Re: who owns the ports?

2001-02-09 Thread Giacomo Mulas

On Fri, 9 Feb 2001, Rolf Kutz wrote:

 Wade Richards ([EMAIL PROTECTED]) wrote:
 
  I've got a rescue CD with most of the packages on it, and most(*) of
  those packages include MD5 sums for all the files.
  
  There should be a way to, after booting up on my rescue CD, check all
  my files against the MD5 checksums on the CD (ignoring the conffiles,
  of course).
 
 Tripwire
 
  Better yet, for the packages that are not on my CD, it could get the
  MD5s from the FTP archive.
  
  Does anyone know of such a feature already in the rescue disks?
 
 No, but you can do it with tripwire.

Yes. Simple rules of thumb:

1) use a clean rescue CD to boot from it (to be safe from rootkits).
always do a cold boot (from power off state), just in case

2) use the tripwire binary from the CD to build a database of
signatures of the important files on your computer and store it on
a floppy (it will usually fit, if you compress it)

3) from time to time, or if you suspect a compromise, boot again from the
CD and check the integrity of the files against the signatures on your
floppy. 

4) NEVER EVER rewrite your database (or insert the floppy disk containing
it write enabled) on an untrusted host


Bye
Giacomo

_

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
_

OSSERVATORIO  ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222
_

"When the storms are raging around you, stay right where you are"
 (Freddy Mercury)
_


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
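The four rules above, as an added example that is not code from the thread or from tripwire itself: a minimal baseline-and-verify pair in POSIX sh. build_baseline records a SHA-256 for every regular file under a tree (the host filesystem mounted from the rescue CD), verify_baseline compares the live tree with that record and reports changed, missing and added files. Function names and the paths in the usage comments are assumptions; sha256sum stands in for the MD5 the thread talks about.

```sh
#!/bin/sh
# Added example (not code from the thread or from tripwire): a minimal
# baseline-and-verify pair in POSIX sh. build_baseline records a SHA-256 for
# every regular file under a tree; verify_baseline compares the live tree
# with that record and reports CHANGED, MISSING and ADDED files. The thread
# talks about MD5; sha256sum is used here as the stronger default. Function
# names and the paths in the usage comments are assumptions.

# build_baseline TREE OUTFILE
#   e.g. build_baseline /mnt/target /floppy/baseline.sha256
#   Run from the clean boot medium, with the host filesystem mounted on TREE,
#   and write OUTFILE to removable media that is write-protected afterwards.
build_baseline() {
    tree=$1; out=$2
    ( cd "$tree" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k 2 > "$out"
}

# verify_baseline TREE BASELINE
#   Prints one line per difference; returns 0 only when the tree matches
#   the baseline exactly (nothing changed, removed or added).
verify_baseline() {
    tree=$1; base=$2; rc=0
    # 1. every recorded file must still exist and still hash to the recorded value
    while read -r sum rel; do
        if [ ! -f "$tree/$rel" ]; then
            echo "MISSING  $rel"; rc=1
        elif [ "$(cd "$tree" && sha256sum "$rel" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED  $rel"; rc=1
        fi
    done < "$base"
    # 2. any file present now but absent from the baseline is new
    #    (this is what a package-checksum list cannot tell you)
    livelist=$(mktemp); baselist=$(mktemp)
    ( cd "$tree" && find . -type f ) | LC_ALL=C sort > "$livelist"
    sed 's/^[^ ]*  //' "$base" | LC_ALL=C sort > "$baselist"
    added=$(LC_ALL=C comm -13 "$baselist" "$livelist")
    rm -f "$livelist" "$baselist"
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED    /'
        rc=1
    fi
    return $rc
}
```

The baseline is only as trustworthy as the kernel and the sha256sum that produced it, which is why both steps belong on the rescue CD and the output file on write-protected media: rebuilding the record on a host you already suspect (rule 4) would simply enshrine the attacker's files as the norm. Because the record covers everything under the tree, it also catches the cases a per-package checksum list misses: files that were added and configuration files that were edited.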




Re: who owns the ports?

2001-02-09 Thread Carlos Carvalho

Giacomo Mulas ([EMAIL PROTECTED]) wrote on 9 February 2001 12:23:
 On Fri, 9 Feb 2001, Rolf Kutz wrote:
 
  Wade Richards ([EMAIL PROTECTED]) wrote:
  
   I've got a rescue CD with most of the packages on it, and most(*) of
   those packages include MD5 sums for all the files.
   
   There should be a way to, after booting up on my rescue CD, check all
   my files against the MD5 checksums on the CD (ignoring the conffiles,
   of course).
  
  Tripwire
  
   Better yet, for the packages that are not on my CD, it could get the
   MD5s from the FTP archive.
   
   Does anyone know of such a feature already in the rescue disks?
  
  No, but you can do it with tripwire.

Another alternative is to use sxid. It can be configured to check not
only s[ug]id programs but any files and directories.

And I think checking conf files is as important as checking binaries.






Re: who owns the ports?

2001-02-09 Thread John Mullee
#! /bin/sh
# adaptable for udp also
# Local TCP ports in use: the port is what follows the first ':' on each
# "tcp" line of netstat (IPv4 only; IPv6 local addresses contain more colons).
export TCPPRTS=`netstat -na -t | grep "^tcp" | sed "s/^[^:]*:\([0-9]*\).*/\1/" | sort -nu`
echo "Active tcp ports:" $TCPPRTS

for PRT in ${TCPPRTS} ; do
    echo "port number $PRT :" `grep "[^0-9]${PRT}/tcp" /etc/services`
    # fuser prints the PIDs on stdout and the "NNN/tcp:" label on stderr;
    # with no PID (not root, or nothing bound) the inner loop simply runs zero times
    export TPID=`fuser ${PRT}/tcp 2>/dev/null`
    # match the PID exactly instead of grepping for it as a substring
    for P in ${TPID} ; do
        ps wax | awk -v pid="$P" '$1 == pid { print $1" "$5 }'
    done
done



Re: who owns the ports?

2001-02-09 Thread Carlos Carvalho
I'm seeing this strange thing:

# netstat -epav  
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

Not that I'm running as root! What does it mean?




Re: who owns the ports?

2001-02-09 Thread Rolf Kutz
Philipe Gaspar ([EMAIL PROTECTED]) wrote:

   There should be a way to, after booting up on my rescue CD, check all
   my files against the MD5 checksums on the CD (ignoring the conffiles,
   of course).
 
  Tripwire
 Try the package debsum, it is a tool to handle md5sums for installed packages

It doesn't check for added files, altered
config-files, things you compiled yourself, etc.

cu,
Rolf



Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas

On Wed, 7 Feb 2001, Carl Brock Sides wrote:

 My immediate guess, upon seeing anything running on 31337, is that
 you've been "0wn3d", as the script kiddies put it, and maybe lsof has
 been trojaned not to list the attacker's processes.
 
 You are running lsof as root, right? It won't show you everything as an
 ordinary user.
 
 You don't say what version of Debian you're running. If you're running
 potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:
 
 be8cf28300c29db5dffbea19fd613abf  /usr/sbin/lsof
 
 If that's not it, it's a trojan. I'd guess that other useful tools for
 finding out what's going on, e.g. ls and ps and fuser, have been
 trojaned as well. (Although you might want to try "fuser 31337/tcp",
 maybe the attacker forgot about it.)
 
 Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
 interested in further investigation.

This may be not enough: recent rootkits install trojan libraries or even a
trojan kernel module, and intercept system calls directly, with no need to
tamper with tools. Therefore they are both more difficult to detect and
more difficult to clean. To be safe you need to boot from a safe kernel
and/or run statically linked utilities. A clean rescue cdrom is the safest
bet.

Bye
Giacomo





Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Running lsof as root or various versions of netstat showed that portsentry owns
 these ports :-)

Glad to hear it was a false alarm. Sorry to have alarmed you.

Bye
Giacomo





Re: who owns the ports?

2001-02-08 Thread Philipe Gaspar

On Thursday 08 February 2001 03:19, Bradley M Alexander wrote:
 On Wed, Feb 07, 2001 at 05:12:48PM -0500, Matthias G. Imhof wrote:
  Running lsof as root or various versions of netstat showed that
  portsentry owns these ports :-)

 This is quite true. I remember now that I had the same issue come up when I
 set up portsentry. If you run it in -tcp and/or -udp mode, it will appear
 that these ports are listening. However if you switch to advanced mode
 (-atcp and/or -audp), these ports will not respond.
But in advanced mode it doesn't show all the listening ports?
What ports did it show? And it blocked the IP address?






Re: who owns the ports?

2001-02-08 Thread Wade Richards

All this discussion about the possibility of "script kiddies" installing
root kits, and overwriting various important system files, makes me think
of a useful potential feature.  And since this is Debian, I figure there's
a good chance that this useful feature already exists, and I just don't
know about it.

I've got a rescue CD with most of the packages on it, and most(*) of
those packages include MD5 sums for all the files.

There should be a way to, after booting up on my rescue CD, check all
my files against the MD5 checksums on the CD (ignoring the conffiles,
of course).

Better yet, for the packages that are not on my CD, it could get the
MD5s from the FTP archive.

Does anyone know of such a feature already in the rescue disks?

Thanks,

--- Wade

(*)On a slightly off-topic topic, why is it that only most of the packages
contain MD5 checksums?  Is the package maintainer required to do this,
or can it be done auto-magically when a package is uploaded?








Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas
On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Performing strobe or nmap on my system, I get, e.g., the following list:

(omitted)

It is very likely that your host has been compromised and a rootkit
installed. Do not trust any of the utilities on that host. Instead, boot
off a (trusted) rescue cd with a clean system on it, and check with it. 
Be careful how you take down that computer: I have seen crackers install
background processes that monitor e.g. the connectivity of the computer
and do an rm -rf / command if they suspect they have been caught. As
crazy as it sounds, if your computer has indeed been compromised the
safest thing may indeed be to simply cut the power off. Whatever you do,
be careful.

Bye
Giacomo




Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas
On Wed, 7 Feb 2001, Aaron Dewell wrote:

 Well, finger is probably running through inetd...  Either that or you
 are running that scanner detector package that binds to every port
 known in the universe.

He said he checked inetd.conf, and whatever is bound to any port lsof
should report it. It smells fishy...

Bye
Giacomo





Re: who owns the ports?

2001-02-08 Thread Rolf Kutz
Wade Richards ([EMAIL PROTECTED]) wrote:

 I've got a rescue CD with most of the packages on it, and most(*) of
 those packages include MD5 sums for all the files.
 
 There should be a way to, after booting up on my rescue CD, check all
 my files against the MD5 checksums on the CD (ignoring the conffiles,
 of course).

Tripwire

 Better yet, for the packages that are not on my CD, it could get the
 MD5s from the FTP archive.
 
 Does anyone know of such a feature already in the rescue disks?

No, but you can do it with tripwire.

cu,
Rolf



Re: who owns the ports?

2001-02-08 Thread Philipe Gaspar
On Thursday 08 February 2001 21:21, Rolf Kutz wrote:
 Wade Richards ([EMAIL PROTECTED]) wrote:
  I've got a rescue CD with most of the packages on it, and most(*) of
  those packages include MD5 sums for all the files.
 
  There should be a way to, after booting up on my rescue CD, check all
  my files against the MD5 checksums on the CD (ignoring the conffiles,
  of course).

 Tripwire
Try the package debsum, it is a tool to handle md5sums for installed packages

  Better yet, for the packages that are not on my CD, it could get the
  MD5s from the FTP archive.
 
  Does anyone know of such a feature already in the rescue disks?

 No, but you can do it with tripwire.

 cu,
   Rolf



Re: who owns the ports?

2001-02-07 Thread Aaron Dewell


Well, finger is probably running through inetd...  Either that or you
are running that scanner detector package that binds to every port
known in the universe.

Aaron

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:
 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp     open  finger
 119/tcp    open  nntp
 143/tcp    open  imap2
 540/tcp    open  uucp
 6667/tcp   open  irc
 12345/tcp  open  NetBus
 12346/tcp  open  NetBus
 31337/tcp  open  Elite
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controls them?
 
 Matthias






Re: who owns the ports?

2001-02-07 Thread Alexander Hvostov

Matthias,

netstat -atp | less

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS/CMCC/IT d- s:+ a16 C++()$ UL$ P--- L$ E+ W+(-) N+ o? K? w---() 
!O !M !V PS+(++)+ PE-(--) Y++ PGP t+++ !5 X-- R++ tv(+) b+(++) DI(+) D++ 
G+++ e-- h! !r y+++ 
--END GEEK CODE BLOCK--

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp     open  finger
 119/tcp    open  nntp
 143/tcp    open  imap2
 540/tcp    open  uucp
 6667/tcp   open  irc
 12345/tcp  open  NetBus
 12346/tcp  open  NetBus
 31337/tcp  open  Elite
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controls them?
 
 Matthias
 




Re: who owns the ports?

2001-02-07 Thread hpknight

I find the netstat program to be much more useful and accurate than nmap
when determining what ports are doing what on your system.  For example:

# netstat -nlp | grep LISTEN
tcp   0   0 0.0.0.0:515        0.0.0.0:*   LISTEN   16891/lpd Waiting
tcp   0   0 192.168.24.1:139   0.0.0.0:*   LISTEN   11727/smbd
tcp   0   0 127.0.0.1:139      0.0.0.0:*   LISTEN   11727/smbd
tcp   0   0 0.0.0.0:40496      0.0.0.0:*   LISTEN   5855/licq
tcp   0   0 0.0.0.0:113        0.0.0.0:*   LISTEN   336/oidentd
snip

It tells you what IP/port is bound, and the PID and name of the process
using it.  On occasion you will find a PID without a process name
attached to it, but you can easily figure this out with a ps list :)

If you start noticing major discrepancies between nmap and netstat
(ex. nmap shows port 666 open but netstat doesn't) you may be in for a bit
of trouble.  Rootkits will change system binaries such as netstat, ps, ls,
du, login, etc in order to hide certain processes.  If netstat or any
other critical binary has been compromised, then you may be missing
something in the output.  This is a whole other matter, much more serious
than a rogue fingerd ;)

--Henry

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp     open  finger
 119/tcp    open  nntp
 143/tcp    open  imap2
 540/tcp    open  uucp
 6667/tcp   open  irc
 12345/tcp  open  NetBus
 12346/tcp  open  NetBus
 31337/tcp  open  Elite
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controls them?
 
 Matthias
 
--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
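The nmap-versus-netstat discrepancy Henry describes, as an added example that is not code from the thread: a small POSIX sh script that parses the LISTEN lines of "netstat -nlp" output, parses the "PORT/tcp open NAME" lines of a scan, and prints every scanned-open port that no local listener accounts for. The two inputs are constructed sample text in the format of the real tools (the netstat lines follow the ones Henry posted, the scan lines the ones Matthias posted); the function names are assumptions.

```sh
#!/bin/sh
# Added example (not code from the thread): compare the listening ports that a
# local "netstat -nlp" reports with the ports an external scan saw open, and
# flag scanned-open ports that no local listener accounts for. Such a gap is
# the discrepancy described in the thread: either something like portsentry is
# answering on those ports (the harmless case here) or the local view has been
# tampered with. Both inputs below are constructed sample text in the format
# of the real tools; the function names are assumptions.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      16891/lpd Waiting
tcp        0      0 192.168.24.1:139        0.0.0.0:*               LISTEN      11727/smbd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      11727/smbd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      336/oidentd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
'

SAMPLE_SCAN='Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
139/tcp    open        netbios-ssn
515/tcp    open        printer
31337/tcp  open        Elite
'

# netstat_listeners: stdin = "netstat -nlp" output; prints "PORT PID/PROGRAM"
# for each TCP LISTEN line. IPv4 only: the port is the text after the last ':'
# of the local address. "-" means netstat could not identify the owner (not root).
netstat_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":"); print a[n], ($7 == "" ? "-" : $7)
         }' | sort -n -u
}

# scanner_ports: stdin = scanner output with lines "PORT/tcp open NAME"; prints PORT
scanner_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, a, "/"); print a[1] }' | sort -n -u
}

# unexplained_ports NETSTAT_FILE SCAN_FILE
#   prints each scanned-open port with no local listener; returns 1 if there is any
unexplained_ports() {
    listening=$(netstat_listeners < "$1" | cut -d' ' -f1)
    found=0
    for p in $(scanner_ports < "$2"); do
        if printf '%s\n' "$listening" | grep -qx "$p"; then
            continue
        fi
        echo "$p"
        found=1
    done
    [ "$found" -eq 0 ]
}

# run_sample: run the check over the constructed samples (usage demonstration)
run_sample() {
    d=$(mktemp -d)
    printf '%s' "$SAMPLE_NETSTAT" > "$d/netstat.txt"
    printf '%s' "$SAMPLE_SCAN" > "$d/scan.txt"
    unexplained_ports "$d/netstat.txt" "$d/scan.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

On the samples the script reports 31337 and nothing else: 22, 113, 139 and 515 all have a listener in the netstat view. Take the netstat listing as root, since the PID/Program column reads "-" for processes you do not own, and treat an unexplained port as a lead rather than a verdict: in this thread the explanation was portsentry, but when the netstat binary on the host has been replaced, the local view is the part you cannot trust, so a listing taken with a netstat from clean media carries more weight than one from the host.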




Re: who owns the ports?

2001-02-07 Thread Tom Breza

Maybe you are running portsentry?

siaraX

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp     open  finger
 119/tcp    open  nntp
 143/tcp    open  imap2
 540/tcp    open  uucp
 6667/tcp   open  irc
 12345/tcp  open  NetBus
 12346/tcp  open  NetBus
 31337/tcp  open  Elite
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controls them?
 
 Matthias
 
 -- 
 **
 * Matthias G.Imhof, Ph.D.  phone: (540) 231 6004 *
 * Derring Hall 4044fax:   (540) 231 3386 *
 * Virginia Techemail: [EMAIL PROTECTED] *
 * Blacksburg, VA 24061-0420 http://www.geol.vt.edu/profs/mgi *
 * There is no dark side of the moon really. Matter of fact it's all dark *
 **
 
 
 --  
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
 
 
 
 
 


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: who owns the ports?

2001-02-07 Thread Carl Brock Sides

* Matthias G. Imhof [EMAIL PROTECTED] [010207 15:32]:

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp     open  finger
 119/tcp    open  nntp
 143/tcp    open  imap2
 540/tcp    open  uucp
 6667/tcp   open  irc
 12345/tcp  open  NetBus
 12346/tcp  open  NetBus
 31337/tcp  open  Elite
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controls them?

My immediate guess, upon seeing anything running on 31337, is that
you've been "0wn3d", as the script kiddies put it, and maybe lsof has
been trojaned not to list the attacker's processes.

You are running lsof as root, right? It won't show you everything as an
ordinary user.

You don't say what version of Debian you're running. If you're running
potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:

be8cf28300c29db5dffbea19fd613abf  /usr/sbin/lsof

If that's not it, it's a trojan. I'd guess that other useful tools for
finding out what's going on, e.g. ls and ps and fuser, have been
trojaned as well. (Although you might want to try "fuser 31337/tcp",
maybe the attacker forgot about it.)

Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
interested in further investigation.

-- 
Brock Sides
[EMAIL PROTECTED]

The original plan [for GNOME] was to aim to make a desktop as good as 
the Macintosh, and we should not lower our ambition by making one 
merely as good as Windows. -- RMS 






Re: who owns the ports?

2001-02-07 Thread Matthias G. Imhof

Running lsof as root or various versions of netstat showed that portsentry owns
these ports :-)

Thanks everyone for replying so quickly!

Matthias
-- 
**
* Matthias G.Imhof, Ph.D.  phone: (540) 231 6004 *
* Derring Hall 4044fax:   (540) 231 3386 *
* Virginia Techemail: [EMAIL PROTECTED] *
* Blacksburg, VA 24061-0420 http://www.geol.vt.edu/profs/mgi *
* There is no dark side of the moon really. Matter of fact it's all dark *
**






Re: who owns the ports?

2001-02-07 Thread Bradley M Alexander

On Wed, Feb 07, 2001 at 05:12:48PM -0500, Matthias G. Imhof wrote:
 Running lsof as root or various versions of netstat showed that portsentry owns
 these ports :-)

This is quite true. I remember now that I had the same issue come up when I
set up portsentry. If you run it in -tcp and/or -udp mode, it will appear
that these ports are listening. However if you switch to advanced mode
(-atcp and/or -audp), these ports will not respond.

-- 
--Brad

Bradley M. Alexander, CISSP  |   Co-Chairman,
Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
Winstar Telecom  |   [EMAIL PROTECTED]
(703) 889-1049   |   [EMAIL PROTECTED]

I've had fun before. This isn't it.






who owns the ports?

2001-02-07 Thread Matthias G. Imhof
Performing strobe or nmap on my system, I get, e.g., the following list:

79/tcp     open  finger
119/tcp    open  nntp
143/tcp    open  imap2
540/tcp    open  uucp
6667/tcp   open  irc
12345/tcp  open  NetBus
12346/tcp  open  NetBus
31337/tcp  open  Elite

However, lsof -i tcp:79 yields nothing. Similarly with the others.
In addition, there should be no irc running, finger is commented from the
inetd.conf, and so on.

Why do these ports respond to strobe or nmap? Which process controls them?

Matthias

-- 
**
* Matthias G.Imhof, Ph.D.  phone: (540) 231 6004 *
* Derring Hall 4044fax:   (540) 231 3386 *
* Virginia Tech                email: [EMAIL PROTECTED]                *
* Blacksburg, VA 24061-0420 http://www.geol.vt.edu/profs/mgi *
* There is no dark side of the moon really. Matter of fact it's all dark *
**




Re: who owns the ports?

2001-02-07 Thread Physicman

Hi,

netstat is your friend, especially the -p option ;-)

Regards,

Chris

Matthias G. Imhof wrote:


Performing strobe or nmap on my system, I get, e.g., the following list:

79/tcp     open  finger
119/tcp    open  nntp
143/tcp    open  imap2
540/tcp    open  uucp
6667/tcp   open  irc
12345/tcp  open  NetBus
12346/tcp  open  NetBus
31337/tcp  open  Elite

However, lsof -i tcp:79 yields nothing. Similarly with the others.
In addition, there should be no irc running, finger is commented from the
inetd.conf, and so on.

Why do these ports respond to strobe or nmap? Which process controls them?

Matthias




--
Christopher `Physicman' Bodenstein
Open Source & Free Software Developers' European Meeting
Brussels 3 - 4 Feb. 2001 - http://www.osdem.org/
mailto:[EMAIL PROTECTED]



Re: who owns the ports?

2001-02-07 Thread Alexander Hvostov
Matthias,

netstat -atp | less

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-BEGIN GEEK CODE BLOCK-
Version: 3.12
GCS/CMCC/IT d- s:+ a16 C++()$ UL$ P--- L$ E+ W+(-) N+ o? K? 
w---() 
!O !M !V PS+(++)+ PE-(--) Y++ PGP t+++ !5 X-- R++ tv(+) b+(++) DI(+) D++ 
G+++ e-- h! !r y+++ 
--END GEEK CODE BLOCK--

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp openfinger  
 119/tcpopennntp
 143/tcpopenimap2   
 540/tcpopenuucp
 6667/tcp   openirc 
 12345/tcp  openNetBus  
 12346/tcp  openNetBus  
 31337/tcp  openElite   
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controlls them?
 
 Matthias
 
 -- 
 **
 * Matthias G.Imhof, Ph.D.  phone: (540) 231 6004 *
 * Derring Hall 4044fax:   (540) 231 3386 *
 * Virginia Techemail: [EMAIL 
 PROTECTED] *
 * Blacksburg, VA 24061-0420 http://www.geol.vt.edu/profs/mgi *
 * There is no dark side of the moon really. Matter of fact it's all dark *
 **
 
 
 --  
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
 



Re: who owns the ports?

2001-02-07 Thread hpknight
I find the netstat program to be much more useful and accurate than nmap
when determining what ports are doing what on your system.  For example:

# netstat -nlp | grep LISTEN
tcp0  0 0.0.0.0:515 0.0.0.0:*   LISTEN
16891/lpd Waiting   
tcp0  0 192.168.24.1:1390.0.0.0:*   LISTEN
11727/smbd  
tcp0  0 127.0.0.1:139   0.0.0.0:*   LISTEN
11727/smbd  
tcp0  0 0.0.0.0:40496   0.0.0.0:*   LISTEN
5855/licq   
tcp0  0 0.0.0.0:113 0.0.0.0:*   LISTEN
336/oidentd 
snip

It tells you what IP/port is bound, and the PID and name of the process
using it.  On occasion you will find an PID without a process name
attached to it, but you can easily figure this out with a ps list :)

If you start noticing major discrepancies between nmap and netstat
(ex. nmap shows port 666 open but netstat doesn't) you may be in for a bit
of trouble.  Rootkits will change system binaries such as netstat, ps, ls,
du, login, etc in order to hide certain processes.  If netstat or any
other critical binary has been compromised, then you maybe missing
something in the output.  This is a whole other matter, much more serious 
than a rogue fingerd ;)

--Henry

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp openfinger  
 119/tcpopennntp
 143/tcpopenimap2   
 540/tcpopenuucp
 6667/tcp   openirc 
 12345/tcp  openNetBus  
 12346/tcp  openNetBus  
 31337/tcp  openElite   
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controlls them?
 
 Matthias
 
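
The check Henry describes, as an added example that is not part of the original thread: parse `netstat -nlp` listeners and an nmap port table, then flag ports that answer from outside but have no local listener. Both sample outputs are constructed (the PIDs, the ssh line and the portsentry entry are made up), and the column layout assumed is the net-tools one quoted above.

```python
import re

# Constructed `netstat -nlp | grep LISTEN` output in the net-tools layout quoted
# in the thread; PIDs and the portsentry/ssh entries are made up for this example.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      16891/lpd Waiting
tcp        0      0 192.168.24.1:139        0.0.0.0:*               LISTEN      11727/smbd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      336/oidentd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4242/portsentry
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
"""

# Constructed nmap port table for the same host, scanned from another machine.
NMAP_SAMPLE = """\
PORT      STATE SERVICE
22/tcp    open  ssh
113/tcp   open  auth
139/tcp   open  netbios-ssn
515/tcp   open  printer
6667/tcp  open  irc
31337/tcp open  Elite
"""

# proto  recv-q  send-q  local:port  foreign  LISTEN  pid/program
NETSTAT_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s*(.*)$")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")

def parse_netstat(text):
    """Map each locally bound TCP port to its PID/program column ('-' if unknown)."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            listeners[int(m.group(2))] = m.group(3).strip() or "-"
    return listeners

def parse_nmap(text):
    """Collect the TCP ports nmap reports as open (header and other lines ignored)."""
    return {int(m.group(1)) for m in map(NMAP_RE.match, text.splitlines())
            if m and m.group(2) == "tcp"}

def compare(nmap_ports, listeners):
    """hidden: open from outside but no local listener, the rootkit case in the post;
    unowned: bound locally but no PID/program shown, so check with ps (as root)."""
    return {"hidden": sorted(nmap_ports - set(listeners)),
            "unowned": sorted(p for p, owner in listeners.items() if owner == "-")}

if __name__ == "__main__":
    print(compare(parse_nmap(NMAP_SAMPLE), parse_netstat(NETSTAT_SAMPLE)))
```

A port that netstat shows but nmap does not is usually just a firewall or a loopback-only bind; the hidden set is the one that matters, and even there the owner may turn out to be something benign such as portsentry, as it did later in this thread.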
 




Re: who owns the ports?

2001-02-07 Thread Tom Breza
Maybe u r running portsentry?

siaraX

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp     open  finger
 119/tcp    open  nntp
 143/tcp    open  imap2
 540/tcp    open  uucp
 6667/tcp   open  irc
 12345/tcp  open  NetBus
 12346/tcp  open  NetBus
 31337/tcp  open  Elite
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controls them?
 
 Matthias
 



Re: who owns the ports?

2001-02-07 Thread Carl Brock Sides
* Matthias G. Imhof [EMAIL PROTECTED] [010207 15:32]:

 Performing strobe or nmap on my system, I get, e.g., the following list:
 
 79/tcp     open  finger
 119/tcp    open  nntp
 143/tcp    open  imap2
 540/tcp    open  uucp
 6667/tcp   open  irc
 12345/tcp  open  NetBus
 12346/tcp  open  NetBus
 31337/tcp  open  Elite
 
 However, lsof -i tcp:79 yields nothing. Similarly with the others.
 In addition, there should be no irc running, finger is commented from the
 inetd.conf, and so on.
 
 Why do these ports respond to strobe or nmap? Which process controls them?

My immediate guess, upon seeing anything running on 31337, is that
you've been 0wn3d, as the script kiddies put it, and maybe lsof has
been trojaned not to list the attacker's processes.

You are running lsof as root, right? It won't show you everything as an
ordinary user.

You don't say what version of Debian you're running. If you're running
potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:

be8cf28300c29db5dffbea19fd613abf  /usr/sbin/lsof

If that's not it, it's a trojan. I'd guess that other useful tools for
finding out what's going on, e.g. ls and ps and fuser, have been
trojaned as well. (Although you might want to try fuser 31337/tcp,
maybe the attacker forgot about it.)

Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
interested in further investigation.

-- 
Brock Sides
[EMAIL PROTECTED]

The original plan [for GNOME] was to aim to make a desktop as good as 
the Macintosh, and we should not lower our ambition by making one 
merely as good as Windows. -- RMS 
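
Brock's md5sum comparison generalised to a whole manifest, as an added example that is not from the thread or from Debian: it parses `md5sum`-style `hash  path` lines and reports which files match, differ or are missing. The files and manifest are constructed in a temporary directory; the result is only as trustworthy as the interpreter and libraries it runs with, so run it from clean media rather than with the suspect host's own binaries.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=65536):
    """Hash a file in chunks; this is the value `md5sum` prints for it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse `md5sum` output: 32 hex digits, then '  ' (or ' *' for binary mode), then the path."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        digest, sep, path = line[:32], line[32:34], line[34:]
        if len(digest) != 32 or sep not in ("  ", " *") or not path:
            raise ValueError("malformed md5sum line: %r" % line)
        entries[path] = digest.lower()
    return entries

def verify(manifest, root="/"):
    """Check every manifest entry under `root`. A mismatch on a tool such as lsof is
    the 'it's a trojan' case from the post; a missing file deserves a look as well."""
    report = {"ok": [], "mismatch": [], "missing": []}
    for path, expected in sorted(manifest.items()):
        full = os.path.join(root, path.lstrip("/"))  # keep absolute paths under root
        if not os.path.isfile(full):
            report["missing"].append(path)
        elif md5_of(full) == expected:
            report["ok"].append(path)
        else:
            report["mismatch"].append(path)
    return report

def demo():
    """Constructed fixture in a temp dir: one intact file, one altered, one absent."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/sbin"))
    os.makedirs(os.path.join(root, "bin"))
    lsof, ps = os.path.join(root, "usr/sbin/lsof"), os.path.join(root, "bin/ps")
    with open(lsof, "wb") as f: f.write(b"#!/bin/sh\necho lsof\n")
    with open(ps, "wb") as f: f.write(b"#!/bin/sh\necho ps (tampered)\n")
    manifest = parse_manifest(md5_of(lsof) + "  /usr/sbin/lsof\n"
                              "d41d8cd98f00b204e9800998ecf8427e  /bin/ps\n"  # md5 of an empty file
                              "00000000000000000000000000000000  /bin/netstat\n")  # placeholder hash
    return verify(manifest, root)
```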



Re: who owns the ports?

2001-02-07 Thread Matthias G. Imhof
Running lsof as root or various versions of netstat showed that portsentry owns
these ports :-)

Thanks everyone for replying so quickly!

Matthias
-- 
**************************************************************************
* Matthias G.Imhof, Ph.D.       phone: (540) 231 6004                    *
* Derring Hall 4044             fax:   (540) 231 3386                    *
* Virginia Tech                 email: [EMAIL PROTECTED]                 *
* Blacksburg, VA 24061-0420     http://www.geol.vt.edu/profs/mgi         *
* There is no dark side of the moon really. Matter of fact it's all dark *
**************************************************************************



Re: who owns the ports?

2001-02-07 Thread Philipe Gaspar
On Wednesday 07 February 2001 19:57, Tom Breza wrote:
 Maybe u r running portsentry?
I don't think so, portsentry opens more ports!

 siaraX

  Performing strobe or nmap on my system, I get, e.g., the following list:
 
  79/tcp     open  finger
  119/tcp    open  nntp
  143/tcp    open  imap2
  540/tcp    open  uucp
  6667/tcp   open  irc
  12345/tcp  open  NetBus
  12346/tcp  open  NetBus
  31337/tcp  open  Elite
 
  However, lsof -i tcp:79 yields nothing. Similarly with the others.
  In addition, there should be no irc running, finger is commented from the
  inetd.conf, and so on.
 
  Why do these ports respond to strobe or nmap? Which process controls
  them?
 
  Matthias
 



Re: who owns the ports?

2001-02-07 Thread Bradley M Alexander
On Wed, Feb 07, 2001 at 05:12:48PM -0500, Matthias G. Imhof wrote:
 Running lsof as root or various versions of netstat showed that portsentry
 owns these ports :-)

This is quite true. I remember now that I had the same issue come up when I
set up portsentry. If you run it in -tcp and/or -udp mode, it will appear
that these ports are listening. However if you switch to advanced mode
(-atcp and/or -audp), these ports will not respond.

-- 
--Brad

Bradley M. Alexander, CISSP  |   Co-Chairman,
Beowulf System Admin/Security Specialist |NoVALUG/DCLUG Security SIG
Winstar Telecom  |   [EMAIL PROTECTED]
(703) 889-1049   |   [EMAIL PROTECTED]

I've had fun before. This isn't it.