Re: Port 699 listening
On Wed, Dec 14, 2005 at 11:18:29PM -0600, Jeffrey L. Taylor wrote: Quoting Alex Pankratz [EMAIL PROTECTED]: [snip] Did, and that made both 111 and 699 not show up in nmap scan. sweet, thanks Jeffery. I could swear that in the past I saw 111 open and I sort of ignored it, why would 699 be open now, and then closed? why is statd running, i dont use NFS. There are several services that use portmapper. Generally it has to be ripped out manually after a clean install (at least for Debian and SuSE). Read the portmap manpage. It tells you about the -i option and tcp_wrapper support. Jeffrey Aníbal Monsalve Salazar -- .''`. Debian GNU/Linux : :' : Free Operating System `. `' http://debian.org/ `- http://v7w.com/anibal signature.asc Description: Digital signature
Port 699 listening
My apologies in advance if this is the wrong place to ask this, this is my first time asking for help.. What is running on port 699? I only have squid, ssh, and dhcpd listening on my 2 internal interfaces, but nothing on my external one (XXX.XXX.XXX.XXX below) I just ran nmap, and it returned: Discovered open port 699/tcp on XXX.XXX.XXX.XXX Discovered open port 111/tcp on XXX.XXX.XXX.XXX And netstat shows: netstat -na | grep 699 tcp0 0 0.0.0.0:699 0.0.0.0:* LISTEN I ran chkrootkit and it returned nothing Google tells me: # Thomas Clausen [EMAIL PROTECTED] accessnetwork 699/tcpAccess Network accessnetwork 699/udpAccess Network - What is Access Network? - How can I get RPC to not listen on port 111 at all? - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet interfaces listen for those ports? This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as much as possible, except for the recent kernel update just released. Your help is appreciated, Alex
Re: Port 699 listening
See interspersed comments below. Quoting Alex Pankratz [EMAIL PROTECTED]: My apologies in advance if this is the wrong place to ask this, this is my first time asking for help.. What is running on port 699? I only have squid, ssh, and dhcpd listening on my 2 internal interfaces, but nothing on my external one (XXX.XXX.XXX.XXX below) I just ran nmap, and it returned: Discovered open port 699/tcp on XXX.XXX.XXX.XXX Discovered open port 111/tcp on XXX.XXX.XXX.XXX And netstat shows: netstat -na | grep 699 tcp0 0 0.0.0.0:699 0.0.0.0:* LISTEN Try: lsof -i4 -P | grep 699 I ran chkrootkit and it returned nothing Google tells me: # Thomas Clausen [EMAIL PROTECTED] accessnetwork 699/tcpAccess Network accessnetwork 699/udpAccess Network - What is Access Network? - How can I get RPC to not listen on port 111 at all? apt-get --purge remove portmap or invoke-rc.d portmap stop - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet interfaces listen for those ports? Yes, 0.0.0.0 means all interfaces. This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as much as possible, except for the recent kernel update just released. Your help is appreciated, Alex HTH, Jeffrey -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Port 699 listening
See interspersed comments below. My replies interspersed Quoting Alex Pankratz [EMAIL PROTECTED]: My apologies in advance if this is the wrong place to ask this, this is my first time asking for help.. What is running on port 699? I only have squid, ssh, and dhcpd listening on my 2 internal interfaces, but nothing on my external one (XXX.XXX.XXX.XXX below) I just ran nmap, and it returned: Discovered open port 699/tcp on XXX.XXX.XXX.XXX Discovered open port 111/tcp on XXX.XXX.XXX.XXX And netstat shows: netstat -na | grep 699 tcp0 0 0.0.0.0:699 0.0.0.0:* LISTEN Try: lsof -i4 -P | grep 699 rpc.statd 1789root6u IPv42165 TCP *:699 (LISTEN) I ran chkrootkit and it returned nothing Google tells me: # Thomas Clausen [EMAIL PROTECTED] accessnetwork 699/tcpAccess Network accessnetwork 699/udpAccess Network - What is Access Network? - How can I get RPC to not listen on port 111 at all? apt-get --purge remove portmap Did, and that made both 111 and 699 not show up in nmap scan. sweet, thanks Jeffery. I could swear that in the past I saw 111 open and I sort of ignored it, why would 699 be open now, and then closed? why is statd running, i dont use NFS. On a possibly related note, snort is showing me a ton of SCAN FIN messages from the same IP, just recently. Also on a possibly related note, could that be the reason why snort is also showing me (portscan) TCP Portsweep originating from my external interface? or invoke-rc.d portmap stop - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet interfaces listen for those ports? Yes, 0.0.0.0 means all interfaces. This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as much as possible, except for the recent kernel update just released. Your help is appreciated, Alex HTH, Jeffrey -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Port 699 listening
Quoting Alex Pankratz [EMAIL PROTECTED]: [snip] Did, and that made both 111 and 699 not show up in nmap scan. sweet, thanks Jeffery. I could swear that in the past I saw 111 open and I sort of ignored it, why would 699 be open now, and then closed? why is statd running, i dont use NFS. There are several services that use portmapper. Generally it has to be ripped out manually after a clean install (at least for Debian and SuSE). Jeffrey -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Port 699 listening
In article [EMAIL PROTECTED] you wrote: netstat -na | grep 699 tcp0 0 0.0.0.0:699 0.0.0.0:* LISTEN if you run it as root and use netstat -lnpo it will give you the pid and process name of the open listening socket. In some rare cases netstat wont help, then you could use lsof -i :699 also (as root). Gruss Bernd -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]