I'm seeing a persistent address showing up on my firewall router logs. The address is 10.98.115.9:67, and is broadcasting to 255.255.255.255. I know that this would typically signal a BOOTP service, such as a bootp server announcing itself on the network. But I can't isolate which machine it is. I have only one machine running, then turn off the standalone wireless router and the switch, but it continues to show up. I ran nmap against it, and it automatically included another, completely different, IP in the scan. It's got me baffled. Here's the output:
Ximian1 FC30-3DA9 # nmap -v -unprivilege - Pn 10.98.115.9
Starting Nmap 6.00 at 2013-04-01 18:03 PDT
Invalid target host specification: -
Initiating Ping Scan at 18:03
Scanning 2 hosts [2 ports/host]
Completed Ping Scan at 18:03, 2.35s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 18:03
Completed Parallel DNS resolution of 2 hosts. at 18:03, 0.04s elapsed
Nmap scan report for 10.98.115.9 [host down]
Initiating Connect Scan at 18:03
Scanning Pn (80.68.93.100) [1000 ports]
Discovered open port 587/tcp on 80.68.93.100
Discovered open port 25/tcp on 80.68.93.100
Discovered open port 110/tcp on 80.68.93.100
Discovered open port 22/tcp on 80.68.93.100
Discovered open port 995/tcp on 80.68.93.100
Discovered open port 53/tcp on 80.68.93.100
Discovered open port 21/tcp on 80.68.93.100
Discovered open port 80/tcp on 80.68.93.100
Completed Connect Scan at 18:04, 16.47s elapsed (1000 total ports)
Nmap scan report for Pn (80.68.93.100)
Host is up (0.17s latency).
rDNS record for 80.68.93.100: tedside.pitcairn.net.pn
Not shown: 988 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
587/tcp open submission
593/tcp filtered http-rpc-epmap
995/tcp open pop3s
Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (1 host up) scanned in 18.90 seconds
Can anyone shed light on this behavior?
PS: it's not a one-off thing; I ran it several times and every time it did the same.
Have you checked lsof -i to see which application might be using this address?
Thanks for the suggestion. I ran it but didn't see anything running at that address. Here's the output:
Ximian1 neo # lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 996 root 3u IPv4 9497 0t0 TCP *:ssh (LISTEN)
sshd 996 root 4u IPv6 9499 0t0 TCP *:ssh (LISTEN)
smbd 1024 root 27u IPv6 9589 0t0 TCP *:microsoft-ds (LISTEN)
smbd 1024 root 28u IPv6 9590 0t0 TCP *:netbios-ssn (LISTEN)
smbd 1024 root 29u IPv4 9591 0t0 TCP *:microsoft-ds (LISTEN)
smbd 1024 root 30u IPv4 9592 0t0 TCP *:netbios-ssn (LISTEN)
cupsd 1087 root 10u IPv6 8909 0t0 TCP ip6-localhost:ipp (LISTEN)
cupsd 1087 root 11u IPv4 8910 0t0 TCP localhost:ipp (LISTEN)
avahi-dae 1093 avahi 13u IPv4 9565 0t0 UDP *:mdns
avahi-dae 1093 avahi 14u IPv6 9566 0t0 UDP *:mdns
avahi-dae 1093 avahi 15u IPv4 9567 0t0 UDP *:54012
avahi-dae 1093 avahi 16u IPv6 9568 0t0 UDP *:52840
dhclient 1133 root 6u IPv4 9749 0t0 UDP *:bootpc
dhclient 1133 root 20u IPv4 9729 0t0 UDP *:48744
dhclient 1133 root 21u IPv6 9730 0t0 UDP *:6551
dnsmasq 1166 nobody 4u IPv4 9820 0t0 UDP Ximian1:domain
dnsmasq 1166 nobody 5u IPv4 9821 0t0 TCP Ximian1:domain (LISTEN)
nmbd 1468 root 9u IPv4 9143 0t0 UDP *:netbios-ns
nmbd 1468 root 10u IPv4 9144 0t0 UDP *:netbios-dgm
nmbd 1468 root 11u IPv4 9146 0t0 UDP Ximian1.local:netbios-ns
nmbd 1468 root 12u IPv4 9147 0t0 UDP 10.0.0.255:netbios-ns
nmbd 1468 root 13u IPv4 9148 0t0 UDP Ximian1.local:netbios-dgm
nmbd 1468 root 14u IPv4 9149 0t0 UDP 10.0.0.255:netbios-dgm
ntop 1688 ntop 1u IPv4 10756 0t0 TCP *:3000 (LISTEN)
master 1805 root 12u IPv4 10900 0t0 TCP localhost:smtp (LISTEN)
master 1805 root 13u IPv6 10901 0t0 TCP ip6-localhost:smtp (LISTEN)
miniserv. 2007 root 6u IPv4 11530 0t0 TCP *:9000 (LISTEN)
miniserv. 2007 root 7u IPv4 11531 0t0 UDP *:10000
firefox 7146 neo 108u IPv4 32031929 0t0 TCP Ximian1.local:46317->nuq04s08-in-f25.1e100.net:https (ESTABLISHED)
firefox 7146 neo 129u IPv4 62573 0t0 TCP Ximian1.local:55370->nuq04s07-in-f21.1e100.net:https (ESTABLISHED)
firefox 7146 neo 196u IPv4 32030638 0t0 TCP Ximian1.local:54106->ec2-184-73-124-237.compute-1.amazonaws.com:http (ESTABLISHED)
vsftpd 13225 root 3u IPv4 32237311 0t0 TCP *:ftp (LISTEN)
Some service/application must be responsible for the connection. Try to stop the services (I would start with smbd/nmbd) one by one and check again...
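As an added example (not code from this thread), here is a small Python parser for the lsof -i output format pasted above that answers the question the replies circle around: which process, if any, binds a given protocol and port. It checks UDP/67 (bootps, the server side of DHCP/BOOTP, which is the source port seen in the firewall log) against UDP/68 (bootpc, the client side that dhclient holds). The sample lines are constructed from the output above, and the service-name table is an assumption standing in for /etc/services.

```python
from typing import Dict, List, Optional

# Constructed sample in the format of the `lsof -i` output pasted above
# (added example, not code from the thread).
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 996 root 3u IPv4 9497 0t0 TCP *:ssh (LISTEN)
dhclient 1133 root 6u IPv4 9749 0t0 UDP *:bootpc
dnsmasq 1166 nobody 4u IPv4 9820 0t0 UDP Ximian1:domain
nmbd 1468 root 12u IPv4 9147 0t0 UDP 10.0.0.255:netbios-ns
firefox 7146 neo 108u IPv4 32031929 0t0 TCP Ximian1.local:46317->nuq04s08-in-f25.1e100.net:https (ESTABLISHED)
"""

# lsof prints service names from /etc/services; a fixed table (assumed) for the
# names seen in the thread keeps this runnable where that file lacks an entry.
SERVICES = {
    "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "bootps": 67, "bootpc": 68,
    "http": 80, "pop3": 110, "netbios-ns": 137, "netbios-dgm": 138,
    "netbios-ssn": 139, "https": 443, "microsoft-ds": 445, "ipp": 631, "mdns": 5353,
}

def port_number(token: str) -> Optional[int]:
    """Port part of an lsof NAME field -> integer (None if the name is unknown)."""
    return int(token) if token.isdigit() else SERVICES.get(token)

def parse_lsof(text: str) -> List[Dict]:
    """Parse `lsof -i` output into dicts: command, pid, proto, local host/port."""
    sockets = []
    for line in text.splitlines()[1:]:        # skip the header row
        cols = line.split(None, 8)            # NAME is column 9; keep it intact
        if len(cols) < 9:
            continue
        name = cols[8].split(" (")[0]         # strip "(LISTEN)" / "(ESTABLISHED)"
        local = name.split("->")[0]           # local endpoint of an established conn
        host, _, port = local.rpartition(":")
        sockets.append({"command": cols[0], "pid": int(cols[1]),
                        "proto": cols[7], "host": host, "port": port_number(port)})
    return sockets

def who_binds(text: str, proto: str, port: int) -> List[str]:
    """'command[pid]' for every socket bound to proto/port, e.g. UDP/67."""
    return [f"{s['command']}[{s['pid']}]" for s in parse_lsof(text)
            if s["proto"] == proto and s["port"] == port]

if __name__ == "__main__":
    # Source port 67 (bootps) in the log means a DHCP/BOOTP server; this host
    # only has the client side (bootpc, port 68) open, so it is not the sender.
    print("UDP/67:", who_binds(SAMPLE_LSOF, "UDP", 67))   # []
    print("UDP/68:", who_binds(SAMPLE_LSOF, "UDP", 68))   # ['dhclient[1133]']
```

Run it against the real output with `who_binds(open("lsof.txt").read(), "UDP", 67)`; an empty list means the BOOTP server seen in the firewall log is not a process on this host, which points back at the network rather than the machine.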