[fw-wiz] Port 37628....Is it just another port or out of the extra ordinary???

From: InHisGrip (servie_platon_at_yahoo.com)
Date: 07/22/04

    To: firewall-wizards <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 21 Jul 2004 16:52:51 -0700 (PDT)
    
    

    Hi everyone,

    I have set up an Apache web server in my small home
    network and have configured this web server by
    enabling port forwarding for web requests and
    redirection using a non-standard port other than port
    80. I have also used my DNS registrar/provider, in
    particular dyndns.org, to do the job of custom DNS and
    redirecting web traffic to my host
    machine.

    My question is related to security/firewall and in
    particular to Linux ports being compromised. Based
    on the information below, can anyone please let me
    know if the information I have attached on open
    ports or listening ports in the output will somehow
    compromise my small home network or the Linux web
    server box I have just set up?

    Oh, by the way, I just wanted to make sure, because I
    have placed the web server in a DMZ port and zone
    on my Linksys router and I think, but am not sure, that
    I am being shielded and protected at least? Likewise, I
    have enabled advanced firewall protection on my
    Linksys router. Am I just paranoid, or is there
    something to get alarmed about, especially on port 37628,
    which has a LISTEN state on all interfaces or on the
    Internet?

    Here is a copy of my netstat -an output:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address        Foreign Address       State
    tcp        0      0 0.0.0.0:32768        0.0.0.0:*             LISTEN
    tcp        0      0 127.0.0.1:32769      0.0.0.0:*             LISTEN
    tcp        0      0 127.0.0.1:783        0.0.0.0:*             LISTEN
    tcp        0      0 0.0.0.0:111          0.0.0.0:*             LISTEN
    tcp        0      0 0.0.0.0:22           0.0.0.0:*             LISTEN
    tcp        0      0 127.0.0.1:25         0.0.0.0:*             LISTEN
    tcp        0      0 0.0.0.0:8090         0.0.0.0:*             LISTEN
    tcp        0      0 0.0.0.0:443          0.0.0.0:*             LISTEN
    tcp        0      0 192.168.1.77:8090    203.218.54.165:4061   TIME_WAIT
    tcp        0      0 192.168.1.77:8090    203.218.54.165:4060   TIME_WAIT
    tcp        0      0 192.168.1.77:8090    203.218.54.165:4063   TIME_WAIT
    tcp        0      0 192.168.1.77:8090    203.218.54.165:4059   TIME_WAIT
    tcp        0      0 192.168.1.77:8090    203.218.54.165:4073   TIME_WAIT
    tcp        0      0 192.168.1.77:8090    203.218.54.165:4072   TIME_WAIT
    tcp        0      0 192.168.1.77:8090    203.218.54.165:4074   TIME_WAIT
    udp        0      0 0.0.0.0:32768        0.0.0.0:*
    udp        0      0 0.0.0.0:750          0.0.0.0:*
    udp        0      0 0.0.0.0:111          0.0.0.0:*
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags   Type    State   I-Node Path
    unix  10     [ ]     DGRAM           900    /dev/log
    unix  2      [ ]     DGRAM           1464
    unix  2      [ ]     DGRAM           1402
    unix  2      [ ]     DGRAM           1384
    unix  2      [ ]     DGRAM           1370
    unix  2      [ ]     DGRAM           1324
    unix  2      [ ]     DGRAM           1050
    unix  2      [ ]     DGRAM           966
    unix  2      [ ]     DGRAM           908

    I am asking this question because the URL below
    mentions a trojan on his system and this could
    also be happening to mine. Is this a security threat
    on both UDP and TCP ports 32768, among others?

    http://www.linuxquestions.org/questions/archive/4/2002/01/2/11641

    Any tips or thoughts on how to eliminate this threat
    would be highly appreciated. Thanks in advance.

    Regards,
    Servie
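
A way to triage the `netstat -an` listing in the message above, as an added example that is not part of the original post: it separates sockets bound to every interface from those bound to loopback only. The sample input is the post's own listening lines re-joined one socket per line, and the function names `sample_netstat` and `listeners` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): split `netstat -an` listeners
# into those bound to every interface and those bound to loopback only.

# Sample input: listening lines from the post, re-joined one socket per line.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0      0 0.0.0.0:32768      0.0.0.0:*            LISTEN
tcp        0      0 127.0.0.1:32769    0.0.0.0:*            LISTEN
tcp        0      0 127.0.0.1:783      0.0.0.0:*            LISTEN
tcp        0      0 0.0.0.0:111        0.0.0.0:*            LISTEN
tcp        0      0 0.0.0.0:22         0.0.0.0:*            LISTEN
tcp        0      0 127.0.0.1:25       0.0.0.0:*            LISTEN
tcp        0      0 0.0.0.0:8090       0.0.0.0:*            LISTEN
tcp        0      0 0.0.0.0:443        0.0.0.0:*            LISTEN
tcp        0      0 192.168.1.77:8090  203.218.54.165:4061  TIME_WAIT
udp        0      0 0.0.0.0:32768      0.0.0.0:*
udp        0      0 0.0.0.0:750        0.0.0.0:*
udp        0      0 0.0.0.0:111        0.0.0.0:*
EOF
}

# listeners SCOPE  (SCOPE = wildcard | loopback; hypothetical helper name)
# Reads netstat -an text on stdin, prints proto/port sorted by proto, port.
listeners() {
    awk -v scope="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, part, ":"); port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            wild = (addr == "0.0.0.0" || addr == "::" || addr == "*")
            loop = (addr ~ /^127\./ || addr == "::1")
            if (scope == "wildcard" && !wild) next
            if (scope == "loopback" && !loop) next
            # TCP must be in LISTEN; UDP has no state, so require an
            # unconnected socket (foreign address ends in ":*").
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            if ($1 ~ /^udp/ && $5 !~ /:\*$/) next
            print $1 "/" port
        }' | sort -t/ -k1,1 -k2,2n
}

echo "bound to all interfaces:"; sample_netstat | listeners wildcard
echo "loopback only:";           sample_netstat | listeners loopback
# On the live host, `netstat -tulnp` run as root adds the owning PID/program
# for each of these sockets.
```

Only the sockets in the first group can be reached from another machine, and only if the router forwards that port to the host.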

                    