Re: NewB needs help understanding 'netstat' output

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/17/02


From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid>
Date: Fri, 17 May 2002 10:22:50 +0000 (UTC)


< ken king
>ken king wrote:

8< (Summary: `netstat -tuln`, not related ports 25 137 138 139 515 6000)

>> Proto Recv-Q Send-Q Local Address Foreign Address State
>> tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
>> udp 0 0 0.0.0.0:32768 0.0.0.0:*
>> udp 0 0 0.0.0.0:111 0.0.0.0:*
>> ---The following (port 635) USED to be "0.0.0.0:628" why would it
>> change???
>> udp 0 0 0.0.0.0:635 0.0.0.0:*
>
>This morning the last line is port 636! I know I'm not dreaming because I
>created a cron job to do netstat -tulnp each night and email me the diff
>from the day before.

You should protect the above ports from outside, local only. If you are
not familiar with RPC, uninstalling it is good for security.

rpc.mountd 100005 ---[portmap]--- 635
rpc.mountd 100005 ---[portmap]--- 638
rpc.mountd 100005 ---[portmap]--- 636

/sbin/portmap
/usr/sbin/rpcinfo
/usr/sbin/showmount

http://www.robertgraham.com/pubs/firewall-seen.html
| 635 mountd Linux mountd bug...
| Note that mountd can run at any port (for which you must first do a
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
| portmap lookup at port 111), it's just that Linux defaulted to port
| *******~~~~~~~~~~~~~~~~~~~
| 635 in much the same way that NFS universally runs at port 2049...
| Sun starting their RPC ports at 32768...

http://www.robertgraham.com/pubs/network-intrusion-detection.html
|rpcinfo
|~~~~~~~
| finds out what RPC services are running

http://www.robertgraham.com/pubs/hacking-dict.html
| For example, the rpc.mountd RPC program is assigned the
| well-known program number of 100005. When it starts up, it
| ~~~~~~
| might obtain the port number like 635.
| ~~~~~~~~
|showmount [3]
| Key point: This command used the rpc.mountd protocol (RPC
| program number 100005). On most systems, these commands do not
| ^^^^^^
| require authentication, which means that anybody can run them.
| ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
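The port keeps moving because mountd is handed its port by portmap at start-up, so a nightly diff keyed on port numbers will fire after every restart. Below is an added example, not code from this thread, that joins `netstat -tuln` output with `rpcinfo -p` output to label each listener by its RPC program number and to produce a port-independent summary that is the better thing to diff; both sample listings are constructed, not captured from the poster's machine.

```python
import re

# Constructed sample output modelled on the poster's `netstat -tuln` and on a
# typical `rpcinfo -p` listing (not captured from the poster's machine).
RPCINFO_P = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    636  mountd
    100005    1   tcp  32768  mountd
    100024    1   udp  32768  status
"""
NETSTAT_TULN = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:636             0.0.0.0:*
"""
def parse_rpcinfo(text):
    """Map (proto, port) -> (program number, name) from `rpcinfo -p` output."""
    reg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\s*(\S*)", line)
        if m:
            prog, proto, port, name = m.groups()
            reg[(proto, int(port))] = (int(prog), name or "?")
    return reg
def parse_netstat(text):
    """Set of (proto, port) listening sockets from `netstat -tuln` output."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"(tcp|udp)6?\s+\d+\s+\d+\s+\S+:(\d+)\s", line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found
def classify(rpcinfo_text, netstat_text):
    """Label each listener with the RPC program behind it, or 'non-RPC'."""
    reg = parse_rpcinfo(rpcinfo_text)
    return [(p, n, "rpc %d %s" % reg[(p, n)] if (p, n) in reg else "non-RPC")
            for p, n in sorted(parse_netstat(netstat_text))]
def stable_summary(rpcinfo_text, netstat_text):
    """Port-free view ('100005 mountd/udp') for a nightly diff: it does not
    change when portmap hands mountd a different port after a restart."""
    reg = parse_rpcinfo(rpcinfo_text)
    return sorted("%d %s/%s" % (reg[k][0], reg[k][1], k[0])
                  for k in parse_netstat(netstat_text) if k in reg)
```

Feeding the real `rpcinfo -p` and `netstat -tuln` output into `stable_summary` from the cron job gives a listing that only changes when an RPC program appears or disappears, which is the event worth being emailed about.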


