Re: Port 699 listening
On Wed, Dec 14, 2005 at 11:18:29PM -0600, Jeffrey L. Taylor wrote:
> Quoting Alex Pankratz [EMAIL PROTECTED]:
> [snip]
> > Did, and that made both 111 and 699 not show up in nmap scan. Sweet, thanks Jeffrey.
> >
> > I could swear that in the past I saw 111 open and I sort of ignored it, why would 699 be open now, and then closed? Why is statd running? I don't use NFS.
>
> There are several services that use portmapper. Generally it has to be ripped out manually after a clean install (at least for Debian and SuSE).

Read the portmap manpage. It tells you about the -i option and tcp_wrapper support.

> Jeffrey

Aníbal Monsalve Salazar
--
 .''`.  Debian GNU/Linux
: :' :  Free Operating System
`. `'   http://debian.org/
  `-    http://v7w.com/anibal
Re: Port 699 listening
See interspersed comments below.

Quoting Alex Pankratz [EMAIL PROTECTED]:
> My apologies in advance if this is the wrong place to ask this, this is my first time asking for help..
>
> What is running on port 699? I only have squid, ssh, and dhcpd listening on my 2 internal interfaces, but nothing on my external one (XXX.XXX.XXX.XXX below)
>
> I just ran nmap, and it returned:
> Discovered open port 699/tcp on XXX.XXX.XXX.XXX
> Discovered open port 111/tcp on XXX.XXX.XXX.XXX
>
> And netstat shows:
> netstat -na | grep 699
> tcp        0      0 0.0.0.0:699             0.0.0.0:*               LISTEN

Try:
lsof -i4 -P | grep 699

> I ran chkrootkit and it returned nothing
>
> Google tells me:
> # Thomas Clausen [EMAIL PROTECTED]
> accessnetwork   699/tcp   Access Network
> accessnetwork   699/udp   Access Network
>
> - What is Access Network?
> - How can I get RPC to not listen on port 111 at all?

apt-get --purge remove portmap
or
invoke-rc.d portmap stop

> - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet interfaces listen for those ports?

Yes, 0.0.0.0 means all interfaces.

> This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as much as possible, except for the recent kernel update just released.
>
> Your help is appreciated,
> Alex

HTH,
Jeffrey

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Port 699 listening
> See interspersed comments below.

My replies interspersed

> Quoting Alex Pankratz [EMAIL PROTECTED]:
> > My apologies in advance if this is the wrong place to ask this, this is my first time asking for help..
> >
> > What is running on port 699? I only have squid, ssh, and dhcpd listening on my 2 internal interfaces, but nothing on my external one (XXX.XXX.XXX.XXX below)
> >
> > I just ran nmap, and it returned:
> > Discovered open port 699/tcp on XXX.XXX.XXX.XXX
> > Discovered open port 111/tcp on XXX.XXX.XXX.XXX
> >
> > And netstat shows:
> > netstat -na | grep 699
> > tcp        0      0 0.0.0.0:699             0.0.0.0:*               LISTEN
>
> Try:
> lsof -i4 -P | grep 699

rpc.statd 1789 root 6u IPv4 2165 TCP *:699 (LISTEN)

> > I ran chkrootkit and it returned nothing
> >
> > Google tells me:
> > # Thomas Clausen [EMAIL PROTECTED]
> > accessnetwork   699/tcp   Access Network
> > accessnetwork   699/udp   Access Network
> >
> > - What is Access Network?
> > - How can I get RPC to not listen on port 111 at all?
>
> apt-get --purge remove portmap

Did, and that made both 111 and 699 not show up in nmap scan. Sweet, thanks Jeffrey.

I could swear that in the past I saw 111 open and I sort of ignored it, why would 699 be open now, and then closed? Why is statd running? I don't use NFS.

On a possibly related note, snort is showing me a ton of SCAN FIN messages from the same IP, just recently.

Also on a possibly related note, could that be the reason why snort is also showing me (portscan) TCP Portsweep originating from my external interface?

> or
> invoke-rc.d portmap stop
>
> > - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet interfaces listen for those ports?
>
> Yes, 0.0.0.0 means all interfaces.
>
> > This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as much as possible, except for the recent kernel update just released.
> >
> > Your help is appreciated,
> > Alex
>
> HTH,
> Jeffrey
Re: Port 699 listening
Quoting Alex Pankratz [EMAIL PROTECTED]:
[snip]
> Did, and that made both 111 and 699 not show up in nmap scan. Sweet, thanks Jeffrey.
>
> I could swear that in the past I saw 111 open and I sort of ignored it, why would 699 be open now, and then closed? Why is statd running? I don't use NFS.

There are several services that use portmapper. Generally it has to be ripped out manually after a clean install (at least for Debian and SuSE).

Jeffrey
Re: Port 699 listening
In article [EMAIL PROTECTED] you wrote:
> netstat -na | grep 699
> tcp        0      0 0.0.0.0:699             0.0.0.0:*               LISTEN

If you run it as root and use netstat -lnpo it will give you the pid and process name of the open listening socket. In some rare cases netstat won't help, then you could use lsof -i :699 also (as root).

Regards,
Bernd
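
[Added example, not part of any message in this thread.] The check the thread works through by hand (which process owns each listening port, whether it is bound to 0.0.0.0, and whether it is one of the services the admin expects) can be scripted over `netstat -lnp` output. The function name `audit_listeners`, the expected-service list and every sample line except the rpc.statd one (PID 1789, port 699, taken from the lsof output above) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnp` output (TCP lines, run as root).
# Only the rpc.statd entry mirrors the thread; the other lines are made up.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:699             0.0.0.0:*               LISTEN      1789/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1502/portmap
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN      2110/squid
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN      1930/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1801/exim4'

# audit_listeners EXPECTED
# Reads netstat -lnp output on stdin. EXPECTED is a space-separated list of
# program names that are supposed to be listening. Prints one line per TCP
# listener: port, bind scope, pid, program, verdict.
audit_listeners() {
    awk -v expected="$1" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Split "addr:port" at the last colon so IPv6 forms like :::22 work.
            port = $4; sub(/.*:/, "", port)
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
            else scope = "addr=" addr
            # Field 7 is PID/Program, or "-" when netstat was not run as root.
            pid = "?"; prog = "?"
            if ($7 != "-" && index($7, "/")) {
                pid = substr($7, 1, index($7, "/") - 1)
                prog = substr($7, index($7, "/") + 1)
            }
            verdict = (prog in ok) ? "expected" : "UNEXPECTED"
            print port, scope, pid, prog, verdict
        }'
}

# Stand-alone run against the sample. On a live host, as root:
#   netstat -lnp | audit_listeners "squid sshd"
printf '%s\n' "$SAMPLE" | audit_listeners "squid sshd exim4"
```

On the sample, rpc.statd (699) and portmap (111) are reported as UNEXPECTED listeners bound to all interfaces, which is the situation the original poster found.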