<p dir="ltr">It looks like a distfile/package mirror. Were you running any port installs or upgrades in the background?</p>
<div class="gmail_quote">On Sep 1, 2014 8:32 AM, "William A. Mahaffey III" <<a href="mailto:wam@hiwaay.net">wam@hiwaay.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
.... I have been online for the last hour or so, E-mails, a bit of browsing, etc. I noticed my DSL modem light was flashing furiously, indicating traffic. I wasn't doing anything right then, so I poked around a bit:<br>
<br>
<br>
[root@kabini1, /etc, 8:27:40am] 461 % netstat<br>
Active Internet connections<br>
Proto Recv-Q Send-Q Local Address Foreign Address (state)<br>
tcp4 0 0 jaguar.56481 fly.hiwaay.net.pop3 LAST_ACK<br>
tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED<br>
tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED<br>
tcp4 0 0 jaguar.796 q6600.nfsd CLOSED<br>
tcp4 0 0 jaguar.946 opty165a.nfsd CLOSED<br>
tcp4 0 0 jaguar.609 opty165a.nfsd CLOSED<br>
tcp4 0 0 jaguar.656 cube.nfsd CLOSED<br>
tcp4 0 0 jaguar.64819 cube.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.51061 cube.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.18555 cube.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.59878 q6600.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.42428 q6600.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.55008 q6600.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.34995 q6600.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.24529 q6600.ssh ESTABLISHED<br>
tcp4 0 0 jaguar.18288 q6600.ssh ESTABLISHED<br>
udp4 0 0 localhost.ntp *.*<br>
udp6 0 0 fe80:9::1.ntp *.*<br>
udp6 0 0 localhost.ntp *.*<br>
udp6 0 0 fe80:1::d250:99f.ntp *.*<br>
udp4 0 0 jaguar.ntp *.*<br>
udp4 0 0 localhost.701 localhost.exp2<br>
udp4 0 0 localhost.760 localhost.exp2<br>
Active UNIX domain sockets<br>
<br>
<snip><br>
<br>
[root@kabini1, /etc, 8:30:10am] 462 % ipfw show<br>
00100 13986 1407718 allow ip from any to any via lo0<br>
00200 0 0 deny ip from any to <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a><br>
00300 0 0 deny ip from <a href="http://127.0.0.0/8" target="_blank">127.0.0.0/8</a> to any<br>
00400 0 0 deny ip from any to ::1<br>
00500 0 0 deny ip from ::1 to any<br>
00600 0 0 allow ipv6-icmp from :: to ff02::/16<br>
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10<br>
00800 2 152 allow ipv6-icmp from fe80::/10 to ff02::/16<br>
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1<br>
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136<br>
01100 0 0 check-state<br>
01200 42560 2786580 allow tcp from me to any established<br>
01300 5405049 <a href="tel:5134760747" value="+15134760747" target="_blank">5134760747</a> allow tcp from me to any setup keep-state<br>
01400 93689 7505177 allow udp from me to any keep-state<br>
01500 286 22736 allow icmp from me to any keep-state<br>
01600 0 0 allow ipv6-icmp from me to any keep-state<br>
01700 0 0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out<br>
01800 0 0 allow udp from any 67 to me dst-port 68 in<br>
01900 0 0 allow udp from any 67 to 255.255.255.255 dst-port 68 in<br>
02000 0 0 allow udp from fe80::/10 to me dst-port 546 in<br>
02100 0 0 allow icmp from any to any icmptypes 8<br>
02200 0 0 allow ipv6-icmp from any to any ip6 icmp6types 128,129<br>
02300 1866 104640 allow icmp from any to any icmptypes 3,4,11<br>
02400 0 0 allow ipv6-icmp from any to any ip6 icmp6types 3<br>
02500 68928 93614292 allow tcp from <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> to me<br>
65000 8026 1595948 count ip from any to any<br>
65100 7955 1584861 deny { tcp or udp } from any to any dst-port 111,137,138,513 in<br>
