[LUNA] oddball occurrence ....
William A. Mahaffey III
wam at hiwaay.net
Mon Sep 1 08:38:25 CDT 2014
.... I have been online for the last hour or so, E-mails, a bit of
browsing, etc. I noticed my DSL modem light was flashing furiously,
indicating traffic. I wasn't doing anything right then, so I poked
around a bit:
[root at kabini1, /etc, 8:27:40am] 461 % netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 jaguar.56481 fly.hiwaay.net.pop3 LAST_ACK
tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
tcp4 0 0 jaguar.796 q6600.nfsd CLOSED
tcp4 0 0 jaguar.946 opty165a.nfsd CLOSED
tcp4 0 0 jaguar.609 opty165a.nfsd CLOSED
tcp4 0 0 jaguar.656 cube.nfsd CLOSED
tcp4 0 0 jaguar.64819 cube.ssh ESTABLISHED
tcp4 0 0 jaguar.51061 cube.ssh ESTABLISHED
tcp4 0 0 jaguar.18555 cube.ssh ESTABLISHED
tcp4 0 0 jaguar.59878 q6600.ssh ESTABLISHED
tcp4 0 0 jaguar.42428 q6600.ssh ESTABLISHED
tcp4 0 0 jaguar.55008 q6600.ssh ESTABLISHED
tcp4 0 0 jaguar.34995 q6600.ssh ESTABLISHED
tcp4 0 0 jaguar.24529 q6600.ssh ESTABLISHED
tcp4 0 0 jaguar.18288 q6600.ssh ESTABLISHED
udp4 0 0 localhost.ntp *.*
udp6 0 0 fe80:9::1.ntp *.*
udp6 0 0 localhost.ntp *.*
udp6 0 0 fe80:1::d250:99f.ntp *.*
udp4 0 0 jaguar.ntp *.*
udp4 0 0 localhost.701 localhost.exp2
udp4 0 0 localhost.760 localhost.exp2
Active UNIX domain sockets
<snip>
[root at kabini1, /etc, 8:30:10am] 462 % ipfw show
00100 13986 1407718 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
00300 0 0 deny ip from 127.0.0.0/8 to any
00400 0 0 deny ip from any to ::1
00500 0 0 deny ip from ::1 to any
00600 0 0 allow ipv6-icmp from :: to ff02::/16
00700 0 0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 2 152 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 0 0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 0 0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
01100 0 0 check-state
01200 42560 2786580 allow tcp from me to any established
01300 5405049 5134760747 allow tcp from me to any setup keep-state
01400 93689 7505177 allow udp from me to any keep-state
01500 286 22736 allow icmp from me to any keep-state
01600 0 0 allow ipv6-icmp from me to any keep-state
01700 0 0 allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
01800 0 0 allow udp from any 67 to me dst-port 68 in
01900 0 0 allow udp from any 67 to 255.255.255.255 dst-port 68 in
02000 0 0 allow udp from fe80::/10 to me dst-port 546 in
02100 0 0 allow icmp from any to any icmptypes 8
02200 0 0 allow ipv6-icmp from any to any ip6 icmp6types 128,129
02300 1866 104640 allow icmp from any to any icmptypes 3,4,11
02400 0 0 allow ipv6-icmp from any to any ip6 icmp6types 3
02500 68928 93614292 allow tcp from 192.168.0.0/16 to me
65000 8026 1595948 count ip from any to any
65100 7955 1584861 deny { tcp or udp } from any to any dst-port 111,137,138,513 in
65200 0 0 deny { tcp or udp } from 192.168.0.0/16 to me
65300 0 0 deny ip from any to 255.255.255.255
65400 0 0 deny ip from any to 224.0.0.0/24 in
65500 0 0 deny udp from any to any dst-port 520 in
65500 51 9692 deny tcp from any 80,443 to any dst-port 1024-65535 in
65500 20 1395 deny log logamount 5000 ip from any to any
65535 0 0 deny ip from any to any
[root at kabini1, /etc, 8:30:34am] 463 % service ftpd status
Cannot 'status' ftpd. Set ftpd_enable to YES in /etc/rc.conf or use
'onestatus' instead of 'status'.
[root at kabini1, /etc, 8:31:14am] 464 % service ftpd onestatus
ftpd is not running.
[root at kabini1, /etc, 8:31:18am] 465 % service inetd status
Cannot 'status' inetd. Set inetd_enable to YES in /etc/rc.conf or use
'onestatus' instead of 'status'.
[root at kabini1, /etc, 8:31:25am] 466 % service inetd onestatus
inetd is not running.
[root at kabini1, /etc, 8:31:30am] 467 %
i.e. someone is apparently FTP-ing .... *something* to or from my computer
?!?!?! I don't think this should be happening (see immediately above)
.... What gives ?!?!?!
whois on that address shows:
[root at kabini1, /etc, 8:17:32am] 529 % whois 141.41.9.9
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# Query terms are ambiguous. The query is assumed to be:
# "n 141.41.9.9"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
#
# http://whois.arin.net/rest/nets;q=141.41.9.9?showDetails=true&showARIN=false&ext=netref2
#
NetRange: 141.0.0.0 - 141.255.255.255
CIDR: 141.0.0.0/8
OriginAS:
NetName: RIPE-ERX-141
NetHandle: NET-141-0-0-0-0
Parent:
NetType: Early Registrations, Maintained by RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1993-05-01
Updated: 2009-05-18
Ref: http://whois.arin.net/rest/net/NET-141-0-0-0-0
OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: http://whois.arin.net/rest/org/RIPE
ReferralServer: whois://whois.ripe.net:43
OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse at ripe.net
OrgAbuseRef: http://whois.arin.net/rest/poc/ABUSE3850-ARIN
OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster at ripe.net
OrgTechRef: http://whois.arin.net/rest/poc/RNO29-ARIN
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '141.41.0.0 - 141.41.255.255'
% No abuse contact registered for 141.41.0.0 - 141.41.255.255
inetnum: 141.41.0.0 - 141.41.255.255
netname: FH-WOLFENBUETTEL
descr: Fachhochschule Braunschweig/Wolfenbuettel
descr: Wolfenbuettel
country: DE
admin-c: CK405-RIPE
tech-c: CK405-RIPE
status: LEGACY
remarks: For information on "status:" attribute read https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: DFN-LIR-MNT
mnt-irt: IRT-DFN-CERT
mnt-routes: DFN-MNT
source: RIPE # Filtered
person: Claudia Keune
address: Ostfalia Hochschule fuer angewandte Wissenschaften
address: Rechenzentrum
address: Salzdahlumer Str. 46/48
address: 38302 Wolfenbuettel
address: Germany
phone: +49 5331 939 19210
fax-no: +49 5331 939 19102
nic-hdl: CK405-RIPE
mnt-by: DFN-NTFY
source: RIPE # Filtered
% Information related to '141.41.0.0/16AS680'
route: 141.41.0.0/16
descr: DFN-FH-WOLF
origin: AS680
mnt-by: DFN-MNT
source: RIPE # Filtered
% This query was served by the RIPE Database Query Service version 1.75 (DB-3)
You have new mail.
[root at kabini1, /etc, 8:28:36am] 530 %
Any help on this matter appreciated !!!! This box is *NOT* a public
server, & I thought it was pretty well locked down :-/ ....
--
William A. Mahaffey III
----------------------------------------------------------------------
"The M1 Garand is without doubt the finest implement of war
ever devised by man."
-- Gen. George S. Patton Jr.
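Reading the netstat listing in the post: both rows for 141.41.9.9 have jaguar on an ephemeral port (23210, 12990) and the remote side on the ftp service port or a high port, and the only ipfw rule that permits such a flow is 01300, "allow tcp from me to any setup keep-state", i.e. a connection this host opened. A local ftpd is never involved in that pattern. The script below is an added example, not code from the post or the LUNA list; it parses BSD-style netstat rows (the ones copied here are from the listing above) and tags each TCP row by direction, including the passive-mode FTP data channel that appears as a second, all-high-port connection to the same host. The SERVICE_PORTS table is an assumed subset of /etc/services. The step it cannot do offline is attributing the socket to a process; on FreeBSD that is `sockstat -4 -c -P tcp` (or `lsof -i`) run while the connection is open.

```python
"""Classify the TCP rows of a BSD-style `netstat` listing by direction.

Added example, not from the original post. netstat does not record which
side opened a connection, but on a host whose firewall allows outbound
`setup keep-state` and denies most inbound traffic, the port pattern tells
you: an ephemeral local port talking to a service port on the far end is a
connection *this* host opened.
"""
import re

# Service names as BSD netstat prints them. Assumed subset of /etc/services.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "pop3": 110, "nfsd": 2049,
                 "http": 80, "https": 443, "ntp": 123}

# Sample input: rows copied from the netstat listing in the post above.
NETSTAT_SAMPLE = """\
tcp4 0 0 jaguar.56481 fly.hiwaay.net.pop3 LAST_ACK
tcp4 0 0 jaguar.12990 141.41.9.9.35089 ESTABLISHED
tcp4 0 0 jaguar.23210 141.41.9.9.ftp ESTABLISHED
tcp4 0 0 jaguar.796 q6600.nfsd CLOSED
tcp4 0 0 jaguar.64819 cube.ssh ESTABLISHED
udp4 0 0 jaguar.ntp *.*
"""

# proto recv-q send-q local foreign state
ROW = re.compile(r"^(tcp[46])\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_endpoint(endpoint):
    """'141.41.9.9.35089' -> ('141.41.9.9', '35089').

    BSD netstat joins host and port with a dot, so split on the last one.
    """
    host, _, port = endpoint.rpartition(".")
    return host, port


def port_number(port):
    """Numeric port for a netstat port field, or None if the name is unknown."""
    return int(port) if port.isdigit() else SERVICE_PORTS.get(port)


def direction(local_port, foreign_port):
    """Which side is the server, judged from the port pattern.

    A named or privileged (<1024) port marks the server side. NFS is the
    classic exception: the *client* binds a reserved port locally, so a
    named foreign service wins over a low numeric local port.
    """
    if not foreign_port.isdigit():
        return "outbound"          # far end is a named service: we are the client
    if not local_port.isdigit():
        return "inbound"           # we are the named service
    lp, fp = int(local_port), int(foreign_port)
    if fp < 1024 <= lp:
        return "outbound"
    if lp < 1024 <= fp:
        return "inbound"
    return "unknown"               # both ephemeral: data channel or peer-to-peer


def classify(netstat_text):
    """Parse TCP rows and tag each with a direction.

    A second connection to a host we already talk to on ftp, with both ports
    ephemeral, is tagged as the passive-mode FTP data channel: the client
    opens it to a high port the server announced in its PASV reply.
    """
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                # udp rows, headers, unix-domain sockets
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local": (lhost, lport),
                     "foreign": (fhost, fport), "state": state,
                     "direction": direction(lport, fport)})
    ftp_peers = {r["foreign"][0] for r in rows if r["foreign"][1] == "ftp"}
    for r in rows:
        if r["direction"] == "unknown" and r["foreign"][0] in ftp_peers:
            r["direction"] = "outbound (ftp passive data channel)"
    return rows


def connections_to(rows, host):
    """All rows whose far end is `host`, e.g. the address that raised concern."""
    return [r for r in rows if r["foreign"][0] == host]


if __name__ == "__main__":
    for r in connections_to(classify(NETSTAT_SAMPLE), "141.41.9.9"):
        print(r["local"], "->", r["foreign"], r["state"], r["direction"])
```

Both 141.41.9.9 rows come out tagged outbound: the control channel because the far end is the named ftp service, the second because it is an all-high-port connection to a host already reached on ftp. The next question is therefore which local process holds local port 23210, not whether ftpd or inetd is listening.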