I think something in the code is using, by mistake, the g_tcp_close function for 
a unix domain socket and that results in a bogus IP "calculation" similar to 
what is described here:

http://marc.info/?l=secure-shell&m=88561415717174

I did not check where the offending call is.

----- Original Message -----
> From: "Gustavo Homem" <gust...@angulosolido.pt>
> To: "Kevin Cave" <ke...@scarygliders.net>
> Cc: xrdp-devel@lists.sourceforge.net
> Sent: Wednesday, November 6, 2013 5:51:42 PM
> Subject: Re: [Xrdp-devel] Curious connection
> 
> Hi,
> 
> I have that too in the logs, every time an xrdp session is
> disconnected or closed. Running tcpdump does not show any actual
> traffic related to that IP and no open connection is visible using
> netstat.
> 
> This message comes from the function g_tcp_close that is used on
> several .c files.
> 
> Gustavo
> 
> ----- Original Message -----
> > From: "Kevin Cave" <ke...@scarygliders.net>
> > To: xrdp-devel@lists.sourceforge.net
> > Sent: Wednesday, November 6, 2013 9:09:26 AM
> > Subject: [Xrdp-devel] Curious connection
> >
> >
> >
> > A user of my X11rdp-o-Matic build tool asked something on my blog as
> > follows...
> > ======================================================
> >
> >
> > Hi Kevin,
> >
> > I am concerned about the following logs that keep appearing in the
> > xrdp.log file. An IP of 109.112.47.46 tries to connect to xrdp
> > whenever I try to connect. It does not appear in any other logs, and
> > the firewalls on the router and server are locked up tight.
> > Considering that the NSA has their hands in everything, I'm a bit
> > suspicious of anything weird showing up in the logs. I have searched
> > around and could not find an answer. It's been showing up in xrdp.log
> > since I installed xrdp. It seems to appear only when I xrdp to the
> > server. The IP is some IP at Vodaphone, Milan, Italy. Here's an
> > excerpt of the xrdp.log (my IP address is xxx.xxx.xxx.xxx):
> >
> > [20131105-05:31:58] [INFO ] An established connection closed to endpoint: 127.0.0.1:3350 - socket: 11
> > [20131105-05:31:58] [INFO ] The following channel is allowed: cliprdr (0)
> > [20131105-05:31:58] [INFO ] The following channel is allowed: rdpsnd (1)
> > [20131105-05:31:58] [INFO ] This channel is disabled (not in List): snddbg
> > [20131105-05:31:58] [INFO ] The following channel is not allowed: snddbg (2)
> > [20131105-05:31:58] [DEBUG] The allow channel list now initialized for this session
> > [20131105-05:32:22] [INFO ] An established connection closed to endpoint: xxx.xxx.xxx.xxx:56981 - socket: 8
> > [20131105-05:32:22] [DEBUG] xrdp_mm_module_cleanup
> > [20131105-05:32:22] [INFO ] An established connection closed to endpoint: 109.112.47.46:12148 - socket: 12
> > [20131105-05:32:22] [INFO ] An established connection closed to endpoint: 109.112.47.46:12148 - socket: 13
> > [20131105-05:32:38] [INFO ] A connection received from: xxx.xxx.xxx.xxx port 56982
> > [20131105-05:32:38] [INFO ] An established connection closed to endpoint: xxx.xxx.xxx.xxx:56982 - socket: 8
> > [20131105-05:32:38] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 7
> > [20131105-05:32:38] [DEBUG] MCS_CJRQ - channel join request received
> > [20131105-05:32:38] [DEBUG] MCS_CJRQ - channel join request received
> > [20131105-05:32:38] [DEBUG] MCS_CJRQ - channel join request received
> > [20131105-05:32:38] [DEBUG] xrdp_000035e6_wm_login_mode_event_00000001
> > [20131105-05:32:38] [WARN ] local keymap file for 0x0409 found and dosen't match built in keymap, using local keymap file
> > [20131105-05:32:50] [DEBUG] returnvalue from xrdp_mm_connect 0
> > [20131105-05:32:50] [DEBUG] xrdp_mm_connect_chansrv: chansrvconnect successful
> > [20131105-05:32:50] [INFO ] An established connection closed to endpoint: 127.0.0.1:3350 - socket: 11
> > [20131105-05:32:51] [INFO ] The following channel is allowed: cliprdr (0)
> > [20131105-05:32:51] [INFO ] The following channel is allowed: rdpsnd (1)
> > [20131105-05:32:51] [INFO ] This channel is disabled (not in List): snddbg
> > [20131105-05:32:51] [INFO ] The following channel is not allowed: snddbg (2)
> > [20131105-05:32:51] [DEBUG] The allow channel list now initialized for this session
> > [20131105-06:13:01] [INFO ] An established connection closed to endpoint: 109.112.47.46:12148 - socket: 13
> > [20131105-06:13:01] [INFO ] An established connection closed to endpoint: xxx.xxx.xxx.xxx:56982 - socket: 8
> > [20131105-06:13:02] [DEBUG] xrdp_mm_module_cleanup
> > [20131105-06:13:02] [INFO ] An established connection closed to endpoint: 109.112.47.46:12148 - socket: 12
> > [20131105-06:29:06] [INFO ] An established connection closed to endpoint: NULL:NULL - socket: 7
> >
> > ===========================================================================
> >
> >
> >
> >
> > A quick search reveals that someone asked here;
> >
> > http://sourceforge.net/p/xrdp/discussion/389417/thread/e8fb6b34/
> >
> >
> >
> >
> >
> > And another person also noted this on my blog here;
> >
> > http://scarygliders.net/2013/07/25/x11rdp-o-matic-version-3-now-released/comment-page-1/#comment-5187
> >
> >
> > I'm also curious as to where that IP address is coming from, and why
> > that behaviour?
> >
> >
> > Anyone have any clues?
> >
> > Regards
> >
> > Kevin Cave
> >
> > http://scarygliders.net
> > ------------------------------------------------------------------------------
> > November Webinars for C, C++, Fortran Developers
> > Accelerate application performance with scalable programming
> > models.
> > Explore
> > techniques for threading, error checking, porting, and tuning. Get
> > the most
> > from the latest Intel processors and coprocessors. See abstracts
> > and
> > register
> > http://pubads.g.doubleclick.net/gampad/clk?id=60136231&iu=/4140/ostg.clktrk
> > _______________________________________________
> > xrdp-devel mailing list
> > xrdp-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/xrdp-devel
> >
> 
> --
> Angulo Sólido - Tecnologias de Informação
> http://angulosolido.pt
> 

-- 
Angulo Sólido - Tecnologias de Informação
http://angulosolido.pt
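What a peer-address lookup on the wrong socket family actually produces, as an added example (this is not xrdp's own code; the helper names, the socket path and the output format are my assumptions, and the thread does not say which unix socket the offending call touches). On Linux a struct sockaddr_un holds a 2-byte family followed directly by sun_path, while a struct sockaddr_in holds the family, a 2-byte port in network order and a 4-byte IPv4 address, so a helper that assumes AF_INET prints path[0..1] as the port and path[2..5] as the address. For any path beginning "/tmp/." that comes out as port 0x2f74 = 12148 and address 109.112.47.46, which is exactly the "connection" in the log excerpt above. The first function models that misreading on bare bytes; the second reproduces it with a real getpeername() on a unix socket bound under /tmp; the third is the family-checked version a fix should look like.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Byte-level model of the bug, no sockets involved: after the 2-byte family,
 * sockaddr_un carries sun_path where sockaddr_in carries the port (2 bytes,
 * network order) and the IPv4 address (4 bytes). Returns -1 on a short path. */
int bogus_endpoint_from_path(const char *path, char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)path;
    if (strlen(path) < 6)
        return -1;
    snprintf(out, outlen, "%u.%u.%u.%u:%u", p[2], p[3], p[4], p[5],
             ((unsigned)p[0] << 8) | p[1]); /* the value ntohs() would yield */
    return 0;
}

/* The suspected pattern (hypothetical name, not xrdp's helper): ask for the
 * peer of whatever fd is passed in and format it as an IPv4 endpoint. */
int peer_naive(int fd, char *out, size_t outlen)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    memset(&sin, 0, sizeof(sin));
    if (getpeername(fd, (struct sockaddr *)&sin, &len) != 0) {
        snprintf(out, outlen, "NULL:NULL");
        return -1;
    }
    snprintf(out, outlen, "%s:%u", inet_ntoa(sin.sin_addr), (unsigned)ntohs(sin.sin_port));
    return 0;
}

/* Hardened: read into sockaddr_storage and dispatch on the family the kernel
 * reports. AF_INET6 would be handled the same way with sockaddr_in6. */
int peer_checked(int fd, char *out, size_t outlen)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    char ip[INET_ADDRSTRLEN];
    memset(&ss, 0, sizeof(ss));
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0) {
        snprintf(out, outlen, "NULL:NULL");
        return -1;
    }
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)&ss;
        inet_ntop(AF_INET, &sin->sin_addr, ip, sizeof(ip));
        snprintf(out, outlen, "%s:%u", ip, (unsigned)ntohs(sin->sin_port));
    } else if (ss.ss_family == AF_UNIX) {
        struct sockaddr_un *sun = (struct sockaddr_un *)&ss;
        /* unbound (socketpair) or abstract-namespace peers have no printable path */
        if (len <= offsetof(struct sockaddr_un, sun_path) || sun->sun_path[0] == '\0')
            snprintf(out, outlen, "unix:(unnamed)");
        else
            snprintf(out, outlen, "unix:%s", sun->sun_path);
    } else {
        snprintf(out, outlen, "family %d", (int)ss.ss_family);
    }
    return 0;
}

/* Connect a client to a listening pathname socket so that getpeername() on
 * the client returns the server's path; -1 if the environment refuses it. */
int unix_demo_pair(const char *path, int *client, int *server)
{
    struct sockaddr_un addr;
    int lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    int cfd = socket(AF_UNIX, SOCK_STREAM, 0);
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path); /* remove a stale node left by an earlier run */
    if (lfd < 0 || cfd < 0 ||
        bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) != 0 || listen(lfd, 1) != 0 ||
        connect(cfd, (struct sockaddr *)&addr, sizeof(addr)) != 0 ||
        (*server = accept(lfd, NULL, NULL)) < 0) {
        close(lfd); close(cfd); /* close(-1) is a harmless EBADF */
        return -1;
    }
    close(lfd);
    *client = cfd;
    return 0;
}

int main(void)
{
    /* Constructed path: its first six bytes "/tmp/." decode to 109.112.47.46:12148. */
    const char *path = "/tmp/.xrdp_demo.sock";
    char buf[160]; int c, s;
    bogus_endpoint_from_path(path, buf, sizeof(buf));
    printf("path bytes misread as sockaddr_in:   %s\n", buf);
    if (unix_demo_pair(path, &c, &s) != 0)
        return 1;
    peer_naive(c, buf, sizeof(buf));
    printf("getpeername() assumed to be AF_INET: %s\n", buf);
    peer_checked(c, buf, sizeof(buf));
    printf("getpeername() with family check:     %s\n", buf);
    close(c); close(s); unlink(path);
    return 0;
}
```

The practical check this suggests for the logs quoted above: an endpoint that never shows up in tcpdump or netstat, whose "port" is constant across sessions, and whose four octets and port are all printable ASCII when read as bytes is a filesystem path being formatted by an IPv4-only code path, not a remote host. The fix belongs in the helper (check ss_family before formatting), not in the firewall.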
