Re: Bind Listening on port 32768

From: Hal Flynn (flynn@securityfocus.com)
Date: 09/12/01


Date: Wed, 12 Sep 2001 10:05:23 -0600 (MDT)
From: Hal Flynn <flynn@securityfocus.com>
To: <focus-linux@securityfocus.com>
Subject: Re: Bind Listening on port 32768
Message-ID: <Pine.GSO.4.30.0109120955030.6117-100000@mail>

Hi Folks,

I'm going to kill this thread, as it's basically turning into "1,001 Ways
to Identify Listening Ports."

In summary, the two suggestions I've seen identifying the actual
port/process are:

1) a program from the KDE suite.
2) rpc.statd

I'll additionally add my $0.02:
Typically, services that run on ephemeral ports (ports above 32000) are
rpc-based services. One easy means of identifying these services is to
run the portmapper, and execute a "rpcinfo -p localhost" to display a
listing of all identified rpc services. One caveat is that once a system
has been brought up, if the portmapper was not started prior to the start
of the rpc services, the services will not register with the portmapper
process, thus leaving you with a blank output from an rpcinfo command.

This of course does not take into consideration the security ramifications
of running rpc-based services, or the portmapper for that matter. This
is, however, purely for instruction purposes, and can be used as one or in
conjunction with 50,000 other ways to identify services running in the
ephemeral.

Hal Flynn
Sun/Linux Focus Area Manager
SecurityFocus

"Arbeit macht das Leben süss."
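
Added example, not part of the original message: a shell function that cross-references a list of listening sockets against `rpcinfo -p` output, including the caveat above where services that never registered with the portmapper leave the listing empty. The function name, the "proto port" input format and both sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p localhost` output (not taken from the thread).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status'

# Constructed list of listening sockets, one "proto port" pair per line,
# as could be distilled from netstat output.
SAMPLE_LISTEN='tcp 22
tcp 111
udp 111
tcp 32768
udp 32768
tcp 32771'

# identify_ports RPCINFO_TEXT LISTEN_TEXT   (hypothetical helper)
# Prints "proto port program service" for each listening socket, or
# "proto port - unregistered" when the portmapper has no entry for it
# (not an RPC service, or an RPC service started before the portmapper).
# Returns 2 when RPCINFO_TEXT holds no registrations at all.
identify_ports() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        $0 == "---" { second = 1; next }
        !second {
            # Data rows start with a numeric program number; skip the header.
            if ($1 !~ /^[0-9]+$/) next
            key = $3 "/" $4
            prog[key] = $1
            # The service name column is missing for unknown program numbers.
            name[key] = (NF >= 5) ? $5 : "unknown"
            n++
            next
        }
        NF >= 2 {
            key = $1 "/" $2
            if (key in prog) print $1, $2, prog[key], name[key]
            else             print $1, $2, "-", "unregistered"
        }
        END { exit (n ? 0 : 2) }'
}

# On a live host: identify_ports "$(rpcinfo -p localhost)" "$LISTEN"
identify_ports "$SAMPLE_RPCINFO" "$SAMPLE_LISTEN"
```

A return status of 2 means the rpcinfo listing was empty, so every socket shows as unregistered and the ephemeral ports have to be identified another way.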


