Hi
Does anyone know what this might be about ? Fedora 23 with a Gnome/KDE/LXDE desktop...
netstat -nap | grep :21 shows....
tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
netstat -aunt shows...
tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
I'm not running an FTP application. It's almost as if the desktop is doing this on its own. Don't know why there is an established connection to 195.154.162.172. Anyone make any suggestions? If I do whois 195.154.162.172 I get.....
inetnum:        195.154.128.0 - 195.154.255.255
org:            ORG-ONLI1-RIPE
netname:        FR-ILIAD-ENTREPRISES-CUSTOMERS
descr:          Iliad Entreprises Customers
country:        FR
admin-c:        IENT-RIPE
tech-c:         IENT-RIPE
status:         LIR-PARTITIONED PA
mnt-by:         MNT-TISCALIFR-B2B
created:        2012-11-02T15:34:28Z
last-modified:  2016-02-22T16:27:14Z
source:         RIPE

organisation:   ORG-ONLI1-RIPE
abuse-mailbox:  abuse@online.net
mnt-ref:        MNT-TISCALIFR-B2B
org-name:       ONLINE SAS
org-type:       OTHER
address:        8 rue de la ville l'eveque 75008 PARIS
abuse-c:        AR32851-RIPE
mnt-ref:        ONLINESAS-MNT
mnt-by:         ONLINESAS-MNT
created:        2015-07-10T15:20:41Z
last-modified:  2016-02-23T16:20:42Z
source:         RIPE # Filtered

role:           Iliad Entreprises Admin and Tech Contact
remarks:        Iliad Entreprises is an hosting and services provider
address:        8, rue de la ville l'eveque
address:        75008 Paris
address:        France
phone:          +33 1 73 50 20 00
fax-no:         +33 1 73 50 29 01
abuse-mailbox:  abuse@online.net
tech-c:         NLI-RIPE
nic-hdl:        IENT-RIPE
mnt-by:         ONLINE-NET-MNT
created:        2012-10-25T13:21:59Z
last-modified:  2016-02-23T11:42:21Z
source:         RIPE # Filtered
On 03/04/16 19:45, Richard Ibbotson wrote:
> Hi
> Does anyone know what this might be about? Fedora 23 with a Gnome/KDE/LXDE desktop...
> netstat -nap | grep :21 shows....
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
> netstat -aunt shows...
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
> I'm not running an FTP application. It's almost as if the desktop is doing this on its own. Don't know why there is an established connection to 195.154.162.172. Anyone make any suggestions? If I do whois 195.154.162.172 I get.....
195.154.162.172 is not running an FTP server on port 21.
[root@meimei ~]# telnet 195.154.162.172 21
Trying 195.154.162.172...
Connected to 195.154.162.172.
Escape character is '^]'.
Does not return an FTP server login.
You should run...
netstat -nap | grep :60088 to determine what process is connecting.
This should give you a hint as to what is going on.
On Mar 4 20:21, Ed Greshko wrote:
> On 03/04/16 19:45, Richard Ibbotson wrote:
>> Hi
>> Does anyone know what this might be about? Fedora 23 with a Gnome/KDE/LXDE desktop...
>> netstat -nap | grep :21 shows....
>> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
>> netstat -aunt shows...
>> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
>> I'm not running an FTP application. It's almost as if the desktop is doing this on its own. Don't know why there is an established connection to 195.154.162.172. Anyone make any suggestions? If I do whois 195.154.162.172 I get.....
> 195.154.162.172 is not running an FTP server on port 21.
> [root@meimei ~]# telnet 195.154.162.172 21
> Trying 195.154.162.172...
> Connected to 195.154.162.172.
> Escape character is '^]'.
> Does not return an FTP server login.
> You should run...
> netstat -nap | grep :60088 to determine what process is connecting.
As root user, otherwise -p will only show the pid of processes you own.
Corinna
On 03/04/2016 03:45 AM, Richard Ibbotson wrote:
> Hi
> Does anyone know what this might be about? Fedora 23 with a Gnome/KDE/LXDE desktop...
> netstat -nap | grep :21 shows....
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
> netstat -aunt shows...
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
> I'm not running an FTP application. It's almost as if the desktop is doing this on its own. Don't know why there is an established connection to 195.154.162.172. Anyone make any suggestions? If I do whois 195.154.162.172 I get.....
Try "netstat -lpnt" and see if perhaps xinetd has it opened for listening. If so, make sure you don't have FTP enabled in your various /etc/xinetd.d files. Look for a *ftp* file, check it and ensure you have either "disabled = yes" in it or delete the file entirely and restart xinetd:
sudo systemctl restart xinetd
--
Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com
AIM/Skype: therps2   ICQ: 226437340   Yahoo: origrps2
If this is the first day of the rest of my life... I'm in BIG trouble!
2016-03-04 13:45 GMT+02:00 Richard Ibbotson richard.ibbotson@gmail.com:
> Hi
> Does anyone know what this might be about? Fedora 23 with a Gnome/KDE/LXDE desktop...
> netstat -nap | grep :21 shows....
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
> netstat -aunt shows...
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
> I'm not running an FTP application. It's almost as if the desktop is doing this on its own. Don't know why there is an established connection to 195.154.162.172. Anyone make any suggestions? If I do whois 195.154.162.172 I get.....
> --
> Richard
> Sheffield UK
195.154.162.172 is a Tor node.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Allegedly, on or about 04 March 2016, Richard Ibbotson sent:
> netstat -nap | grep :21 shows....
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
> netstat -aunt shows...
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21 ESTABLISHED
Get even more info from netstat by adding the e (extend) and v (verbose) options as well. And do it as root; you're further limited if you only do it as an ordinary user.
Oh, and just because it's using port 21 doesn't necessarily mean that it's doing FTP; that's just the recognised common use of the port. If you're infiltrated, it could be doing anything. You, most likely, need to be more concerned about what process is using port 60088.
Are you doing *any* kind of peer-to-peer?
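Ed's and Corinna's advice (run netstat -nap as root and look at local port 60088) and Tim's point that the local process matters more than the remote port 21, as an added shell example that is not from the thread: it parses constructed netstat -nap output (the PID/program names are invented) to go from the remote endpoint to the local port and then to the process that owns the socket.

```shell
#!/bin/sh
# Added example (not from the thread): pivot from a suspicious remote endpoint
# to the local socket that talks to it, then to the process owning that socket,
# by parsing "netstat -nap" output. Run netstat as root: for other users'
# processes the PID/Program column shows only "-".

# Constructed sample of "netstat -nap" output (as root). The ESTABLISHED line
# mirrors the one posted in the thread; the PID/Program names are invented.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.2.10:60088      195.154.162.172:21      ESTABLISHED 4242/firefox
tcp        0      0 192.168.2.10:45210      203.0.113.5:443         ESTABLISHED 4242/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient'

# local_ports_for_remote NETSTAT_OUTPUT REMOTE_ADDR:PORT
# Prints the local port of every socket whose foreign address is exactly REMOTE_ADDR:PORT.
local_ports_for_remote() {
    printf '%s\n' "$1" | awk -v remote="$2" '
        $1 ~ /^(tcp|udp)/ && $5 == remote {
            n = split($4, a, ":"); print a[n]   # last field also works for IPv6
        }'
}

# owner_of_local_port NETSTAT_OUTPUT PORT
# Prints the PID/Program name of the socket bound to local :PORT ("-" when
# netstat could not see the process, i.e. it was not run as root).
owner_of_local_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") { print $NF }'
}

# investigate NETSTAT_OUTPUT REMOTE_ADDR:PORT
# Chains the two lookups: one "<local port> <pid/program>" line per connection.
investigate() {
    for port in $(local_ports_for_remote "$1" "$2"); do
        printf '%s %s\n' "$port" "$(owner_of_local_port "$1" "$port")"
    done
}

# On the sample this prints "60088 4242/firefox". Against a live system (as root):
#   investigate "$(netstat -nap)" 195.154.162.172:21
investigate "$SAMPLE_NETSTAT" 195.154.162.172:21
```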
On 03/04/2016 11:44 AM, Tim wrote:
> Oh, and just because it's using port 21 doesn't necessarily mean that it's doing FTP; that's just the recognised common use of the port. If you're infiltrated, it could be doing anything. You, most likely, need to be more concerned about what process is using port 60088.
It may be a good idea to block both of those ports and see what, if anything, breaks. In fact, if you're not using the box as an ftp server, the port should be blocked anyway. (I sometimes ftp to my desktop from my laptop, but I use ftp over ssh, which uses a different port.)
On Friday 04 March 2016 12:00:55 Joe Zeff wrote:
> On 03/04/2016 11:44 AM, Tim wrote:
>> Oh, and just because it's using port 21 doesn't necessarily mean that it's doing FTP; that's just the recognised common use of the port. If you're infiltrated, it could be doing anything. You, most likely, need to be more concerned about what process is using port 60088.
> It may be a good idea to block both of those ports and see what, if anything, breaks. In fact, if you're not using the box as an ftp server, the port should be blocked anyway. (I sometimes ftp to my desktop from my laptop, but I use ftp over ssh, which uses a different port.)
After some more investigation I find that 195.154.162.172:21 starts up after starting a web browser. Kind of sounds like I'm being tracked. I've checked all of the settings. Can't see anything in the browser that relates to the FTP port. I'll have a look at firewall settings. As far as I know port 21 is blocked.
Strange
On 3/4/2016 4:40 PM, Richard Ibbotson wrote:
> I'll have a look at firewall settings. As far as I know port 21 is blocked.
> Strange
Most firewalls are configured to block _incoming_ traffic. Not many default system configurations block _outbound_ traffic and I can't remember a time I ever loaded a version of Fedora whose default firewall configuration does. The data you provided earlier shows you are using an unprivileged local port (60088) to connect to a remote IP address using a reserved port (21). Unless you have specifically blocked all outbound traffic from your system to external FTP servers, this connection will not be blocked.
This is the same kind of situation that occurs every time you connect to a remote web server with a local web browser. Your system uses an unprivileged port locally to connect to the remote IP address and port 80 (or 443 if you're using SSL). Note that the reverse is completely different. Ports 80 and 443 are most certainly blocked by default with respect to remote systems trying to connect to your local web server.
Tom
On 03/04/2016 01:40 PM, Richard Ibbotson wrote:
> On Friday 04 March 2016 12:00:55 Joe Zeff wrote:
>> On 03/04/2016 11:44 AM, Tim wrote:
>>> Oh, and just because it's using port 21 doesn't necessarily mean that it's doing FTP; that's just the recognised common use of the port. If you're infiltrated, it could be doing anything. You, most likely, need to be more concerned about what process is using port 60088.
>> It may be a good idea to block both of those ports and see what, if anything, breaks. In fact, if you're not using the box as an ftp server, the port should be blocked anyway. (I sometimes ftp to my desktop from my laptop, but I use ftp over ssh, which uses a different port.)
> After some more investigation I find that 195.154.162.172:21 starts up after starting a web browser. Kind of sounds like I'm being tracked. I've checked all of the settings. Can't see anything in the browser that relates to the FTP port. I'll have a look at firewall settings. As far as I know port 21 is blocked.
That sure sounds like a plugin in your browser.
--
Rick Stevens, Systems Engineer, AllDigital    ricks@alldigital.com
Brain: The organ with which we think that we think.
On 03/05/16 05:40, Richard Ibbotson wrote:
> On Friday 04 March 2016 12:00:55 Joe Zeff wrote:
>> On 03/04/2016 11:44 AM, Tim wrote:
>>> Oh, and just because it's using port 21 doesn't necessarily mean that it's doing FTP; that's just the recognised common use of the port. If you're infiltrated, it could be doing anything. You, most likely, need to be more concerned about what process is using port 60088.
>> It may be a good idea to block both of those ports and see what, if anything, breaks. In fact, if you're not using the box as an ftp server, the port should be blocked anyway. (I sometimes ftp to my desktop from my laptop, but I use ftp over ssh, which uses a different port.)
> After some more investigation I find that 195.154.162.172:21 starts up after starting a web browser. Kind of sounds like I'm being tracked. I've checked all of the settings. Can't see anything in the browser that relates to the FTP port. I'll have a look at firewall settings. As far as I know port 21 is blocked.
> Strange
Are you saying you have control of 195.154.162.172? That is the system with port 21 open.
You showed...
tcp 0 0 192.168.2.10:60088 195.154.162.172:21
The source port of 192.168.2.10 is 60088 connecting with port 21 on 195.154.162.172.
You could always run "wireshark" or "tcpdump" to examine the traffic between your system and 195.154.162.172.
Ed Greshko wrote:
>> Strange
> Are you saying you have control of 195.154.162.172? That is the system with port 21 open.
> You showed...
> tcp 0 0 192.168.2.10:60088 195.154.162.172:21
> The source port of 192.168.2.10 is 60088 connecting with port 21 on 195.154.162.172.
Switched off some plugins. I think that's done it.
> You could always run "wireshark" or "tcpdump" to examine the traffic between your system and 195.154.162.172.
Not used Wireshark for a while. I'll have a go.
Thanks
Allegedly, on or about 04 March 2016, Richard Ibbotson sent:
> Switched off some plugins. I think that's done it.
Try re-enabling, one by one, to narrow it down. I think you need to, to ensure that you don't have a compromised system.
It could be something as simple as a plug-in looking for an update for itself. Or one of those filter plug-ins that looks for whitelists and/or blacklists. It could be something as annoying as a plug-in calling home to mummy. It could be something trying to complete a download that didn't quite finish, or did finish but didn't seem to.
As you can see, there's any number of things that could cause that effect, and you really want to know whether it's benign or not.