Hi, I have that too in the logs, every time a xrdp session is disconnected or closed. Running tcpdump does not show any actual traffic related to that IP and no open connection is visible using netstat.
This message comes from the function g_tcp_close that is used on several .c files. Gustavo ----- Original Message ----- > From: "Kevin Cave" <ke...@scarygliders.net> > To: xrdp-devel@lists.sourceforge.net > Sent: Wednesday, November 6, 2013 9:09:26 AM > Subject: [Xrdp-devel] Curious connection > > > > A user of my X11rdp-o-Matic build tool asked something on my blog as > follows... > ====================================================== > > > Hi Kevin, > > I am a concerned about the following logs that keep appearing in > xrdp.log file. An ip of 109.112.47.46 tries to connect to xrdp > whenever I try to connect. It does not appear to be in any other > logs, the firewall on the router and server are locked up tight. > Considering that the NSA has their hands in everything i’m a bit > suspicious on anything weird showing up in the logs. I have searched > around and could not find an answer. Its been showing up in xrdp.log > since i installed xrdp. It seems to appear only when i xrdp to the > server. The IP is some ip at Vodaphone Milan Italy. Here’s a excerpt > of the xrdp.log, (My ip address xxx.xxx.xxx.xxx) > > [20131105-05:31:58] [INFO ] An established connection closed to > endpoint: 127.0.0.1:3350 – socket: 11 > [20131105-05:31:58] [INFO ] The following channel is allowed: cliprdr > (0) > [20131105-05:31:58] [INFO ] The following channel is allowed: rdpsnd > (1) > [20131105-05:31:58] [INFO ] This channel is disabled (not in List): > snddbg > [20131105-05:31:58] [INFO ] The following channel is not allowed: > snddbg (2) > [20131105-05:31:58] [DEBUG] The allow channel list now initialized > for this session > [20131105-05:32:22] [INFO ] An established connection closed to > endpoint: xxx.xxx.xxx.xxx:56981 – socket: 8 > [20131105-05:32:22] [DEBUG] xrdp_mm_module_cleanup > [20131105-05:32:22] [INFO ] An established connection closed to > endpoint: 109.112.47.46:12148 – socket: 12 > [20131105-05:32:22] [INFO ] An established connection closed to > endpoint: 109.112.47.46:12148 – socket: 13 > [20131105-05:32:38] [INFO ] A connection received from: > xxx.xxx.xxx.xxx port 56982 > [20131105-05:32:38] [INFO ] An established connection closed to > endpoint: xxx.xxx.xxx.xxx:56982 – socket: 8 > [20131105-05:32:38] [INFO ] An established connection closed to > endpoint: NULL:NULL – socket: 7 > [20131105-05:32:38] [DEBUG] MCS_CJRQ – channel join request received > [20131105-05:32:38] [DEBUG] MCS_CJRQ – channel join request received > [20131105-05:32:38] [DEBUG] MCS_CJRQ – channel join request received > [20131105-05:32:38] [DEBUG] > xrdp_000035e6_wm_login_mode_event_00000001 > [20131105-05:32:38] [WARN ] local keymap file for 0×0409 found and > dosen’t match built in keymap, using local keymap file > [20131105-05:32:50] [DEBUG] returnvalue from xrdp_mm_connect 0 > [20131105-05:32:50] [DEBUG] xrdp_mm_connect_chansrv: chansrvconnect > successful > [20131105-05:32:50] [INFO ] An established connection closed to > endpoint: 127.0.0.1:3350 – socket: 11 > [20131105-05:32:51] [INFO ] The following channel is allowed: cliprdr > (0) > [20131105-05:32:51] [INFO ] The following channel is allowed: rdpsnd > (1) > [20131105-05:32:51] [INFO ] This channel is disabled (not in List): > snddbg > [20131105-05:32:51] [INFO ] The following channel is not allowed: > snddbg (2) > [20131105-05:32:51] [DEBUG] The allow channel list now initialized > for this session > [20131105-06:13:01] [INFO ] An established connection closed to > endpoint: 109.112.47.46:12148 – socket: 13 > [20131105-06:13:01] [INFO ] An established connection closed to > endpoint: xxx.xxx.xxx.xxx:56982 – socket: 8 > [20131105-06:13:02] [DEBUG] xrdp_mm_module_cleanup > [20131105-06:13:02] [INFO ] An established connection closed to > endpoint: 109.112.47.46:12148 – socket: 12 > [20131105-06:29:06] [INFO ] An established connection closed to > endpoint: NULL:NULL – socket: 7 > > =========================================================================== > > > > > A quick search reveals that someone asked here; > > http://sourceforge.net/p/xrdp/discussion/389417/thread/e8fb6b34/ > > > > > > And another person also noted this on my blog here; > > http://scarygliders.net/2013/07/25/x11rdp-o-matic-version-3-now-released/comment-page-1/#comment-5187 > > > I'm also curious as to where that IP address is coming from, and why > that behaviour? > > > Anyone have any clues? > > Regards > > Kevin Cave > > http://scarygliders.net > ------------------------------------------------------------------------------ > November Webinars for C, C++, Fortran Developers > Accelerate application performance with scalable programming models. > Explore > techniques for threading, error checking, porting, and tuning. Get > the most > from the latest Intel processors and coprocessors. See abstracts and > register > http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk > _______________________________________________ > xrdp-devel mailing list > xrdp-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/xrdp-devel > -- Angulo Sólido - Tecnologias de Informação http://angulosolido.pt ------------------------------------------------------------------------------ November Webinars for C, C++, Fortran Developers Accelerate application performance with scalable programming models. Explore techniques for threading, error checking, porting, and tuning. Get the most from the latest Intel processors and coprocessors. See abstracts and register http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk _______________________________________________ xrdp-devel mailing list xrdp-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/xrdp-devel
