[LUNA] oddball occurence ....

William A. Mahaffey III wam at hiwaay.net
Mon Sep 1 08:38:25 CDT 2014



.... I have been online for the last hour or so, E-mails, a bit of 
browsing, etc. I noticed my DSL modem light was flashing furiously, 
indicating traffic. I wasn't doing anything right then, so I poked 
around a bit:


[root at kabini1, /etc, 8:27:40am] 461 %  netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address          Foreign Address (state)
tcp4       0      0 jaguar.56481           fly.hiwaay.net.pop3 LAST_ACK
tcp4       0      0 jaguar.12990           141.41.9.9.35089 ESTABLISHED
tcp4       0      0 jaguar.23210           141.41.9.9.ftp ESTABLISHED
tcp4       0      0 jaguar.796             q6600.nfsd CLOSED
tcp4       0      0 jaguar.946             opty165a.nfsd CLOSED
tcp4       0      0 jaguar.609             opty165a.nfsd CLOSED
tcp4       0      0 jaguar.656             cube.nfsd CLOSED
tcp4       0      0 jaguar.64819           cube.ssh ESTABLISHED
tcp4       0      0 jaguar.51061           cube.ssh ESTABLISHED
tcp4       0      0 jaguar.18555           cube.ssh ESTABLISHED
tcp4       0      0 jaguar.59878           q6600.ssh ESTABLISHED
tcp4       0      0 jaguar.42428           q6600.ssh ESTABLISHED
tcp4       0      0 jaguar.55008           q6600.ssh ESTABLISHED
tcp4       0      0 jaguar.34995           q6600.ssh ESTABLISHED
tcp4       0      0 jaguar.24529           q6600.ssh ESTABLISHED
tcp4       0      0 jaguar.18288           q6600.ssh ESTABLISHED
udp4       0      0 localhost.ntp          *.*
udp6       0      0 fe80:9::1.ntp          *.*
udp6       0      0 localhost.ntp          *.*
udp6       0      0 fe80:1::d250:99f.ntp   *.*
udp4       0      0 jaguar.ntp             *.*
udp4       0      0 localhost.701          localhost.exp2
udp4       0      0 localhost.760          localhost.exp2
Active UNIX domain sockets

<snip>

[root at kabini1, /etc, 8:30:10am] 462 %  ipfw show
00100   13986    1407718 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00400       0          0 deny ip from any to ::1
00500       0          0 deny ip from ::1 to any
00600       0          0 allow ipv6-icmp from :: to ff02::/16
00700       0          0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800       2        152 allow ipv6-icmp from fe80::/10 to ff02::/16
00900       0          0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000       0          0 allow ipv6-icmp from any to any ip6 icmp6types 
2,135,136
01100       0          0 check-state
01200   42560    2786580 allow tcp from me to any established
01300 5405049 5134760747 allow tcp from me to any setup keep-state
01400   93689    7505177 allow udp from me to any keep-state
01500     286      22736 allow icmp from me to any keep-state
01600       0          0 allow ipv6-icmp from me to any keep-state
01700       0          0 allow udp from 0.0.0.0 68 to 255.255.255.255 
dst-port 67 out
01800       0          0 allow udp from any 67 to me dst-port 68 in
01900       0          0 allow udp from any 67 to 255.255.255.255 
dst-port 68 in
02000       0          0 allow udp from fe80::/10 to me dst-port 546 in
02100       0          0 allow icmp from any to any icmptypes 8
02200       0          0 allow ipv6-icmp from any to any ip6 icmp6types 
128,129
02300    1866     104640 allow icmp from any to any icmptypes 3,4,11
02400       0          0 allow ipv6-icmp from any to any ip6 icmp6types 3
02500   68928   93614292 allow tcp from 192.168.0.0/16 to me
65000    8026    1595948 count ip from any to any
65100    7955    1584861 deny { tcp or udp } from any to any dst-port 
111,137,138,513 in
65200       0          0 deny { tcp or udp } from 192.168.0.0/16 to me
65300       0          0 deny ip from any to 255.255.255.255
65400       0          0 deny ip from any to 224.0.0.0/24 in
65500       0          0 deny udp from any to any dst-port 520 in
65500      51       9692 deny tcp from any 80,443 to any dst-port 
1024-65535 in
65500      20       1395 deny log logamount 5000 ip from any to any
65535       0          0 deny ip from any to any
[root at kabini1, /etc, 8:30:34am] 463 %  service  ftpd  status
Cannot 'status' ftpd. Set ftpd_enable to YES in /etc/rc.conf or use 
'onestatus' instead of 'status'.
[root at kabini1, /etc, 8:31:14am] 464 %  service ftpd onestatus
ftpd is not running.
[root at kabini1, /etc, 8:31:18am] 465 %  service inetd status
Cannot 'status' inetd. Set inetd_enable to YES in /etc/rc.conf or use 
'onestatus' instead of 'status'.
[root at kabini1, /etc, 8:31:25am] 466 %  service inetd onestatus
inetd is not running.
[root at kabini1, /etc, 8:31:30am] 467 %

