Re: Open Ports

From: Brad Olin (bwo_at_bwo1.com)
Date: 07/14/04


Date: Wed, 14 Jul 2004 07:37:30 GMT

On Tue, 13 Jul 2004 22:42:57 GMT, Chris
<I_don't_want_spam@earthlink.net> wrote:

>Gary Petersen wrote:
>
>> Let's try to keep it in the newsgroups mostly.
>>
>> You seem to have a lot of services running!
>>
>> Try this (as root):
>>
>> netstat -pnlut
>
>And the results are:
>
>[root@chris chris]# netstat -pnlut
>Active Internet connections (only servers)
>Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>tcp        0      0 0.0.0.0:645             0.0.0.0:*               LISTEN      1312/ypserv
>tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      11319/perl5.8.0
>tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1242/portmap
>tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      2330/perl
>tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1812/X
>tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      1638/named
>tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1638/named
>tcp        0      0 0.0.0.0:886             0.0.0.0:*               LISTEN      1555/rpc.ypxfrd
>tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1789/cupsd
>tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2164/master
>tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1638/named
>udp        0      0 0.0.0.0:32768           0.0.0.0:*                           1638/named
>udp        0      0 0.0.0.0:642             0.0.0.0:*                           1312/ypserv
>udp        0      0 0.0.0.0:10000           0.0.0.0:*                           2330/perl
>udp        0      0 0.0.0.0:801             0.0.0.0:*                           1896/rpc.yppasswdd
>udp        0      0 192.168.1.2:53          0.0.0.0:*                           1638/named
>udp        0      0 127.0.0.1:53            0.0.0.0:*                           1638/named
>udp        0      0 0.0.0.0:111             0.0.0.0:*                           1242/portmap
>udp        0      0 0.0.0.0:884             0.0.0.0:*                           1555/rpc.ypxfrd
>udp        0      0 0.0.0.0:631             0.0.0.0:*                           1789/cupsd
>udp        0      0 192.168.1.2:123         0.0.0.0:*                           32451/ntpd
>udp        0      0 127.0.0.1:123           0.0.0.0:*                           32451/ntpd
>udp        0      0 0.0.0.0:123             0.0.0.0:*                           32451/ntpd
>
>> Also do this:
>>
>> ps auxwwwwwww
>
>And the result of that is:
>
>[root@chris chris]# ps auxwwwwwww
>USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
>root 1 0.0 0.0 1288 84 ? S Jun28 0:04 init
>root 2 0.0 0.0 0 0 ? SW Jun28 0:01 [keventd]
>root 3 0.0 0.0 0 0 ? SW Jun28 0:00 [kapmd]
>root 4 0.0 0.0 0 0 ? SWN Jun28 0:00 [ksoftirqd_CPU0]
>root 5 0.0 0.0 0 0 ? SW Jun28 1:11 [kswapd]
>root 6 0.0 0.0 0 0 ? SW Jun28 0:00 [bdflush]
>root 7 0.0 0.0 0 0 ? SW Jun28 0:01 [kupdated]
>root 8 0.0 0.0 0 0 ? SW< Jun28 0:00 [mdrecoveryd]
>root 12 0.0 0.0 0 0 ? SW Jun28 0:16 [kjournald]
>root 96 0.0 0.0 1708 204 ? S Jun28 0:00 devfsd /dev
>root 183 0.0 0.0 0 0 ? SW Jun28 0:00 [khubd]
>root 338 0.0 0.0 0 0 ? SW Jun28 0:05 [kjournald]
>root 339 0.0 0.0 0 0 ? SW Jun28 0:02 [kjournald]
>root 652 0.0 0.0 0 0 ? SW Jun28 0:00 [eth0]
>rpc 1242 0.0 0.0 1420 4 ? S Jun28 0:00 portmap
>root 1256 0.0 0.1 1360 360 ? S Jun28 0:09 syslogd -m 0
>root 1264 0.0 0.0 2020 156 ? S Jun28 0:00 klogd -2
>root 1312 0.0 0.0 1420 4 ? S Jun28 0:00 ypserv
>xfs 1486 0.0 1.1 10676 2836 ? S Jun28 1:41 xfs -port -1 -daemon -droppriv -user xfs
>root 1538 0.0 0.0 1268 4 ? S Jun28 0:00 /usr/sbin/apmd -p 10 -w 5 -W -P /etc/sysconfig/apm-scripts/apmd_proxy
>root 1555 0.0 0.0 1468 4 ? S Jun28 0:00 rpc.ypxfrd
>root 1571 0.0 0.0 2628 4 ? S Jun28 0:00 /bin/sh /etc/X11/prefdm
>daemon 1599 0.0 0.0 1312 108 ? S Jun28 0:00 /usr/sbin/atd
>root 1603 0.0 0.0 2204 4 ? S Jun28 0:00 /usr/sbin/autologin
>root 1621 0.0 0.0 1500 4 ? S Jun28 0:00 saslauthd -a pam -T
>named 1638 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
>named 1642 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
>named 1670 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
>named 1671 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
>named 1697 0.0 0.1 11012 472 ? S Jun28 0:00 named -u named
>root 1789 0.0 1.2 7828 3188 ? S Jun28 0:06 cupsd
>chris 1800 0.0 0.0 2384 4 ? S Jun28 0:00 /bin/sh /usr/X11R6/bin/startx
>chris 1811 0.0 0.0 2164 4 ? S Jun28 0:00 xinit /etc/X11/xinit/xinitrc -- -deferglyphs 16
>root 1812 6.9 17.3 329304 44652 ? S Jun28 1501:37 /etc/X11/X :0 -deferglyphs 16
>root 1896 0.0 0.0 1568 4 ? S Jun28 0:00 rpc.yppasswdd
>chris 2000 0.0 0.0 2388 4 ? S Jun28 0:00 /bin/sh /usr/bin/startkde
>root 2164 0.0 0.0 3784 188 ? S Jun28 0:04 /usr/lib/postfix/master
>postfix 2178 0.0 0.1 3976 460 ? S Jun28 0:20 nqmgr -l -n qmgr -t fifo -u -c
>root 2312 0.0 0.0 1492 124 ? S Jun28 0:00 crond
>root 2330 0.0 0.2 8336 712 ? S Jun28 0:01 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
>root 2477 0.0 0.0 1248 4 vc/1 S Jun28 0:00 /sbin/mingetty tty1
>root 2478 0.0 0.0 1248 4 vc/2 S Jun28 0:00 /sbin/mingetty tty2
>root 2479 0.0 0.0 1248 4 vc/3 S Jun28 0:00 /sbin/mingetty tty3
>root 2480 0.0 0.0 1248 4 vc/4 S Jun28 0:00 /sbin/mingetty tty4
>root 2483 0.0 0.0 1248 4 vc/5 S Jun28 0:00 /sbin/mingetty tty5
>root 2484 0.0 0.0 1248 4 vc/6 S Jun28 0:00 /sbin/mingetty tty6
>chris 2603 0.0 0.3 23480 996 ? S Jun28 0:03 kdeinit: Running...
>chris 2606 0.0 0.3 23460 812 ? S Jun28 0:07 kdeinit: dcopserver --nosid
>chris 2609 0.0 0.7 24784 1864 ? S Jun28 0:01 kdeinit: klauncher
>chris 2611 0.0 0.4 26748 1240 ? S Jun28 13:19 kdeinit: kded
>chris 2620 0.0 0.1 7872 440 ? S Jun28 0:09 /usr/bin/artsd -F 10 -S 4096 -a alsa -s 60 -m artsmessage -l 3 -f
>chris 2630 0.0 0.4 29284 1056 ? S Jun28 0:07 kdeinit: knotify
>chris 2631 0.0 0.0 1324 36 ? S Jun28 0:00 kwrapper ksmserver --restore
>chris 2633 0.0 0.4 25212 1172 ? S Jun28 0:06 kdeinit: ksmserver --restore
>chris 2634 0.0 1.7 29360 4408 ? S Jun28 4:27 kdeinit: kwin -session 11c0a80102000107236349800000024710000
>chris 2637 0.0 1.7 32556 4384 ? S Jun28 2:38 kdeinit: kdesktop
>chris 2653 0.0 0.2 26088 648 ? S Jun28 0:04 kdeinit: kwrited
>chris 2654 0.0 0.2 24456 692 ? S Jun28 0:08 kwikdisk -session 11c0a80102000107236357800000024710010
>chris 2659 0.0 1.1 23328 2972 ? S Jun28 10:51 kpager -session 11c0a80102000107236351400000024710005
>chris 2660 0.0 0.2 25492 660 ? S Jun28 0:07 korgac --miniicon korganizer
>chris 2662 0.0 0.2 25392 652 ? S Jun28 0:07 kalarmd --login
>chris 2689 0.0 0.1 18008 320 ? S Jun28 0:00 /usr/bin/kdesud
>root 3218 0.0 0.0 1336 60 ? S Jun28 0:01 gpm -t ps/2 -m /dev/psaux
>chris 3337 0.3 1.4 18292 3812 ? S Jun28 74:58 gkrellm -c stack1
>chris 3338 2.7 1.4 18816 3704 ? S Jun28 581:20 gkrellm -c stack2
>chris 3339 1.0 1.1 17092 3028 ? S Jun28 229:41 gkrellm -c stack3
>chris 3347 0.1 0.0 1644 176 ? S Jun28 40:07 /usr/bin/esd -terminate -nobeeps -as 2 -spawnfd 9
>chris 3348 0.0 1.4 18816 3704 ? S Jun28 0:11 gkrellm -c stack2
>chris 3349 0.0 1.1 17092 3028 ? S Jun28 0:12 gkrellm -c stack3
>chris 3350 0.0 1.4 18292 3812 ? S Jun28 0:31 gkrellm -c stack1
>chris 4012 0.0 3.6 38424 9452 ? S Jun28 8:45 kdeinit: kicker
>chris 5227 0.0 0.2 26572 684 ? S Jun28 0:13 kdeinit: kio_uiserver
>chris 13814 0.0 0.2 25492 636 ? S Jun29 0:05 kdeinit: kcookiejar
>root 32451 0.0 0.6 1712 1704 ? SL Jul11 0:00 ntpd -A
>root 10304 0.0 0.0 2688 4 ? SN Jul11 0:00 /usr/bin/prelude_report -qd -P /var/run/prelude_report.pid
>root 10315 0.0 0.2 12408 536 ? SN Jul11 0:40 /usr/bin/prelude -qd -P /var/run/prelude.pid -i eth0
>root 10316 0.0 0.2 12408 536 ? SN Jul11 0:00 /usr/bin/prelude -qd -P /var/run/prelude.pid -i eth0
>root 10317 0.0 0.1 2692 308 ? SN Jul11 0:00 /usr/bin/prelude_report -qd -P /var/run/prelude_report.pid
>root 10318 0.0 0.2 12408 536 ? SN Jul11 0:00 /usr/bin/prelude -qd -P /var/run/prelude.pid -i eth0
>chris 5120 0.0 0.2 4228 756 ? S Jul11 0:06 xscreensaver -nosplash
>chris 27820 0.0 0.5 6100 1416 ? S Jul11 0:01 /usr/bin/Eterm
>chris 27823 0.0 0.0 2792 4 pts/3 S Jul11 0:00 -bash
>root 27865 0.0 0.0 2264 4 pts/3 S Jul11 0:00 su
>root 27868 0.0 0.3 2760 816 pts/3 S Jul11 0:00 bash
>chris 16818 0.8 6.6 36664 17136 ? S Jul12 10:06 kmail -caption KMail -icon kmail.png -miniicon kmail.png
>chris 17023 0.0 0.6 23812 1624 ? S Jul12 0:02 kdeinit: kio_pop3 pop3 /tmp/ksocket-chris/klauncherkTsghc.slave-socket /tmp/ksocket-chris/kmailhLtjQa.slave-socket
>root 11319 0.4 15.4 41972 39808 ? S 17:19 0:04 /usr/bin/perl5.8.0 -T -w /usr/bin/spamd -d -c -a -H -m 1
>postfix 11401 0.0 0.4 3888 1284 ? S 17:20 0:00 pickup -l -t fifo -u -c
>chris 11927 1.1 7.7 47296 19936 ? S 17:30 0:02 knode -caption KNode -icon knode.png -miniicon knode.png
>chris 11929 0.0 7.7 47296 19936 ? S 17:30 0:00 knode -caption KNode -icon knode.png -miniicon knode.png
>chris 11930 0.0 7.7 47296 19936 ? S 17:30 0:00 knode -caption KNode -icon knode.png -miniicon knode.png
>chris 11931 0.0 7.7 47296 19936 ? S 17:30 0:00 knode -caption KNode -icon knode.png -miniicon knode.png
>root 12091 0.0 0.3 2604 792 pts/3 R 17:34 0:00 ps auxwwwwwww
>[root@chris chris]#
>
>> I crossposted this to comp.os.linux.security because they are likely to
>> know what is normal for a Fedora/Redhat system.
>>
>> Your system is probably not compromised, but I would freak out if I had
>> so many listening ports.
>>
>> (Follups are set to comp.os.linux.security.)
>
>Also, below are the results of me trying to enter my system from a friend's
>house:
>
>[allen@localhost allen]$ telnet
>telnet> open
>(to) XX.XX.XXX.XX
>Trying XX.XX.XXX.XX...
>Connected to tx-XX-XX-XXX-XX.dyn.sprint-hsd.net (XX.XX.XXX.XX).
>Escape character is '^]'.
>Connection closed by foreign host.
>[allen@localhost allen]$ ftp XX.XX.XXX.XX
>Connected to XX.XX.XXX.XX.
>421 Service not available, remote server has closed connection
>ftp>
>[2]+ Stopped ftp XX.XX.XXX.XX
>[allen@localhost allen]$
>
>Failure To Connect To Web Server
>Failure To Connect To Web Server

Sorry for the long inclusion, guys, but it's actually relevant.

The answer is in what you don't see... You tried to connect via three
different services: telnet, ftp, and http. If you look back at the
netstat output you don't see any daemons listening on the applicable
ports for those three services; this is also confirmed by the ps output.
Looking at the client telnet/ftp/http error output, it looks like you
got through any netfilter (iptables) rules, but there just isn't a
daemon running.

The other daemon that I don't see, and should probably be running, is
sshd.

I'm not sure this is really a security issue; it seems more of a
configuration thing.

Brad

-- 
          "Sometimes I worry about being a success in a mediocre world."
                                                             Lily Tomlin
Bradley W. Olin
http://www.bwo1.com
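The check Brad does by eye above (probed ports versus what netstat actually shows in LISTEN, then which of the remaining listeners are bound to more than loopback) can be scripted. The following is an added example, not code from anyone in this thread. NETSTAT_OUTPUT is Chris's posted listing re-joined to one line per socket; PROBED maps each protocol tried from the friend's box, plus sshd, to its standard port. The function names and report layout are mine, and the rule "anything not bound to 127.x is network-reachable unless a packet filter says otherwise" is an assumption stated in the code.

```python
"""Cross-check a `netstat -pnlut` listing against the services a remote probe hit.

Added example, not from the original thread. NETSTAT_OUTPUT is the listing
quoted in the post, re-joined so each socket is one line. PROBED holds the
IANA ports for the protocols tried (telnet, ftp, http) plus ssh.
"""

NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State   PID/Program name
tcp   0 0 0.0.0.0:645     0.0.0.0:* LISTEN 1312/ypserv
tcp   0 0 127.0.0.1:783   0.0.0.0:* LISTEN 11319/perl5.8.0
tcp   0 0 0.0.0.0:111     0.0.0.0:* LISTEN 1242/portmap
tcp   0 0 0.0.0.0:10000   0.0.0.0:* LISTEN 2330/perl
tcp   0 0 0.0.0.0:6000    0.0.0.0:* LISTEN 1812/X
tcp   0 0 192.168.1.2:53  0.0.0.0:* LISTEN 1638/named
tcp   0 0 127.0.0.1:53    0.0.0.0:* LISTEN 1638/named
tcp   0 0 0.0.0.0:886     0.0.0.0:* LISTEN 1555/rpc.ypxfrd
tcp   0 0 0.0.0.0:631     0.0.0.0:* LISTEN 1789/cupsd
tcp   0 0 127.0.0.1:25    0.0.0.0:* LISTEN 2164/master
tcp   0 0 127.0.0.1:953   0.0.0.0:* LISTEN 1638/named
udp   0 0 0.0.0.0:32768   0.0.0.0:*        1638/named
udp   0 0 0.0.0.0:642     0.0.0.0:*        1312/ypserv
udp   0 0 0.0.0.0:10000   0.0.0.0:*        2330/perl
udp   0 0 0.0.0.0:801     0.0.0.0:*        1896/rpc.yppasswdd
udp   0 0 192.168.1.2:53  0.0.0.0:*        1638/named
udp   0 0 127.0.0.1:53    0.0.0.0:*        1638/named
udp   0 0 0.0.0.0:111     0.0.0.0:*        1242/portmap
udp   0 0 0.0.0.0:884     0.0.0.0:*        1555/rpc.ypxfrd
udp   0 0 0.0.0.0:631     0.0.0.0:*        1789/cupsd
udp   0 0 192.168.1.2:123 0.0.0.0:*        32451/ntpd
udp   0 0 127.0.0.1:123   0.0.0.0:*        32451/ntpd
udp   0 0 0.0.0.0:123     0.0.0.0:*        32451/ntpd
"""

# Service name -> well-known TCP port (standard IANA assignments).
PROBED = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80}


def parse_listeners(text):
    """One dict per socket row: proto, addr, port, pid, program.

    UDP rows have no State column, so the local address is read from a
    fixed position and PID/Program from the last column.
    """
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header or blank line
        addr, _, port = f[3].rpartition(":")
        pid, _, program = f[-1].partition("/")
        rows.append({"proto": f[0], "addr": addr, "port": int(port),
                     "pid": int(pid) if pid.isdigit() else None,
                     "program": program or f[-1]})
    return rows


def services_without_listener(listeners, probed=PROBED):
    """Probed services with no TCP socket in LISTEN: the 'what you don't see'."""
    tcp_ports = {r["port"] for r in listeners if r["proto"].startswith("tcp")}
    return sorted(n for n, p in probed.items() if p not in tcp_ports)


def network_reachable(listeners, proto="tcp"):
    """(port, program) for sockets not bound to loopback.

    Assumption: 0.0.0.0 and a LAN address like 192.168.1.2 are reachable
    from off-host unless a packet filter intervenes; 127.x never is.
    """
    return sorted((r["port"], r["program"]) for r in listeners
                  if r["proto"] == proto and not r["addr"].startswith("127."))


def ports_by_program(listeners):
    """program -> ['tcp/53', ...], deduplicated, to line up against `ps` by name."""
    seen = {}
    for r in listeners:
        seen.setdefault(r["program"], set()).add((r["proto"], r["port"]))
    return {prog: [f"{p}/{n}" for p, n in sorted(pairs)]
            for prog, pairs in sorted(seen.items())}


def report(text, probed=PROBED):
    ls = parse_listeners(text)
    out = ["Probed services with no TCP listener: "
           + ", ".join(services_without_listener(ls, probed)),
           "TCP listeners reachable from the network:"]
    out += [f"  {port:>5}  {prog}" for port, prog in network_reachable(ls)]
    out.append("Ports per program (match these against ps):")
    out += [f"  {prog:<18} {' '.join(ports)}"
            for prog, ports in ports_by_program(ls).items()]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(NETSTAT_OUTPUT))
```

Run against the listing, the report shows ftp, http, ssh and telnet with no listener, and seven TCP listeners reachable from off-host (named on the LAN address; portmap, cupsd, ypserv, rpc.ypxfrd, X and the webmin perl on all interfaces). The program names come straight from netstat's `-p` column, so each can be matched to the `ps` output by PID (2330/perl is the webmin miniserv.pl line there).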

