On Jan 19, 2004, at 9:18 PM, B_o_B wrote:

> Monday, January 19, 2004   @   9:16:09 PM Central Standard Time
>
> B> The first thing I'd do is run a 'netstat -anp |grep LISTEN' on the box in
> B> question.  If these ports don't show up in netstat, but they do in nmap,
> B> you probably have a trojaned copy of netstat, a good indication that
> B> unwelcome things are living on your box.
>
> B> If they do show up, you'll be able to see which processes are opening
> B> these ports.  Usually this jogs memories and you'll remember that weird
> B> thing you installed because package A depends on it.
>
> B> Good luck!
>
> B> -Brian
>
> Hello, and a good day to all.  Many thanks to those who responded to me.
> I did some more checking, and came up with more weird info.
>
> I was able to track down the mystery port 690.  This was for some 3rd
> party bs I tried to install to be used with the webmail server.  I
> never got it to work, so I took it out of there.  Port 690 lives no
> longer.
>
> I still have a couple mysteries though:
>
> First I ran nmap from a machine at my house on the 2 boxes in question
> at work, and came up with this:
> box 1 in question:
> showed correct ports + mystery port 1720
> box 2 in question:
> showed correct ports + mystery port 1720
>

The BIND control channel (for rndc) often runs on port 953.  The
interfaces that it's available on are specified in your configuration.

Port 1720 is often used for H.323.  If you have some gateway which is
capable of doing the appropriate fixups for H.323 messages through NAT,
etc., you might want to check on this, especially in light of the
recently disclosed H.323 vulnerabilities.


> I then ran nmap from Box 1.
> localhost reported = correct ports.  did not show the mystery 1720, 
> but showed port 953 now.
> box 2
> showed the correct reading, did not show mystery port
>
> I then ran nmap from box 2
> localhost reported = correct ports, but showed port 953 now
> box 1
> showed the proper ports.  no mystery port 1720, or no 953
>
> for the record, the correct ports are
> box 1 = 21, 22, 25, 53, 80, 110, 143
> box 2 = 22, 53
>
> I then tried:
> netstat -anp | grep LISTEN
> on the boxes in question:
> box 1 reported: 21 22 25 53 80 110 143 & 953 (says named is using 953)
> box 2 reported: 22 53 & 953
>
> This is my first time ever running a name server.  I am using bind.  
> Is this 953 port legit?
>
> I went through the logs on both boxes, and didn't see anything funny.
>
> Why is it that port 1720 shows up when I scan the boxes from my house, 
> and it doesn't show up when I check them locally?
>
> Am I in trouble, or just being paranoid?
>
> Many Thanks,
>
> Robert (aka B_o_B) David Felix De Mars
> West Longitude 90' 15' 43"
> http://b-o-b.homelinux.com
>
> *********************************************************
>
> Friday, January 16, 2004, 9:52:25 PM, you wrote:
>
>>> I work for our Internet related services.  I like to use nmap to make
>>> sure I am running only the services I need.  While nmap'n both these
>>> boxes today I noticed something I have not seen before.
>
-- 
steve ulrich                       sulrich at botwerks.org
PGP: 8D0B 0EE9 E700 A6CF ABA7  AE5F 4FD4 07C9 133B FAFC


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
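The reasoning in this thread (ports that nmap sees but netstat does not point at a trojaned netstat; ports seen only from outside point at something between the scanner and the box; port 953 is legitimate only if named's control channel is bound where you expect) can be turned into a repeatable check. The script below is an added example and is not from the thread or from any of the posters. It works entirely on constructed sample text shaped like `netstat -anp` output, `nmap -oG` (grepable) output and a named.conf `controls` stanza; the hostnames, PIDs, the 192.0.2.10 address and the "rndc-key" name are made up, and nothing in it touches the live system.

```shell
#!/bin/sh
# Added example, not part of the thread: reconcile the three views of a box
# that the thread compares (netstat on the host, nmap run locally, nmap run
# from outside) and classify the discrepancies. Every input below is
# constructed sample text in the shape of the real tools' output; nothing
# here scans or reads the live system. Hostnames, addresses and PIDs are
# made up (192.0.2.10 is a documentation address).

# netstat -anp | grep LISTEN on "box 1" (constructed). 953 is named's rndc
# control channel, bound to loopback only.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 812/proftpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 790/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 901/sendmail
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 845/named
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 950/httpd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 880/ipop3d
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 881/imapd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 845/named'

# The same box as a trojaned netstat might report it: the 953 listener is
# simply missing from the output (constructed by dropping that line).
NETSTAT_HIDDEN_SAMPLE=$(printf '%s\n' "$NETSTAT_SAMPLE" | grep -v ':953 ')

# nmap -oG - (grepable) host lines, constructed. The scan of 127.0.0.1 sees
# 953; the scan from an outside host does not, but sees 1720 instead.
NMAP_LOCAL_SAMPLE='Host: 127.0.0.1 (localhost) Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/open/tcp//smtp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///, 143/open/tcp//imap///, 953/open/tcp//rndc///'
NMAP_REMOTE_SAMPLE='Host: 192.0.2.10 (box1.example) Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/open/tcp//smtp///, 53/open/tcp//domain///, 80/open/tcp//http///, 110/open/tcp//pop3///, 143/open/tcp//imap///, 1720/open/tcp//h323q931///'

# A named.conf controls stanza as it should look (loopback only, keyed) and a
# weak one that listens on every interface (both constructed).
NAMED_CONF_OK='options { directory "/var/named"; };
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};'
NAMED_CONF_WEAK='controls {
    inet * port 953 allow { any; };
};'

# "port bind-address program" for each LISTEN line of netstat -anp output.
netstat_ports() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print port, addr, $7 }'
}

# Open TCP port numbers from nmap -oG output, one per line, ascending.
nmap_open_ports() {
    printf '%s\n' "$1" | sed -n 's/.*Ports: //p' | tr ',' '\n' \
        | awk -F/ '$2 == "open" && $3 == "tcp" { gsub(/ /, "", $1); print $1 }' \
        | sort -n
}

# Lines of list $2 that do not appear in list $1 (newline-separated lists).
set_diff() {
    { printf '%s\n' "$1"; printf '@@\n'; printf '%s\n' "$2"; } \
        | awk '$0 == "@@" { second = 1; next }
               !second   { seen[$0] = 1; next }
               !($0 in seen)'
}

# Open in a scan of the host itself but absent from its netstat: the thread's
# trojaned-netstat signal.  $1 netstat output, $2 local nmap output.
open_but_not_listening() {
    set_diff "$(netstat_ports "$1" | awk '{ print $1 }')" "$(nmap_open_ports "$2")"
}

# Seen only from outside: the host is not listening, so a device in the path
# (a NAT box or firewall with an H.323 ALG, say) is answering on its behalf.
# $1 local nmap output, $2 remote nmap output.
remote_only_ports() { set_diff "$(nmap_open_ports "$1")" "$(nmap_open_ports "$2")"; }

# Seen only locally: a loopback-bound daemon, or a port filtered upstream.
local_only_ports()  { set_diff "$(nmap_open_ports "$2")" "$(nmap_open_ports "$1")"; }

# Addresses named's control channel is bound to, per netstat; anything other
# than a loopback address means rndc is reachable from the network.
rndc_bind_addresses() { netstat_ports "$1" | awk '$1 == "953" { print $2 }'; }

# inet addresses in the controls stanza of a named.conf; "*" means every
# interface.
controls_inet_addresses() {
    printf '%s\n' "$1" | sed -n '/^controls/,/^};/p' | awk '$1 == "inet" { print $2 }'
}

# Run the checks against the constructed samples.
report() {
    echo "open locally but hidden from netstat: $(open_but_not_listening "$NETSTAT_HIDDEN_SAMPLE" "$NMAP_LOCAL_SAMPLE" | tr '\n' ' ')"
    echo "seen from outside only:              $(remote_only_ports "$NMAP_LOCAL_SAMPLE" "$NMAP_REMOTE_SAMPLE" | tr '\n' ' ')"
    echo "seen locally only:                   $(local_only_ports "$NMAP_LOCAL_SAMPLE" "$NMAP_REMOTE_SAMPLE" | tr '\n' ' ')"
    echo "rndc bound to:                       $(rndc_bind_addresses "$NETSTAT_SAMPLE")"
    echo "controls inet (weak conf):           $(controls_inet_addresses "$NAMED_CONF_WEAK")"
}
report
```

To use it for real, replace the sample strings with the live output of `netstat -anp | grep LISTEN` on the box, `nmap -oG - -p- 127.0.0.1` run on the box, and the same nmap run from an outside host. The "seen from outside only" class is where a port like 1720 lands: since the host's own netstat and local scan both lack it, the reply above's suggestion of a NAT or H.323-aware gateway in the path is the thing to check. The "open locally but hidden from netstat" class is Brian's trojaned-netstat case, and a second opinion from a statically linked copy of netstat or from `ss`/`lsof -i` carried in on clean media is worth more than the installed binary. For 953, the `controls` stanza in named.conf decides the address, as the reply says; anything but a loopback address, or an `allow { any; }` without keys, should be corrected.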