65200 0 0 deny { tcp or udp } from <a href="http://192.168.0.0/16" target="_blank">192.168.0.0/16</a> to me<br>
65300 0 0 deny ip from any to 255.255.255.255<br>
65400 0 0 deny ip from any to <a href="http://224.0.0.0/24" target="_blank">224.0.0.0/24</a> in<br>
65500 0 0 deny udp from any to any dst-port 520 in<br>
65500 51 9692 deny tcp from any 80,443 to any dst-port 1024-65535 in<br>
65500 20 1395 deny log logamount 5000 ip from any to any<br>
65535 0 0 deny ip from any to any<br>
[root@kabini1, /etc, 8:30:34am] 463 % service ftpd status<br>
Cannot 'status' ftpd. Set ftpd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.<br>
[root@kabini1, /etc, 8:31:14am] 464 % service ftpd onestatus<br>
ftpd is not running.<br>
[root@kabini1, /etc, 8:31:18am] 465 % service inetd status<br>
Cannot 'status' inetd. Set inetd_enable to YES in /etc/rc.conf or use 'onestatus' instead of 'status'.<br>
[root@kabini1, /etc, 8:31:25am] 466 % service inetd onestatus<br>
inetd is not running.<br>
[root@kabini1, /etc, 8:31:30am] 467 %<br>
<br>
i.e. someone apparently FTP-ing .... *something* to or from my computer ?!?!?! I don't think this should be happening (see immediately above) .... What gives ?!?!?!<br>
<br>
<br>
whois on that address shows:<br>
<br>
<br>
[root@kabini1, /etc, 8:17:32am] 529 % whois 141.41.9.9<br>
<br>
#<br>
# ARIN WHOIS data and services are subject to the Terms of Use<br>
# available at: <a href="https://www.arin.net/whois_tou.html" target="_blank">https://www.arin.net/whois_<u></u>tou.html</a><br>
#<br>
# If you see inaccuracies in the results, please report at<br>
# <a href="http://www.arin.net/public/whoisinaccuracy/index.xhtml" target="_blank">http://www.arin.net/public/<u></u>whoisinaccuracy/index.xhtml</a><br>
#<br>
<br>
<br>
#<br>
# Query terms are ambiguous. The query is assumed to be:<br>
# "n 141.41.9.9"<br>
#<br>
# Use "?" to get help.<br>
#<br>
<br>
#<br>
# The following results may also be obtained via:<br>
# <a href="http://whois.arin.net/rest/nets;q=141.41.9.9?showDetails=true&showARIN=false&ext=netref2" target="_blank">http://whois.arin.net/rest/<u></u>nets;q=141.41.9.9?showDetails=<u></u>true&showARIN=false&ext=<u></u>netref2</a><br>
#<br>
<br>
NetRange: 141.0.0.0 - 141.255.255.255<br>
CIDR: <a href="http://141.0.0.0/8" target="_blank">141.0.0.0/8</a><br>
OriginAS:<br>
NetName: RIPE-ERX-141<br>
NetHandle: NET-141-0-0-0-0<br>
Parent:<br>
NetType: Early Registrations, Maintained by RIPE NCC<br>
Comment: These addresses have been further assigned to users in<br>
Comment: the RIPE NCC region. Contact information can be found in<br>
Comment: the RIPE database at <a href="http://www.ripe.net/whois" target="_blank">http://www.ripe.net/whois</a><br>
RegDate: 1993-05-01<br>
Updated: 2009-05-18<br>
Ref: <a href="http://whois.arin.net/rest/net/NET-141-0-0-0-0" target="_blank">http://whois.arin.net/rest/<u></u>net/NET-141-0-0-0-0</a><br>
<br>
OrgName: RIPE Network Coordination Centre<br>
OrgId: RIPE<br>
Address: P.O. Box 10096<br>
City: Amsterdam<br>
StateProv:<br>
PostalCode: 1001EB<br>
Country: NL<br>
RegDate:<br>
Updated: 2013-07-29<br>
Ref: <a href="http://whois.arin.net/rest/org/RIPE" target="_blank">http://whois.arin.net/rest/<u></u>org/RIPE</a><br>
<br>
ReferralServer: whois://<a href="http://whois.ripe.net:43" target="_blank">whois.ripe.net:43</a><br>
<br>
OrgAbuseHandle: ABUSE3850-ARIN<br>
OrgAbuseName: Abuse Contact<br>
OrgAbusePhone: <a href="tel:%2B31205354444" value="+31205354444" target="_blank">+31205354444</a><br>
OrgAbuseEmail: <a href="mailto:abuse@ripe.net" target="_blank">abuse@ripe.net</a><br>
OrgAbuseRef: <a href="http://whois.arin.net/rest/poc/ABUSE3850-ARIN" target="_blank">http://whois.arin.net/rest/<u></u>poc/ABUSE3850-ARIN</a><br>
<br>
OrgTechHandle: RNO29-ARIN<br>
