Date: Mon, 1 Sep 2014 21:18:06 +0200
From: Polytropon <freebsd@edvax.de>
To: "William A. Mahaffey III" <wam@hiwaay.net>
Cc: FreeBSD Questions !!!! <freebsd-questions@freebsd.org>
Subject: Re: oddball occurence ....
Message-ID: <20140901211806.7935e5d5.freebsd@edvax.de>
In-Reply-To: <5404BBDF.90804@hiwaay.net>
References: <540476B5.7080107@hiwaay.net> <20140901194431.f2a33b87.freebsd@edvax.de> <5404BBDF.90804@hiwaay.net>

On Mon, 01 Sep 2014 13:33:03 -0500, William A. Mahaffey III wrote:
>
> On 09/01/14 12:44, Polytropon wrote:
> > On Mon, 01 Sep 2014 08:37:57 -0500, William A. Mahaffey III wrote:
> >> i.e. someone apparently FTP-ing .... *something* to or from my computer
> >> ?!?!?! I don't think this should be happening (see immediately above)
> >> .... What gives ?!?!?!
> > From your output:
> >
> > tcp4       0      0 jaguar.12990    141.41.9.9.35089    ESTABLISHED
> > tcp4       0      0 jaguar.23210    141.41.9.9.ftp      ESTABLISHED
> >
> > Those are strange port numbers. Are you downloading something
> > from them? But then... ESTABLISHED doesn't mean CONNECTED...
> >
> > What does "sockstat -l" say?
>
> Too late for that ?

That's a strange program message. :-)

> > But there are also SSH sessions which could be scp? But that
> > would imply that authorized users are using it, because you
> > probably don't run publish SSH without password on your
> > system. :-)
> >
> I run ssh internally & to my ISP using keys, no passwords, I thought
> that was more secure :-/ .... I am not supposed to be allowing
> connections from outside my LAN to any of my boxen ....

Okay, so the SSH sessions are to be expected and authorized.

> > Regarding the address:
> >
> >> inetnum: 141.41.0.0 - 141.41.255.255
> >> netname: FH-WOLFENBUETTEL
> >> descr: Fachhochschule Braunschweig/Wolfenbuettel
> > That's probably NTP. The FH Braunschweig is probably in
> > relation (IP-wise) with the PTB which is providing a
> > "nuclear time" input for NTP.
> >
> > http://en.wikipedia.org/wiki/Physikalisch-Technische_Bundesanstalt
> >
> > You're running ntpd?
> >
> Yeah, but w/ local server & peers only ....

The ntpd and ntpdate need a source to sync, maybe the PTB is
involved here? Depending on if you have "sync on start" or
"continuous monitoring", connections may appear once or from
time to time.

> Tried from shell account @ my ISP, it said nmap not found, maybe need
> root to run, but that was a nogo ....

Maybe not installed? The nmap tool is an additional program,
and running it does not require being root, only some tests
that nmap can do need to be performed as root, but a normal
TCP scan should not require it.

> tried from inside, this box & 1 other, I get the following:
>
> from other machine, FC14 server:
>
>
> [root@Q6600:/etc, Mon Sep 01, 01:23 PM] 1012 # nmap -A -T4 192.168.0.27
>
> Starting Nmap 5.21 ( http://nmap.org ) at 2014-09-01 13:24 CDT
> Nmap scan report for JAGUAR (192.168.0.27)
> Host is up (0.00018s latency).
> Not shown: 995 closed ports
> PORT     STATE SERVICE VERSION
> 22/tcp   open  ssh     OpenSSH 6.6.1_hpn13v11 (FreeBSD 20140420;
> protocol 2.0)

Intended.

> 111/tcp  open  rpcbind
> 2049/tcp open  rpcbind

That's for NFS.

> 515/tcp  open  printer BSD lpd (Unauthorized host)
> 6000/tcp open  X11     (access denied)

I don't see FTP open here. This just means you cannot FTP _into_
the machine, but you can FTP _out of_ the machine. Maybe some
download that caught your attention? Or a web browser's FTP
connection (ftp://...) to, for example, the FreeBSD FTP server?

For example, when downloading from:

	ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/amd64/10.0-RELEASE

with a web browser, I see:

	# netstat -a | grep ftp
	tcp4       0      0 r56.46684    ftp.beastie.tdk..58441 ESTABLISHED
	tcp4       0      0 r56.40750    ftp.beastie.tdk..ftp   ESTABLISHED

Ha, I think we have it now - this output looks similar to yours.
Compare:

	tcp4       0      0 jaguar.12990    141.41.9.9.35089    ESTABLISHED
	tcp4       0      0 jaguar.23210    141.41.9.9.ftp      ESTABLISHED

It seems that you've downloaded something from that machine.
This machine _is_ running a FTP server. For example, it seems
to host openoffice.org data, as well as Linux stuff. Your nmap
output suggests that _you_ are not running a FTP server.

Chasing ghosts... ;-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
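
The comparison made in the message above (netstat lines checked against the ports the host actually listens on) can be scripted. This is an added example, not part of the original e-mail. It assumes BSD-style `host.port` netstat output, takes the listening set from the nmap scan quoted in the message, and uses a hypothetical small service map; the third sample line is constructed.

```python
# Added example: classify ESTABLISHED TCP lines from BSD-style `netstat -a`.
# Heuristic only: netstat does not record which side opened a connection.

# Listening TCP ports, taken from the nmap scan quoted in the message.
LISTENING = {22, 111, 515, 2049, 6000}

# Minimal name-to-port map for names netstat prints (subset of /etc/services).
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22}

# First two lines are from the message; the third is constructed.
SAMPLE = """\
tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
tcp4 0 0 jaguar.ssh 192.168.0.5.51234 ESTABLISHED
""".splitlines()


def split_endpoint(endpoint):
    """Split BSD 'host.port' on the last dot; port may be a service name."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    return host, SERVICES.get(port)  # None if the name is unknown


def classify(lines, listening):
    conns = []
    for line in lines:
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp") and f[5] == "ESTABLISHED":
            (_, lport), (rhost, rport) = split_endpoint(f[3]), split_endpoint(f[4])
            conns.append((lport, rhost, rport))
    # Remote hosts we hold an FTP control connection to (we are the client).
    ftp_peers = {rh for lp, rh, rp in conns if rp == 21 and lp not in listening}
    out = []
    for lport, rhost, rport in conns:
        if lport in listening:
            verdict = "inbound to local service"
        elif rport == 21:
            verdict = "outbound FTP control"
        elif rhost in ftp_peers and rport == 20:
            verdict = "FTP data, active mode (opened by server)"
        elif rhost in ftp_peers:
            verdict = "FTP data, passive mode (opened by client)"
        else:
            verdict = "outbound, other"
        out.append((lport, rhost, rport, verdict))
    return out


if __name__ == "__main__":
    for row in classify(SAMPLE, LISTENING):
        print(row)
```

On a live host the listening set would come from `sockstat -l` rather than a remote scan, and any connection whose local port is not in that set was not accepted by a standing service.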