Re: NewB needs help understanding 'netstat' output

From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/17/02

>ken king wrote:

8< (Summary: `netstat -tuln`; unrelated ports 25 137 138 139 515 6000)

>> Proto Recv-Q Send-Q Local Address Foreign Address State
>> tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
>> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
>> udp 0 0 0.0.0.0:32768 0.0.0.0:*
>> udp 0 0 0.0.0.0:111 0.0.0.0:*
>> ---The following (port 635) USED to be "0.0.0.0:628" why would it
>> change???
>> udp 0 0 0.0.0.0:635 0.0.0.0:*
>
>This morning the last line is port 636! I know I'm not dreaming because I
>created a cron job to do netstat -tulnp each night and email me the diff
>from the day before.

You should protect the above ports from outside, local only. If you are
not familiar with RPC, uninstalling it is good for security.

rpc.mountd 100005 ---[portmap]--- 635
rpc.mountd 100005 ---[portmap]--- 638
rpc.mountd 100005 ---[portmap]--- 636

/sbin/portmap
/usr/sbin/rpcinfo
/usr/sbin/showmount

http://www.robertgraham.com/pubs/firewall-seen.html
| 635 mountd Linux mountd bug...
| Note that mountd can run at any port (for which you must first do a
| ~~~~~~~~~~~~~~~~~~~~~~~~~~
| portmap lookup at port 111), it's just that Linux defaulted to port
| *******~~~~~~~~~~~~~~~~~~~
| 635 in much the same way that NFS universally runs at port 2049...
| Sun starting their RPC ports at 32768...

http://www.robertgraham.com/pubs/network-intrusion-detection.html
|rpcinfo
|~~~~~~~
| finds out what RPC services are running

http://www.robertgraham.com/pubs/hacking-dict.html
| For example, the rpc.mountd RPC program is assigned the
| well-known program number of 100005. When it starts up, it
| ~~~~~~
| might obtain the port number like 635.
| ~~~~~~~~
|showmount [3]
| Key point: This command used the rpc.mountd protocol (RPC
| program number 100005). On most systems, these commands do not
| ^^^^^^
| require authentication, which means that anybody can run them.
| ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^

-- 
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
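Added example (not code from the original post or from either poster): ken king's nightly `netstat -tulnp` diff fires every time rpc.mountd re-registers with portmap on a new port (635, 636, 638). Attributing each listening socket to its RPC program number via `rpcinfo -p` makes the inventory stable across that drift while still catching a new service, a vanished one, or a bind address widening from 127.0.0.1 to 0.0.0.0. Both sample listings are constructed for this example; the helper names are my own.

```python
import re

# Constructed sample of `netstat -tuln`, modelled on the listing quoted above.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp   0 0 0.0.0.0:32768   0.0.0.0:* LISTEN
tcp   0 0 0.0.0.0:111     0.0.0.0:* LISTEN
tcp   0 0 127.0.0.1:25    0.0.0.0:* LISTEN
udp   0 0 0.0.0.0:32768   0.0.0.0:*
udp   0 0 0.0.0.0:111     0.0.0.0:*
udp   0 0 0.0.0.0:636     0.0.0.0:*
"""
# Constructed sample of `rpcinfo -p` from the same host (program, vers, proto, port, name).
RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   tcp  32768  status
    100024    1   udp  32768  status
    100005    1   udp    636  mountd
"""

def parse_netstat(text):
    """Map (proto, port) -> local bind address for each socket line."""
    sockets = {}
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit also copes with ':::111'
        sockets[(fields[0], int(port))] = addr
    return sockets

def parse_rpcinfo(text):
    """Map (proto, port) -> (program number, name) from portmap's registrations."""
    pat = re.compile(r"^\s*(\d+)\s+\d+\s+(tcp|udp)\s+(\d+)\s+(\S+)", re.M)
    return {(m[2], int(m[3])): (int(m[1]), m[4]) for m in pat.finditer(text)}

def inventory(netstat_text, rpcinfo_text):
    """One row per service keyed by RPC program (not port), with an exposure flag."""
    regs = parse_rpcinfo(rpcinfo_text)
    rows = {}
    for (proto, port), addr in parse_netstat(netstat_text).items():
        prog, name = regs.get((proto, port), (None, "non-rpc"))
        key = (proto, f"rpc:{prog}" if prog else f"port:{port}")
        rows[key] = {"name": name, "port": port,
                     "exposed": addr in ("0.0.0.0", "::")}
    return rows
```

Diffing the keys and the `exposed` flags night to night ignores mountd's port changes; the `port` field is kept only for reading the report.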