in3vrr
Posts: 19
Joined: Sat Oct 08, 2016 1:30 pm

RPI3 external intrusion ? 6667 port !

Thu Nov 17, 2016 10:55 am

Using RPI3 Raspbian Jessie with PIXEL connected to Internet via LAN (ADSL)
Also using fail2ban to protect SSH access.

With iptraf and/or 'netstat -plant' I see:
myRPI:58234 connected to 46.239.124.128:6667 TCP (Student housing networks Sweden)
myRPI:58246 connected to 46.239.124.128:6667 TCP (Student housing networks Sweden)
myRPI:55924 SYN_SENT to 177.102.108.31:6667 TCP (dsl.telesp.net-br)
myRPI:45562 to 78.134.209.194:6667 TCP (dsl.net.metronet.hr)
myRPI:41702 to 78.101.86.213:6667 (QTEL-ADSL-POOL)

And many more connections, always with port 6667, and a few bytes of exchange (normally a maximum of 240 bytes with 4 packets from the RPI3 and zero bytes from the remote IP).
It therefore seems that my RPI3 is taking the initiative to connect to the remote station, but I am not sure.

6667 is the IRC port (Internet Relay Chat)!
Wikipedia says: "Internet Relay Chat (IRC) is an application layer protocol that facilitates communication in the form of text. The chat process works on a client/server networking model. IRC clients are computer programs that a user can install on their system. These clients communicate with chat servers to transfer messages to other clients."

I do not understand what's going on.
Can someone help me?
Besides fail2ban, is it best to install some other protection?
Are there other Linux commands to better analyze the situation (for example, to identify the app that generates the connection)?
Thank you
Bob

PS:
With netstat -n I see connections unix2 and unix3 STREAM or DGRAM with path @/tmp/..... or /run/..... or /var/.....
What are they?
Unwanted apps?
Should they be deleted?
Last edited by in3vrr on Thu Nov 17, 2016 11:16 am, edited 1 time in total.
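
Added example (not part of the original post or thread): a small shell helper that filters `netstat -plant` output for non-listening TCP sockets whose remote port is 6667, then reads `/proc/<PID>` to show which binary owns them. The sample output, addresses, PID and program name are constructed, and the function names `flag_port` and `describe_pid` are hypothetical.

```shell
#!/bin/sh
# Added example: triage outbound connections to the IRC port seen in the post.

# Constructed sample of `netstat -plant` output (addresses are documentation
# ranges; PID and program name are made up for illustration).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 192.0.2.10:58234        203.0.113.7:6667        ESTABLISHED 1432/example-proc
tcp        0      1 192.0.2.10:55924        198.51.100.9:6667       SYN_SENT    1432/example-proc
tcp        0      0 192.0.2.10:22           192.0.2.20:50122        ESTABLISHED 977/sshd: pi
tcp6       0      0 2001:db8::10:41702      2001:db8::99:6667       ESTABLISHED -
EOF
}

# flag_port [PORT]: read netstat -plant output on stdin and print
# "STATE REMOTE PID PROGRAM" for every non-listening TCP socket whose
# remote port is PORT (default 6667).
flag_port() {
    awk -v port="${1:-6667}" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($5, r, ":")        # port is the last ":" field, also for IPv6
            if (r[n] != port) next
            pid = "-"; prog = "-"        # "-" means netstat could not see the owner
            slash = index($7, "/")
            if (slash > 0) { pid = substr($7, 1, slash - 1); prog = substr($7, slash + 1) }
            print $6, $5, pid, prog
        }'
}

# describe_pid PID: show which binary a process runs and where it was started.
# A target ending in " (deleted)" means the file was removed after launch.
describe_pid() {
    [ -d "/proc/$1" ] || { echo "pid $1: not running"; return 1; }
    echo "pid $1 exe: $(readlink "/proc/$1/exe" 2>/dev/null)"
    echo "pid $1 cwd: $(readlink "/proc/$1/cwd" 2>/dev/null)"
    echo "pid $1 cmd: $(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# Demo on the constructed sample. On a live system, as root:
#   netstat -plant | flag_port 6667
#   describe_pid <PID from the output>
sample_netstat | flag_port 6667
```

netstat only fills the PID/Program column for other users' processes when run as root, and on a host that may already be compromised its output is triage rather than proof of a clean system.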

RaTTuS
Posts: 10506
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: RPI3 external intrusion ? 6667 port !

Thu Nov 17, 2016 11:00 am

Did you disable the user pi and/or change its password?
Have you forwarded port 22 from your router to the RPi?
How To ask Questions :- http://www.catb.org/esr/faqs/smart-questions.html
WARNING - some parts of this post may be erroneous YMMV

1QC43qbL5FySu2Pi51vGqKqxy3UiJgukSX
Covfefe

in3vrr
Posts: 19
Joined: Sat Oct 08, 2016 1:30 pm

Re: RPI3 external intrusion ? 6667 port !

Thu Nov 17, 2016 11:28 am

RaTTuS wrote: did you disable the user pi and/or change its password?
have you forwarded port 22 from your router to the RPi?
Stupidly, for a few weeks I did not change the RPI password (I left the default)!
Yes, in my router I have enabled port 22 toward the RPI3 and I enabled UPnP / CFP because I use video surveillance + home alarm + NAS.
Besides fail2ban, I thought of changing the port for SSH.

RaTTuS
Posts: 10506
Joined: Tue Nov 29, 2011 11:12 am
Location: North West UK

Re: RPI3 external intrusion ? 6667 port !

Thu Nov 17, 2016 11:33 am

flash a new image and start again

Heater
Posts: 13930
Joined: Tue Jul 17, 2012 3:02 pm

Re: RPI3 external intrusion ? 6667 port !

Thu Nov 17, 2016 11:59 am

Yes, reinstall a new system.

When I put my Pi on the net I see no end of attempts to log in as user Pi pretty quickly. If I did not change user name and/or password I would surely have been compromised.

You can not trust what you have on your SD now.
Memory in C++ is a leaky abstraction .

in3vrr
Posts: 19
Joined: Sat Oct 08, 2016 1:30 pm

Re: RPI3 external intrusion ? 6667 port !

Thu Nov 17, 2016 12:58 pm

RaTTuS wrote: flash a new image and start again
Thank you
Yes, I think that is the only solution to the problem.
Regards
Bob
