Re: Port 32768/tcp

From: gminick (gminick@hacker.pl)
Date: 08/29/01


Date: Wed, 29 Aug 2001 00:43:38 +0200
From: gminick <gminick@hacker.pl>
To: focus-linux@securityfocus.com
Subject: Re: Port 32768/tcp
Message-ID: <20010829004338.B2201@hannibal>

Once upon a time (precisely at: Tue, Aug 28, 2001 at 06:51:31PM +0200),
David López Moreno wrote:
> tcp 0 0
> 0.0.0.0:32768 0.0.0.0:* LISTEN
> 475/rpc.statd

It looks strange.
Take a look at chkrootkit (www.chkrootkit.org).

> Dave

-- 
[ Wojtek gminick Walczak ][ http://hacker.pl/gminick/ ]
[ gminick (at) hacker.pl ][ ]gminick (at) interia.pl[ ]


