Re: Port 699 listening
On Wed, Dec 14, 2005 at 11:18:29PM -0600, Jeffrey L. Taylor wrote: >Quoting Alex Pankratz <[EMAIL PROTECTED]>: >[snip] >>Did, and that made both 111 and 699 not show up in nmap scan. sweet, >>thanks Jeffery. I could swear that in the past I saw 111 open and I >>sort of ignored it, why would 699 be open now, and then closed? why is >>statd running, i dont use NFS. >> >There are several services that use portmapper. Generally it has to >be ripped out manually after a clean install (at least for Debian and >SuSE). Read the portmap manpage. It tells you about the -i option and tcp_wrapper support. >Jeffrey Aníbal Monsalve Salazar -- .''`. Debian GNU/Linux : :' : Free Operating System `. `' http://debian.org/ `- http://v7w.com/anibal signature.asc Description: Digital signature
Re: Port 699 listening
In article <[EMAIL PROTECTED]> you wrote: > netstat -na | grep 699 > tcp0 0 0.0.0.0:699 0.0.0.0:* LISTEN if you run it as root and use "netstat -lnpo" it will give you the pid and process name of the open listening socket. In some rare cases netstat wont help, then you could use "lsof -i :699" also (as root). Gruss Bernd -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Port 699 listening
Quoting Alex Pankratz <[EMAIL PROTECTED]>: [snip] > Did, and that made both 111 and 699 not show up in nmap scan. sweet, > thanks Jeffery. I could swear that in the past I saw 111 open and I > sort of ignored it, why would 699 be open now, and then closed? why is > statd running, i dont use NFS. > There are several services that use portmapper. Generally it has to be ripped out manually after a clean install (at least for Debian and SuSE). Jeffrey -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Port 699 listening
> See interspersed comments below. My replies interspersed > > Quoting Alex Pankratz <[EMAIL PROTECTED]>: > > My apologies in advance if this is the wrong place to ask this, this > > is my first time asking for help.. > > > > What is running on port 699? I only have squid, ssh, and dhcpd > > listening on my 2 internal interfaces, but nothing on my external one > > (XXX.XXX.XXX.XXX below) > > > > I just ran nmap, and it returned: > > Discovered open port 699/tcp on XXX.XXX.XXX.XXX > > Discovered open port 111/tcp on XXX.XXX.XXX.XXX > > > > And netstat shows: > > netstat -na | grep 699 > > tcp0 0 0.0.0.0:699 0.0.0.0:* LISTEN > > > > Try: lsof -i4 -P | grep 699 rpc.statd 1789root6u IPv42165 TCP *:699 (LISTEN) > > I ran chkrootkit and it returned nothing > > > > Google tells me: > > # Thomas Clausen <[EMAIL PROTECTED]> > > accessnetwork 699/tcpAccess Network > > accessnetwork 699/udpAccess Network > > > > - What is "Access Network"? > > - How can I get RPC to not listen on port 111 at all? > > apt-get --purge remove portmap Did, and that made both 111 and 699 not show up in nmap scan. sweet, thanks Jeffery. I could swear that in the past I saw 111 open and I sort of ignored it, why would 699 be open now, and then closed? why is statd running, i dont use NFS. On a possibly related note, snort is showing me a ton of "SCAN FIN" messages from the same IP, just recently. Also on a possibly related note, could that be the reason why snort is also showing me "(portscan) TCP Portsweep" originating from my external interface? > > or > > invoke-rc.d portmap stop > > > - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet > > interfaces listen for those ports? > > Yes, 0.0.0.0 means all interfaces. > > > > This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as > > much as possible, except for the recent kernel update just released. > > > > Your help is appreciated, > > > > Alex > > > > HTH, > Jeffrey > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] > >
Re: Port 699 listening
See interspersed comments below. Quoting Alex Pankratz <[EMAIL PROTECTED]>: > My apologies in advance if this is the wrong place to ask this, this > is my first time asking for help.. > > What is running on port 699? I only have squid, ssh, and dhcpd > listening on my 2 internal interfaces, but nothing on my external one > (XXX.XXX.XXX.XXX below) > > I just ran nmap, and it returned: > Discovered open port 699/tcp on XXX.XXX.XXX.XXX > Discovered open port 111/tcp on XXX.XXX.XXX.XXX > > And netstat shows: > netstat -na | grep 699 > tcp0 0 0.0.0.0:699 0.0.0.0:* LISTEN > Try: lsof -i4 -P | grep 699 > I ran chkrootkit and it returned nothing > > Google tells me: > # Thomas Clausen <[EMAIL PROTECTED]> > accessnetwork 699/tcpAccess Network > accessnetwork 699/udpAccess Network > > - What is "Access Network"? > - How can I get RPC to not listen on port 111 at all? apt-get --purge remove portmap or invoke-rc.d portmap stop > - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet > interfaces listen for those ports? Yes, 0.0.0.0 means all interfaces. > > This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as > much as possible, except for the recent kernel update just released. > > Your help is appreciated, > > Alex > HTH, Jeffrey -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]