Re: [fw-wiz] Port 37628....Is it just another port or out of the extra ordinary???

From: InHisGrip (servie_platon_at_yahoo.com)
Date: 07/22/04

  • Next message: Mark.Boltz_at_stonesoft.com: "Re: [fw-wiz] FEP - Firewall enhancement protocol"
    To: Bruce Smith <bruce_the_loon@worldonline.co.za>
    Date: Thu, 22 Jul 2004 10:58:16 -0700 (PDT)

    Hi Bruce,

    Thank you so much for your suggestions.

    Incidentally, I am also contemplating compiling and
    building my own kernel; this way I could select which
    options and services I would need. What do you
    think?

    All of you guys are just awesome! You have given me
    lots of ideas and I have learned a lot. Thanks again
    everyone in this group!

    InHisGrip,
    Servie

    --- Bruce Smith <bruce_the_loon@worldonline.co.za>
    wrote:
    > Hi Servie
    >
    > There's a tool called lsof on most linux systems, if
    > it's not installed by default it'll be on the CD's,
    > that can show which processes have the port open. I
    > think the exact syntax is lsof -i
    >
    > That should be able to tell you what has opened the
    > port and from there you should be able to see if it's
    > a trojan or not. Feel free to send me the output of
    > this if you need a hand.
    >
    > Regards
    >
    > Bruce Smith
    >
    >
    > ----- Original Message -----
    > From: "InHisGrip" <servie_platon@yahoo.com>
    > To: "firewall-wizards" <firewall-wizards@honor.icsalabs.com>
    > Sent: Thursday, July 22, 2004 1:52 AM
    > Subject: [fw-wiz] Port 37628....Is it just another port or out of the extra
    > ordinary???
    >
    >
    > >
    > > Hi everyone,
    > >
    > > I have set up an apache web server in my small home
    > > network and have configured this web server by
    > > enabling port forwarding for web requests and
    > > redirection using a non standard port other than port
    > > 80. I have also used my dns registrar/provider in
    > > particular dyndns.org to do the job of custom dns and
    > > redirecting web traffic on my host machine.
    > >
    > > My question is related to security/firewall and in
    > > particular with linux ports being compromised. Based
    > > from the information below, can anyone please let me
    > > know if the information I have attached based on open
    > > ports or listening ports on the output will somehow
    > > compromise my small home network or the linux web
    > > server box I have just set up?
    > >
    > > Oh, by the way, just wanted to make sure because I
    > > have placed the web server in a DMZ port and zone
    > > from my linksys router and I think but not sure that
    > > I am being shielded and protected at least? Likewise, I
    > > have enabled advanced firewall protection on my
    > > linksys router. Am I just paranoid, or is there
    > > something to get alarmed especially on port 37628
    > > which has a LISTEN state on all interfaces or on the
    > > Internet?
    > > Here is a copy of my netstat -an output:
    > >
    > > Active Internet connections (servers and established)
    > > Proto Recv-Q Send-Q Local Address           Foreign Address         State
    > > tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
    > > tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN
    > > tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    > > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4061     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4060     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4063     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4059     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4073     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4072     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4074     TIME_WAIT
    > > udp        0      0 0.0.0.0:32768           0.0.0.0:*
    > > udp        0      0 0.0.0.0:750             0.0.0.0:*
    > > udp        0      0 0.0.0.0:111             0.0.0.0:*
    > >
    > > Active UNIX domain sockets (servers and established)
    > > Proto RefCnt Flags       Type       State         I-Node Path
    > > unix  10     [ ]         DGRAM                    900    /dev/log
    > > unix  2      [ ]         DGRAM                    1464
    > > unix  2      [ ]         DGRAM                    1402
    > > unix  2      [ ]         DGRAM                    1384
    > > unix  2      [ ]         DGRAM                    1370
    > > unix  2      [ ]         DGRAM                    1324
    > > unix  2      [ ]         DGRAM                    1050
    > > unix  2      [ ]         DGRAM                    966
    > > unix  2      [ ]         DGRAM                    908
    > >
    > > I am asking this question because the URL below
    > > mentioned about a trojan on his system and this could
    > > also be happening to mine. Is this a security threat
    > > both on UDP and TCP ports 32768 among others?
    > >
    > > http://www.linuxquestions.org/questions/archive/4/2002/01/2/11641
    > >
    > > Any tips or thoughts on how to eliminate this threat
    > > would be highly appreciated. Thanks in advance.
    > >
    > > Regards,
    > > Servie
    > >
    >
    >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
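The check Bruce describes (find which sockets are reachable from outside, then ask lsof which process owns them) can be scripted so it is repeatable. The following is an added example and not code from the thread: it parses the text format of `netstat -an` that Servie posted, reports every socket bound to all interfaces (0.0.0.0), and subtracts an allow-list of ports the operator intends to expose. The sample input is constructed from the LISTEN and UDP rows in the post; the allow-list `EXPECTED_PUBLIC` (ssh on 22, the web server on 8090 and 443) and the helper `owner_of_port` are my assumptions, not anything the thread states. Port 111 is the RPC portmapper; what sits behind 32768 and 750 on the poster's box is exactly what `lsof -i` would have to answer.

```shell
#!/bin/sh
# Added example, not code from the thread. Parse `netstat -an` text, list
# sockets bound to every interface, and flag the ones not on an allow-list.

# Constructed sample: the LISTEN/UDP rows from the post plus one TIME_WAIT
# row, so the script runs offline. On a live host pipe `netstat -an` in instead.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32769 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8090 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.77:8090 203.218.54.165:4061 TIME_WAIT
udp 0 0 0.0.0.0:32768 0.0.0.0:*
udp 0 0 0.0.0.0:750 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*'

# Assumption: the operator means to expose only ssh (22) and the web server
# (8090, 443) on all interfaces. Adjust to the host's actual role.
EXPECTED_PUBLIC="22 443 8090"

# exposed_listeners: read netstat -an text on stdin; print "proto port" for
# every socket bound to 0.0.0.0. TCP rows count only in LISTEN state; UDP
# rows always count, because netstat prints no state for unconnected UDP.
# Loopback-only services (127.0.0.1) are not reachable from the network and
# are deliberately left out.
exposed_listeners() {
    awk '($1 == "tcp" && $6 == "LISTEN") || $1 == "udp" {
            split($4, a, ":")
            if (a[1] == "0.0.0.0") print $1, a[2]
        }'
}

# unexpected_listeners: exposed_listeners minus the allow-list, in input order.
unexpected_listeners() {
    exposed_listeners | while read -r proto port; do
        case " $EXPECTED_PUBLIC " in
            *" $port "*) ;;                          # intended, skip
            *) printf '%s %s\n' "$proto" "$port" ;;  # needs an owner
        esac
    done
}

# owner_of_port: on a live system, name the process behind a port using
# lsof -i as suggested in the thread; fall back to netstat -p if lsof is absent.
# (Hypothetical helper; it is not exercised on the constructed sample.)
owner_of_port() {
    port="$1"
    if command -v lsof >/dev/null 2>&1; then
        lsof -n -i ":$port"
    else
        netstat -anp 2>/dev/null | grep ":$port "
    fi
}

# Stand-alone run: show what the sample would flag for follow-up.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners
```

On the sample this prints five rows (tcp 32768, tcp 111, udp 32768, udp 750, udp 111); each of those is a candidate for `owner_of_port <port>` so the listening binary, not just the port number, decides whether anything is amiss. Running the same pipeline after a reboot or a package change and diffing the output gives a cheap change detector for a small DMZ host.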

