Re: [fw-wiz] Port 37628....Is it just another port or out of the extra ordinary???

From: InHisGrip (servie_platon_at_yahoo.com)
Date: 07/22/04

    To: Bruce Smith <bruce_the_loon@worldonline.co.za>
    Date: Thu, 22 Jul 2004 10:58:16 -0700 (PDT)
    
    

    Hi Bruce,

    Thank you so much for your suggestions.

    Incidentally, I am also contemplating compiling and
    building my own kernel; this way, I could select which
    options and services I would need. What do you
    think?

    All of you guys are just awesome! You have given me
    lots of ideas and I have learned a lot. Thanks again
    everyone in this group!

    InHisGrip,
    Servie

    --- Bruce Smith <bruce_the_loon@worldonline.co.za>
    wrote:
    > Hi Servie
    >
    > There's a tool called lsof on most Linux systems; if
    > it's not installed by default it'll be on the CDs.
    > It can show which processes have the port open. I
    > think the exact syntax is lsof -i
    >
    > That should be able to tell you what has opened the
    > port, and from there you should be able to see if
    > it's a trojan or not. Feel free to send me the output
    > of this if you need a hand.
    >
    > Regards
    >
    > Bruce Smith
    >
    >
    > ----- Original Message -----
    > From: "InHisGrip" <servie_platon@yahoo.com>
    > To: "firewall-wizards"
    > <firewall-wizards@honor.icsalabs.com>
    > Sent: Thursday, July 22, 2004 1:52 AM
    > Subject: [fw-wiz] Port 37628....Is it just another
    > port or out of the extra
    > ordinary???
    >
    >
    > >
    > > Hi everyone,
    > >
    > > I have set up an Apache web server in my small home
    > > network and have configured this web server by
    > > enabling port forwarding for web requests and
    > > redirection using a non-standard port other than
    > > port 80. I have also used my DNS registrar/provider,
    > > in particular dyndns.org, to do the job of custom DNS
    > > and redirecting web traffic to my host machine.
    > >
    > > My question is related to security/firewall and in
    > > particular to Linux ports being compromised. Based
    > > on the information below, can anyone please let me
    > > know if the information I have attached on the open
    > > or listening ports in the output will somehow
    > > compromise my small home network or the Linux web
    > > server box I have just set up?
    > >
    > > Oh, by the way, I just wanted to make sure, because I
    > > have placed the web server in a DMZ port and zone
    > > on my Linksys router and I think, but am not sure,
    > > that I am being shielded and protected at least?
    > > Likewise, I have enabled advanced firewall protection
    > > on my Linksys router. Am I just paranoid, or is there
    > > something to be alarmed about, especially port 37628,
    > > which has a LISTEN state on all interfaces or on the
    > > Internet?
    > >
    > > Here is a copy of my netstat -an output:
    > >
    > > Active Internet connections (servers and established)
    > > Proto Recv-Q Send-Q Local Address           Foreign Address         State
    > > tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
    > > tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN
    > > tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    > > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4061     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4060     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4063     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4059     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4073     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4072     TIME_WAIT
    > > tcp        0      0 192.168.1.77:8090       203.218.54.165:4074     TIME_WAIT
    > > udp        0      0 0.0.0.0:32768           0.0.0.0:*
    > > udp        0      0 0.0.0.0:750             0.0.0.0:*
    > > udp        0      0 0.0.0.0:111             0.0.0.0:*
    > > Active UNIX domain sockets (servers and established)
    > > Proto RefCnt Flags       Type       State         I-Node Path
    > > unix  10     [ ]         DGRAM                    900    /dev/log
    > > unix  2      [ ]         DGRAM                    1464
    > > unix  2      [ ]         DGRAM                    1402
    > > unix  2      [ ]         DGRAM                    1384
    > > unix  2      [ ]         DGRAM                    1370
    > > unix  2      [ ]         DGRAM                    1324
    > > unix  2      [ ]         DGRAM                    1050
    > > unix  2      [ ]         DGRAM                    966
    > > unix  2      [ ]         DGRAM                    908
    > >
    > > I am asking this question because the URL below
    > > mentions a trojan on his system, and this could
    > > also be happening to mine. Is this a security threat
    > > on both UDP and TCP ports 32768, among others?
    > >
    > > http://www.linuxquestions.org/questions/archive/4/2002/01/2/11641
    > >
    > > Any tips or thoughts on how to eliminate this threat
    > > would be highly appreciated. Thanks in advance.
    > >
    > > Regards,
    > > Servie
    > >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
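As an added example that is not part of this thread: a small POSIX shell triage of a netstat -an listing modelled on the one Servie posted. It separates sockets bound to all interfaces (0.0.0.0) from loopback-only ones and prints the all-interface listeners that are not on an assumed allowlist (22, 443 and 8090 here), which are the ports worth following up on with lsof -i as Bruce suggests.

```shell
# Constructed sample modelled on the netstat -an listing posted in the
# thread (same addresses and ports; the UNIX-socket section is omitted).
SAMPLE='tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:32769         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8090            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.77:8090       203.218.54.165:4061     TIME_WAIT
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:750             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*'

# Assumed allowlist of ports the administrator exposes on purpose:
# sshd on 22, HTTPS on 443 and the forwarded web server on 8090.
EXPECTED="22 443 8090"

# exposed_listeners: read netstat -an style lines on stdin and print
# "proto port" for every socket bound to 0.0.0.0 (all interfaces) whose
# port is not on the allowlist. Sockets bound to 127.0.0.1 are reachable
# only from the box itself and are skipped, as are TIME_WAIT and other
# non-listening TCP states and any UNIX domain socket lines.
exposed_listeners() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 != "tcp" && $1 != "udp"    { next }   # headers, unix sockets
    $1 == "tcp" && $6 != "LISTEN" { next }   # established / TIME_WAIT
    {
        split($4, a, ":")                     # local address -> host, port
        if (a[1] == "0.0.0.0" && !(a[2] in ok)) print $1, a[2]
    }'
}

# Run the triage over the embedded sample (stand-alone, no live system).
triage_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}

# Number of unexpected all-interface listeners in the sample.
unexpected_count() {
    triage_sample | wc -l | tr -d ' '
}

triage_sample
# On the live box, identify the owner of each port printed above, e.g.
#   lsof -i :32768            (Bruce's suggestion, narrowed to one port)
#   ss -ltunp | grep :32768   (iproute2 equivalent on newer systems)
```

On the sample this flags tcp 32768, tcp 111, udp 32768, udp 750 and udp 111; the loopback-only sockets (32769, 783, 25) never reach the Internet and are not reported.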

