Re: Back Orifice - RedHat 7 [Update]

From: Neophyte (neophyte@news.snel.net)
Date: 06/27/02


From: "Neophyte" <neophyte@news.snel.net>
Date: Thu, 27 Jun 2002 23:13:52 +0200

Hello again Gad,

Yes, I installed PortSentry on SuSE and then ran nmap again...what do you
know...bo2k on port 54320...just as you suggested. I understand a little
more about how PortSentry works thanks to your suggestion and a little
reading on my part.

While this puts me somewhat more at ease, I still want to understand more
before I actually put my Linux box online. I'm sure you can appreciate that.
If you're interested, I'll let you know how I get on.

Thanks again,
Gabriel

"Gad" <chookiesNOSPAM@tpg.com.au> wrote in message
news:3D1B0C6D.5020002@tpg.com.au...
> Hi,
> I was also alarmed by all the daemons on my system until I found out 90%
> was portsentry....
>
> The fact that _nmap_ reports that port 54320 (or any for that matter) is
> open, doesn't mean that it actually knows what process is listening on
> it - nmap just _suggests_ what the port is _typically_ used for (e.g.
> you could run Apache on port 54320 and nmap would report port 54320
> running with bo2k on it).
>
> Two suggestions -
> A. su to root, then do 'netstat -lutp' and check the process listening on
> the port (some data won't show in normal user mode, so you have to su).
> B. It might very well be portsentry, which is installed by default on RH
> 7.x. So do 'ps -aux | grep portsentry' and check if it's running.
>
> Good luck,
> Gad
>
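
The check suggested in the quoted message, written out as an added example that is not part of either post: it reads netstat output and reports which process actually holds a port, whatever label a scanner attaches to the port number. It assumes `-n` is added to the netstat call so ports print as numbers; the sample output is constructed, and the function names `sample_netstat` and `port_owner` are illustrative.

```shell
#!/bin/sh
# Added example: find the process that really owns a listening port,
# instead of trusting the service name a port scanner prints for it.

# Constructed sample of `netstat -lutpn` output (not taken from the thread).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:54320     0.0.0.0:*         LISTEN   812/portsentry
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   640/sshd
tcp6       0      0 :::80             :::*              LISTEN   -
udp        0      0 0.0.0.0:54321     0.0.0.0:*                  815/portsentry
EOF
}

# port_owner PORT: read netstat output on stdin, print "proto owner" for
# every listener on PORT. Exit status 1 if nothing listens there.
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            # The port follows the last colon, which also covers ":::80".
            n = split($4, addr, ":")
            if (addr[n] != port) next
            # UDP rows have no State column, so locate the owner by shape
            # ("PID/name" or "-") rather than by a fixed field number.
            owner = ""
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\// || $i == "-") { owner = $i; break }
            # "-" means netstat could not see the owner: not run as root.
            if (owner == "-" || owner == "") owner = "unknown-rerun-as-root"
            print $1, owner
            found = 1
        }
        END { exit !found }'
}

# Live use (as root): netstat -lutpn | port_owner 54320
sample_netstat | port_owner 54320    # prints: tcp 812/portsentry
```

A non-zero exit status means nothing is listening on that port at all, which is a different finding from an owner that cannot be read without root.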


