Thanks to all. Frankly, what's most worrisome to me is that 1025 appears open, where other ports are not:

nujoma:~# nmap -sS -vv localhost

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Host nujoma (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against nujoma (127.0.0.1)
Adding open port 37/tcp
Adding open port 111/tcp
Adding open port 113/tcp
Adding open port 512/tcp
Adding open port 514/tcp
Adding open port 1025/tcp
Adding open port 13/tcp
Adding open port 513/tcp
Adding open port 515/tcp
Adding open port 79/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 9/tcp
Adding open port 53/tcp
The SYN Stealth Scan took 2 seconds to scan 1554 ports.
Interesting ports on nujoma (127.0.0.1):
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
53/tcp     open        domain
79/tcp     open        finger
111/tcp    open        sunrpc
113/tcp    open        auth
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
1025/tcp   open        listen

Why would 1025 be open?

ap
----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
[EMAIL PROTECTED] * andrew_perrin (at) unc.edu

On Mon, 24 May 2004, Jeff Bollinger wrote:

> Andrew Perrin wrote:
>
> > Yes, but stopping samba doesn't seem to close port 1025. It looks, from
> > further investigation, like it's attempts (probably failed) to mount
> > directories via nfs, which I don't like but am not terribly worried about:
> >
> > nujoma:/var/log# lsof -i TCP:1025
> > COMMAND   PID USER FD  TYPE DEVICE SIZE NODE NAME
> > rpc.mount 671 root 4u  IPv4   2750      TCP *:1025 (LISTEN)
> > rpc.mount 671 root 6u  IPv4  13940      TCP (me, external interface):1025->user-24-214-178-146.knology.net:3821 (ESTABLISHED)
> > rpc.mount 671 root 7u  IPv4  17011      TCP (me, external interface):1025->user-0c8gjqu.cable.mindspring.com:4742 (ESTABLISHED)
> >
> > ----------------------------------------------------------------------
> > Andrew J Perrin - http://www.unc.edu/~aperrin
> > Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> > [EMAIL PROTECTED] * andrew_perrin (at) unc.edu
>
> You're probably getting attacked with a remnant of the Sasser worm. It
> attaches to port 1025/tcp and attempts to execute code.
>
> Jeff

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
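The cross-check this thread does by hand (nmap says a port is open, lsof says who owns it), as an added example that is not part of the original thread: it joins nmap's open-port table with the LISTEN rows of `lsof -i` and flags ports that deserve a second look. The sample output is constructed and modelled on the listings above; the sshd/portmap rows and the addresses are made up.

```python
import re

# Constructed sample output, modelled on the nmap and lsof listings in the thread.
NMAP_OUTPUT = """\
Port       State       Service
22/tcp     open        ssh
111/tcp    open        sunrpc
1025/tcp   open        listen
"""

LSOF_OUTPUT = """\
COMMAND   PID USER FD  TYPE DEVICE SIZE NODE NAME
sshd      412 root 3u  IPv4   1201      TCP *:22 (LISTEN)
portmap   388 root 4u  IPv4   1150      TCP *:111 (LISTEN)
rpc.mount 671 root 4u  IPv4   2750      TCP *:1025 (LISTEN)
rpc.mount 671 root 6u  IPv4  13940      TCP 10.0.0.5:1025->203.0.113.9:3821 (ESTABLISHED)
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_nmap_open_ports(text):
    """Return {port: service_name} for every 'open' row of an nmap port table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(3)
    return ports


def parse_lsof_listeners(text):
    """Return {port: (command, pid)} for LISTEN rows of `lsof -i` output.
    The SIZE column is usually blank, so split on whitespace and read from the end."""
    listeners = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 3 or t[-1] != "(LISTEN)":
            continue
        port = int(t[-2].rsplit(":", 1)[1])   # NAME looks like '*:1025'
        listeners[port] = (t[0], int(t[1]))
    return listeners


def explain_open_ports(nmap_text, lsof_text):
    """Attach the owning process to each open port. A port above 1024 or one
    with no listener found is marked for review. RPC daemons such as rpc.mountd
    take whatever port portmap assigns, so a high port owned by rpc.* is
    expected; `rpcinfo -p` confirms the registration."""
    owners = parse_lsof_listeners(lsof_text)
    report = {}
    for port, service in sorted(parse_nmap_open_ports(nmap_text).items()):
        cmd, pid = owners.get(port, ("<unknown>", None))
        report[port] = {"service": service, "command": cmd, "pid": pid,
                        "review": port > 1024 or cmd == "<unknown>"}
    return report
```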
