Hi,

running nmap lately on my host revealed some open ports which I couldn't really identify:

1) port 1987 with service named something like "trsrb-p1" (don't remember the name exactly, since the open port vanished after a while)
2) port 1024 with service "unknown"

What are those ports used for? Especially the first one with that strange name I have never seen so far... I couldn't find any hints in /etc/inetd.conf nor in /etc/services.

Regards, Marko

> running nmap lately on my host revealed some open ports which I couldn't really identify:
> 1) port 1987 with service named something like "trsrb-p1" (don't remember the name exactly, since the open port vanished after a while)
> 2) port 1024 with service "unknown"

If you find "unknown" ports open, try "netstat -anp" to find out. Maybe this should be included in the FAQ?

> I couldn't find any hints in /etc/inetd.conf nor in /etc/services.

Forget /etc/services for "real" information. It is just a lookup table for names of common services, but ports > 1024 can be opened by any user and any application, and therefore the information is quite useless. Especially because the port range from 1024 .. 4999 is used for client connections (for 2.2.x kernels, 2.4.x use >32000)

hth
Markus
--
 _____________________________
/"\  Markus Gaugusch  ICQ 11374583
\ /  ASCII Ribbon Campaign  markus@gaugusch.dhs.org
 X   Against HTML Mail
/ \

Better do some intrusion detection. It could be a root shell or trojan bound to that port that the intruder removed after you scanned yourself. Also lsof and netstat should help you find which user owns whatever process is bound to that port.

On Mon, 30 Apr 2001, Marko Kaening wrote:

> Hi,
>
> running nmap lately on my host revealed some open ports which I couldn't really identify:
>
> 1) port 1987 with service named something like "trsrb-p1" (don't remember the name exactly, since the open port vanished after a while)
> 2) port 1024 with service "unknown"
>
> What are those ports used for? Especially the first one with that strange name I have never seen so far... I couldn't find any hints in /etc/inetd.conf nor in /etc/services.
>
> Regards, Marko
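
The information that "netstat -anp" and lsof report in the two replies above (listening port, owning user, owning process) can also be read straight from /proc/net/tcp on Linux. The following is an added example, not code posted by anyone in this thread; the sample table and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list listening TCP sockets from
# text in /proc/net/tcp layout, with the owning UID and the socket inode.

# Constructed sample in /proc/net/tcp layout.
# Column "st": 0A = LISTEN, 01 = ESTABLISHED. Ports are hexadecimal.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07C3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4711 1 c0de0000 300 0 0 2 -1
   1: 00000000:0400 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 4712 1 c0de0040 300 0 0 2 -1
   2: 0100007F:0401 0100007F:0016 01 00000000:00000000 00:00000000 00000000   500        0 4713 1 c0de0080 300 0 0 2 -1
EOF
}

# list_listeners: read /proc/net/tcp text on stdin and print
# "port uid inode" for every socket in LISTEN state.
list_listeners() {
    while read -r sl laddr raddr state queues timer retr uid timeout inode rest; do
        [ "$state" = "0A" ] || continue     # skips the header and non-listeners
        port=$((0x${laddr##*:}))            # hex port after the colon -> decimal
        echo "$port $uid $inode"
    done
}

# pid_for_inode: print the PID that holds socket:[inode] by walking
# /proc/<pid>/fd. Other users' processes are only visible to root,
# the same restriction that applies to "netstat -p".
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
        return 0
    done
    return 1
}

# Demo on the constructed sample. On a live host, as root:
#   list_listeners < /proc/net/tcp
# and then pid_for_inode <inode> for any port nobody can explain.
sample_proc_net_tcp | list_listeners
```

A listener whose UID is 0 and whose PID has no matching package or init script is the case the intrusion-detection advice above is about.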

Since this seems to be such a FAQ, here's a script that lets you search the known-port list by a port number or string. E.g.,

$ ./port 666
mdqs 666/tcp
mdqs 666/udp
doom 666/tcp doom Id Software
doom 666/udp doom Id Software
$ ./port -s imap
imap 143/tcp Internet Message Access Protocol
:
imaps 993/udp imap4 protocol over TLS/SSL

Save the following to file, chmod +x it, and change the known_ports variable to whatever's appropriate. Then run ./port -u to create the known-ports file with all of the cruft removed. Enjoy.

------------------------ port -------------------------------------
#!/usr/bin/bash
# ckm
# searches the known-port list for either a port number or
# a string.  The 'u' option updates $known_ports from
# http://www.isi.edu/in-notes/iana/assignments/port-numbers
# todo: make the grep more flexible (pass it a regex, additional options)
#       add an fuser option to show what processes are using the specified port

# change this
known_ports=$HOME/doc/port-numbers
update_url="http://www.isi.edu/in-notes/iana/assignments/port-numbers"
usage="Usage: port [-s|-u] string | port number"

if [ "$#" = 0 ]; then
    echo "$usage"
    exit 1
fi

while getopts "hsu" opt; do
    case $opt in
        s ) have_string=true ;;
        # keep only the lines that carry a port/protocol entry
        u ) lynx -source "$update_url" | egrep -i '^.*[0-9]\/' >| "$known_ports"
            exit "$?" ;;
        * ) echo "$usage"
            exit 1 ;;
    esac
done

if [ ! -f "$known_ports" ]; then
    echo "Create $known_ports with ./port -u first"
    exit 1
fi

shift $((OPTIND - 1))

# nothing left to search for after the options
if [ "$#" = 0 ]; then
    echo "$usage"
    exit 1
fi

if [ ! "$have_string" = true ]; then
    # port number: match "<number>/" at a word boundary
    grep "\b$1/" "$known_ports"
    exit_status="$?"
else
    # string: fixed-string, case-insensitive match on all remaining words
    string="$*"
    grep -Fi -- "$string" "$known_ports"
    exit_status="$?"
fi

exit "$exit_status"

participants (4): Christopher Mahmood, Marko Kaening, Markus Gaugusch, semat