i.e. someone apparently FTP-ing .... *something* to or from my computer 
?!?!?! I don't think this should be happening (see immediately above) 
.... What gives ?!?!?!


whois on that address shows:


[root at kabini1, /etc, 8:17:32am] 529 %  whois 141.41.9.9

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 141.41.9.9"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# 
http://whois.arin.net/rest/nets;q=141.41.9.9?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       141.0.0.0 - 141.255.255.255
CIDR:           141.0.0.0/8
OriginAS:
NetName:        RIPE-ERX-141
NetHandle:      NET-141-0-0-0-0
Parent:
NetType:        Early Registrations, Maintained by RIPE NCC
Comment:        These addresses have been further assigned to users in
Comment:        the RIPE NCC region.  Contact information can be found in
Comment:        the RIPE database at http://www.ripe.net/whois
RegDate:        1993-05-01
Updated:        2009-05-18
Ref:            http://whois.arin.net/rest/net/NET-141-0-0-0-0

OrgName:        RIPE Network Coordination Centre
OrgId:          RIPE
Address:        P.O. Box 10096
City:           Amsterdam
StateProv:
PostalCode:     1001EB
Country:        NL
RegDate:
Updated:        2013-07-29
Ref:            http://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net:43

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName:   Abuse Contact
OrgAbusePhone:  +31205354444
OrgAbuseEmail:  abuse at ripe.net
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE3850-ARIN

OrgTechHandle: RNO29-ARIN
OrgTechName:   RIPE NCC Operations
OrgTechPhone:  +31 20 535 4444
OrgTechEmail:  hostmaster at ripe.net
OrgTechRef:    http://whois.arin.net/rest/poc/RNO29-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '141.41.0.0 - 141.41.255.255'

% No abuse contact registered for 141.41.0.0 - 141.41.255.255

inetnum:        141.41.0.0 - 141.41.255.255
netname:        FH-WOLFENBUETTEL
descr:          Fachhochschule Braunschweig/Wolfenbuettel
descr:          Wolfenbuettel
country:        DE
admin-c:        CK405-RIPE
tech-c:         CK405-RIPE
status:         LEGACY
remarks:        For information on "status:" attribute read 
https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
mnt-by:         RIPE-NCC-HM-PI-MNT
mnt-lower:      RIPE-NCC-HM-PI-MNT
mnt-by:         DFN-LIR-MNT
mnt-irt:        IRT-DFN-CERT
mnt-routes:     DFN-MNT
source:         RIPE # Filtered

person:         Claudia Keune
address:        Ostfalia Hochschule fuer angewandte Wissenschaften
address:        Rechenzentrum
address:        Salzdahlumer Str. 46/48
address:        38302 Wolfenbuettel
address:        Germany
phone:          +49 5331 939 19210
fax-no:         +49 5331 939 19102
nic-hdl:        CK405-RIPE
mnt-by:         DFN-NTFY
source:         RIPE # Filtered

% Information related to '141.41.0.0/16AS680'

route:          141.41.0.0/16
descr:          DFN-FH-WOLF
origin:         AS680
mnt-by:         DFN-MNT
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.75 
(DB-3)


You have new mail.
[root at kabini1, /etc, 8:28:36am] 530 %


Any help on this matter appreciated !!!! This box is *NOT* a public 
server, & I thought it was pretty well locked down :-/ ....




-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.



More information about the LUNA mailing list