OrgTechName: RIPE NCC Operations<br>
OrgTechPhone: <a href="tel:%2B31%2020%20535%204444" value="+31205354444" target="_blank">+31 20 535 4444</a><br>
OrgTechEmail: <a href="mailto:hostmaster@ripe.net" target="_blank">hostmaster@ripe.net</a><br>
OrgTechRef: <a href="http://whois.arin.net/rest/poc/RNO29-ARIN" target="_blank">http://whois.arin.net/rest/<u></u>poc/RNO29-ARIN</a><br>
<br>
<br>
#<br>
# ARIN WHOIS data and services are subject to the Terms of Use<br>
# available at: <a href="https://www.arin.net/whois_tou.html" target="_blank">https://www.arin.net/whois_<u></u>tou.html</a><br>
#<br>
# If you see inaccuracies in the results, please report at<br>
# <a href="http://www.arin.net/public/whoisinaccuracy/index.xhtml" target="_blank">http://www.arin.net/public/<u></u>whoisinaccuracy/index.xhtml</a><br>
#<br>
<br>
% This is the RIPE Database query service.<br>
% The objects are in RPSL format.<br>
%<br>
% The RIPE Database is subject to Terms and Conditions.<br>
% See <a href="http://www.ripe.net/db/support/db-terms-conditions.pdf" target="_blank">http://www.ripe.net/db/<u></u>support/db-terms-conditions.<u></u>pdf</a><br>
<br>
% Note: this output has been filtered.<br>
% To receive output for a database update, use the "-B" flag.<br>
<br>
% Information related to '141.41.0.0 - 141.41.255.255'<br>
<br>
% No abuse contact registered for 141.41.0.0 - 141.41.255.255<br>
<br>
inetnum: 141.41.0.0 - 141.41.255.255<br>
netname: FH-WOLFENBUETTEL<br>
descr: Fachhochschule Braunschweig/Wolfenbuettel<br>
descr: Wolfenbuettel<br>
country: DE<br>
admin-c: CK405-RIPE<br>
tech-c: CK405-RIPE<br>
status: LEGACY<br>
remarks: For information on "status:" attribute read <a href="https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources" target="_blank">https://www.ripe.net/data-<u></u>tools/db/faq/faq-status-<u></u>values-legacy-resources</a><br>
mnt-by: RIPE-NCC-HM-PI-MNT<br>
mnt-lower: RIPE-NCC-HM-PI-MNT<br>
mnt-by: DFN-LIR-MNT<br>
mnt-irt: IRT-DFN-CERT<br>
mnt-routes: DFN-MNT<br>
source: RIPE # Filtered<br>
<br>
person: Claudia Keune<br>
address: Ostfalia Hochschule fuer angewandte Wissenschaften<br>
address: Rechenzentrum<br>
address: Salzdahlumer Str. 46/48<br>
address: 38302 Wolfenbuettel<br>
address: Germany<br>
phone: <a href="tel:%2B49%205331%20939%2019210" value="+49533193919210" target="_blank">+49 5331 939 19210</a><br>
fax-no: <a href="tel:%2B49%205331%20939%2019102" value="+49533193919102" target="_blank">+49 5331 939 19102</a><br>
nic-hdl: CK405-RIPE<br>
mnt-by: DFN-NTFY<br>
source: RIPE # Filtered<br>
<br>
% Information related to '<a href="http://141.41.0.0/16AS680" target="_blank">141.41.0.0/16AS680</a>'<br>
<br>
route: <a href="http://141.41.0.0/16" target="_blank">141.41.0.0/16</a><br>
descr: DFN-FH-WOLF<br>
origin: AS680<br>
mnt-by: DFN-MNT<br>
source: RIPE # Filtered<br>
<br>
% This query was served by the RIPE Database Query Service version 1.75 (DB-3)<br>
<br>
<br>
You have new mail.<br>
[root@kabini1, /etc, 8:28:36am] 530 %<br>
<br>
<br>
Any help on this matter appreciated !!!! This box is *NOT* a public server, & I thought it was pretty well locked down :-/ ....<br>
<br>
<br>
<br>
<br>
-- <br>
<br>
William A. Mahaffey III<br>
<br>
------------------------------<u></u>------------------------------<u></u>----------<br>
<br>
"The M1 Garand is without doubt the finest implement of war<br>
ever devised by man."<br>
-- Gen. George S. Patton Jr.<br>
<br>
______________________________<u></u>_________________<br>
LUNA mailing list<br>
<a href="mailto:LUNA@lunagroup.us" target="_blank">LUNA@lunagroup.us</a><br>
<a href="http://lunagroup.us/mailman/listinfo/luna" target="_blank">http://lunagroup.us/mailman/<u></u>listinfo/luna</a><br>
</blockquote></div>