally & to my ISP using keys, no passwords, I thought 
that was more secure :-/ .... I am not supposed to be allowing 
connections from outside my LAN to any of my boxen ....


>
> Regarding the address:
>
>> inetnum:        141.41.0.0 - 141.41.255.255
>> netname:        FH-WOLFENBUETTEL
>> descr:          Fachhochschule Braunschweig/Wolfenbuettel
> That's probably NTP. The FH Braunschweig is probably in
> relation (IP-wise) with the PTB which is providing a
> "nuclear time" input for NTP.
>
> http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
>
> You're running ntpd?


Yeah, but w/ local server & peers only ....


>
> The IP 41.41.9.9 is from the FH Braunschweig range, but I
> can't say what particular computer. One in a lab, compromized?
> It's doing TCP connections.
>
>
>
>> Any help on this matter appreciated !!!! This box is *NOT* a public
>> server, & I thought it was pretty well locked down :-/ ....
> First thing: Run nmap on your public IP, just to check that
> your firewall rules are correct. A nice concept is "close
> all ports, only open those you need", and FTP probably is
> one you don't intend to need. If you see open FTP ports,
> adjust your firewall rules. Examining for strange scp
> connections, you can always use tcpdump on your public
> interface to see what's going in and out your machine.
> Wireshark (ex Ethereal) is also a nice tool for that task.

Tried from shell account @ my ISP, it said nmap not found, maybe need 
root to run, but that was a nogo ....

tried from inside, this box & 1 other, I get the following:

from other machine, FC14 server:


[root@Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27

Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
Nmap scan report for JAGUAR (192.168.0.27)
Host is up (0.00018s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420; 
protocol 2.0)
| ssh-hostkey: 1024 d0:27:41:28:d8:4e:28:85:27:04:d5:e2:f7:39:66:07 (DSA)
|_2048 3d:f7:0c:09:a6:03:24:c4:e7:b5:85:d4:59:d7:cc:24 (RSA)
111/tcp  open  rpcbind
| rpcinfo:
| 100000  2,3,4    111/udp  rpcbind
| 100005  1,3      849/udp  mountd
| 300019  1        928/udp  amd
| 100003  2,3     2049/udp  nfs
| 100000  2,3,4    111/tcp  rpcbind
| 100005  1,3      849/tcp  mountd
| 300019  1        907/tcp  amd
| 100003  2,3     2049/tcp  nfs
|_100000  2,3,4    111/7    rpcbind
515/tcp  open  printer BSD lpd (Unauthorized host)
2049/tcp open  rpcbind
6000/tcp open  X11     (access denied)
MAC Address: D0:50:99:13:E3:85 (Unknown)
Device type: general purpose|storage-misc|specialized
Running (JUST GUESSING) : FreeBSD 7.X|8.X|5.X|6.X|5.x (99%), VMware ESX 
Server 3.X|4.X (91%)
Aggressive OS guesses: FreeBSD 7.0-BETA4 - 7.0 (99%), FreeNAS 0.7 
(FreeBSD 7.2-RELEASE) (96%), FreeBSD 7.0-RELEASE-p1 - 8.0-CURRENT (95%), 
FreeBSD 7.1-RELEASE (95%), FreeBSD 7.2-RELEASE (95%), FreeBSD 8.0-BETA2 
- 8.0-RC2 (95%), FreeBSD 7.0-RELEASE-p2 - 7.1-PRERELEASE (95%), FreeBSD 
7.0-RELEASE (95%), FreeBSD 7.0-BETA2 (custom compiled) (94%), FreeBSD 
7.0-CURRENT (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: kabini1; OSs: FreeBSD, Unix

HOP RTT     ADDRESS
1   0.18 ms JAGUAR (192.168.0.27)

OS and Service detection performed. Please report any incorrect results 
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.70 seconds
[root@Q6600:/etc, Mon Sep 01, 01:24 PM] 1013 #


running it on myself:


[root@kabini1, /etc, 1:21:48pm] 527 %  nmap -A -T4 192.168.0.27

Starting Nmap 6.47 ( http://nmap.org ) at 2014-09-01 13:21 CDT
Warning: 192.168.0.27 giving up on port because retransmission cap hit (6).
Nmap scan report for jaguar (192.168.0.27)
Host is up (0.000084s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420; 
protocol 2.0)
| ssh-hostkey:
|   1024 d0:27:41:28:d8:4e:28:85:27:04:d5:e2:f7:39:66:07 (DSA)
|   2048 3d:f7:0c:09:a6:03:24:c4:e7:b5:85:d4:59:d7:cc:24 (RSA)
|_  256 8b:24:39:58:3e:85:79:d3:c9:47:da:85:c4:7b:33:50 (ECDSA)
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/7  rpcbind
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          849/tcp  mountd
|   100005  1,3          849/udp  mountd
|   300019  1            907/tcp  amd
|_  300019  1            928/udp  amd
515/tcp  open  printer BSD lpd (Unauthorized host)
2049/tcp open  nfs     2-3 (RPC #100003)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/7  rpcbind
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3         2049/tcp  nfs
|   100003  2,3         2049/udp  nfs
|   100005  1,3          849/tcp  mountd
|   100005  1,3          849/udp  mountd
|   300019  1            907/tcp  amd
|_  300019  1            928/udp  amd
6000/tcp open  X11     (access denied)
Device type: general purpose
Running: FreeBSD 8.X|9.X
OS CPE: cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:9
OS details: FreeBSD 8.0-BETA2 - 9.1-RELEASE
Network Distance: 0 hops
Service Info: Host: kabini1; OSs: FreeBSD, Unix; CPE: cpe:/o:freebsd:freebsd

OS and Service detection performed. Please report any incorrect results 
at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 88.49 seconds
[root@kabini1, /etc, 1:23:21pm] 528 %





>
>
>
> Sidenote in relation to your signature:
>> 	"The M1 Garand is without doubt the finest implement of war
>> 	 ever devised by man."
>>                              -- Gen. George S. Patton Jr.
> See: "If programming languages were weapons":
>
> http://bjorn.tipling.com/if-programming-languages-were-weapons
>
> You're obviously refering to C. ;-)
>
>

-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5404BBDF.90804>