Hello list! I'm in the process of tightening up my system - thanks to this list I've already found several screws to turn ... but nmap shows me a strange service running that looks highly suspicious to me. What on earth is blackjack on port 1025/udp? The unknown service on port 1024/udp also looks suspicious to me.

Many thanks, regards, Uli

Here is what nmap reported:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host localhost (127.0.0.1) appears to be up ... good.
Initiating SYN half-open stealth scan against localhost (127.0.0.1)
Adding TCP port 25 (state open).
Adding TCP port 119 (state open).
Adding TCP port 80 (state open).
Adding TCP port 110 (state open).
Adding TCP port 23 (state open).
Adding TCP port 53 (state open).
Adding TCP port 111 (state open).
Adding TCP port 113 (state open).
Adding TCP port 8080 (state open).
Adding TCP port 139 (state open).
The SYN scan took 3 seconds to scan 1541 ports.
Initiating FIN,NULL, UDP, or Xmas stealth scan against localhost (127.0.0.1)
The UDP or stealth FIN/NULL/XMAS scan took 10 seconds to scan 1541 ports.
For OSScan assuming that port 23 is open and port 1 is closed and neither are firewalled
Interesting ports on localhost (127.0.0.1):
(The 3063 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
25/tcp     open        smtp
53/tcp     open        domain
53/udp     open        domain
67/udp     open        bootps
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
111/udp    open        sunrpc
113/tcp    open        auth
119/tcp    open        nntp
137/udp    open        netbios-ns
138/udp    open        netbios-dgm
139/tcp    open        netbios-ssn
161/udp    open        snmp
1024/udp   open        unknown
1025/udp   open        blackjack
3130/udp   open        squid-ipc
8080/tcp   open        http-proxy

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=6946651 (Good luck!)
Sequence numbers: D21ADDF5 D21ADDF5 D15DB363 D15DB363 D24C7F62 D24C7F62
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 16 seconds

___________________________
Disclaimer: The opinions expressed here are not those of my employer, my wife, my church, or myself... But they are the opinions of Elvis as revealed to me through the medium of my pet hamster, Lee Harvey Oswald...
The language used on this list is English: please repeat your question in English for all the people who do not understand German.

Regards, Guido

On 02-Dec-00 U. Schneider wrote:
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
------------------------------------------------
Dipl.-Met. Guido Tschakert
E-Mail: guido.tschakert@uni-bonn.de
Meteorologisches Institut der Universitaet Bonn
Auf dem Huegel 20, 53121 Bonn
Tel.: ++49 228 / 73 - 5101
------------------------------------------------
Here's my translation: "I'm in the process of hardening my system - thanks to this list I've already found several screws to tighten ... but nmap shows me an unusual service that's running that looks highly suspicious to me. What is "blackjack" on port 1025/udp? Also suspicious is the unknown service on port 1024/udp?"

Uli: To identify what these services are you can try running lsof (as root) on the system; it should be able to tell you which processes have these ports open:

lsof -iUDP:1024 -iUDP:1025

man 8 lsof for more info.

Hope this helps,
John Ritchie

On Sat, 2 Dec 2000, U. Schneider wrote:
Hi, On Sat, 02 Dec 2000, you wrote:
"I'm in the process of hardening my system -
Good luck. You still have a way to go ... ;-)
thanks to this list I've already found several screws to tighten ... but nmap shows me an unusual service that's running that looks highly suspicious to me. What is "blackjack" on port 1025/udp? Also suspicious is the unknown service on port 1024/udp?"
Try (as root) "lsof -i" or "netstat -ap" to find processes allocating tcp/udp ports. My guess is that it is either a dynamically allocated rpc service, or some server process unable to bind to a privileged port and thus using the first unprivileged (1025) port. On AIX systems smux/network blackjack services are often started by default. They should not be on a Linux system, though. There are several trojan horses known to also bind to port 1025, namely NetSpy, Maverick's Matrix, and RemoteStorm.

If you really want to tighten your system, consider the majority of the remaining open ports as _huge_ security risks. Most of them are either unnecessary (telnet can easily be replaced with ssh, and what's the point in running both SMTP and POP servers?) Add to that name service, web, portmap, samba, snmp and you easily turn your machine into a cracker's paradise ... ;-) At least services like these should be decentralized and moved to dedicated machines. One single exploited security hole will compromise all your services.
This is what nmap returns:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host localhost (127.0.0.1) appears to be up ... good.
Initiating SYN half-open stealth scan against localhost (127.0.0.1)
Adding TCP port 25 (state open).
Adding TCP port 119 (state open).
Adding TCP port 80 (state open).
Adding TCP port 110 (state open).
Adding TCP port 23 (state open).
Adding TCP port 53 (state open).
Adding TCP port 111 (state open).
Adding TCP port 113 (state open).
Adding TCP port 8080 (state open).
Adding TCP port 139 (state open).
... snip ...
Regards, Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
E-Mail (work): lewelin@uni-muenster.de
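John's lsof suggestion and Martin's netstat/rpcinfo reasoning put together as one check. This is an added example, not code from the thread or from any of the posters: it reads a `netstat -anup` listing and an `rpcinfo -p` listing, maps a UDP port to the process that owns it, and says whether the port is a dynamically assigned RPC registration (Martin's first guess) or an ordinary daemon that picked an unprivileged port (his second). The two listings embedded below are constructed samples with invented PIDs and program names, and the function names are mine; on a real host you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example: explain an unexplained UDP port by joining the process table
# (netstat -anup) with the portmapper's registrations (rpcinfo -p).

# Constructed sample of `netstat -anup`; not captured from the poster's host.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:53              0.0.0.0:*                           412/named
udp        0      0 0.0.0.0:111             0.0.0.0:*                           201/portmap
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           233/rpc.statd
udp        0      0 0.0.0.0:1025            0.0.0.0:*                           412/named'

# Constructed sample of `rpcinfo -p`; port 1024 is a dynamic RPC assignment.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   udp    111  portmapper
    100024    1   udp   1024  status'

# On a real host override these, e.g.  NETSTAT_OUT=$(netstat -anup) RPCINFO_OUT=$(rpcinfo -p)
NETSTAT_OUT=${NETSTAT_OUT:-$SAMPLE_NETSTAT}
RPCINFO_OUT=${RPCINFO_OUT:-$SAMPLE_RPCINFO}

# owner_of_udp_port PORT : reads a netstat listing on stdin and prints the
# "PID/program" of the UDP socket bound to PORT, or "unknown" if none is listed.
owner_of_udp_port() {
    awk -v port="$1" '
        $1 == "udp" {
            n = split($4, a, ":")            # port is the last ":"-separated part of the local address
            if (a[n] == port) { print $NF; found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# rpc_service_on_udp_port PORT : reads rpcinfo -p on stdin and prints the RPC
# service name registered for PORT over udp, or "-" if there is no registration.
rpc_service_on_udp_port() {
    awk -v port="$1" '
        $3 == "udp" && $4 == port { print $5; found = 1; exit }
        END { if (!found) print "-" }'
}

# explain_udp_port PORT : one-line verdict combining both sources.
explain_udp_port() {
    _port=$1
    _owner=$(printf '%s\n' "$NETSTAT_OUT" | owner_of_udp_port "$_port")
    _rpc=$(printf '%s\n' "$RPCINFO_OUT" | rpc_service_on_udp_port "$_port")
    if [ "$_rpc" != "-" ]; then
        printf '%s/udp: %s (RPC %s, dynamically assigned by portmap)\n' "$_port" "$_owner" "$_rpc"
    elif [ "$_owner" != "unknown" ]; then
        printf '%s/udp: %s (no RPC registration; check the program directly)\n' "$_port" "$_owner"
    else
        printf '%s/udp: no bound socket in the listing\n' "$_port"
    fi
}

# Stand-alone usage: the two ports asked about, plus one nmap also flagged.
for p in 1024 1025 3130; do explain_udp_port "$p"; done
```

A port that netstat shows with an owner but rpcinfo does not know is the case Martin describes second (a daemon that simply took the first free unprivileged port); a port that appears in neither listing while nmap still reports it open is the one worth a closer look, since nothing in the process table accounts for it.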
Dear list, would it be possible to limit the network bandwidth of specific processes? I'm looking for an effect similar to what nice does for processor usage. The reason I ask this is that I have some machines on a low capacity network, and sometimes one or a few large file transfers monopolize all bandwidth, resulting in DoS for other services (ssh for example becomes unusable because of the long delay between a key press and the shell displaying the character that was typed). What I would like to do is reduce the bandwidth consumed by these file transfers so that other network traffic like ssh will continue to work properly. Does anybody have an idea?

Thanks!
Yuri.

--------------------------------------------------------------------------
drs. Yuri Robbers                 phone : +31-71-527-4966
Leiden University                 fax   : +31-71-527-4900
Institute for Theoretical Biology email : robbers@rulsfb.leidenuniv.nl
Kaiserstraat 63, 2311 GP Leiden, the Netherlands
PGP 5.0 public key available: check your favourite hkp server.
--------------------------------------------------------------------------
On Sat, 2 Dec 2000 16:06:19 +0100, you wrote:
what's the point in running both SMTP and POP servers?)
Why is it a bad thing? I think it's normal... You have all mail services centralized in one machine. Not so bad.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
** RoMaN SoFt / LLFB **
roman@madrid.com
http://pagina.de/romansoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Oops - sorry for posting in the wrong language. Thanks for the translation .... :-) Hmm - I have to say I'm using some kind of "virgin" server at home which is now being processed into a kind of harder server. But I'm just at the beginning. Thanks to all for your answers. Bye Uli
Participants (6): gtschakert@gmx.de, John Ritchie, Martin Leweling, RoMaN SoFt / LLFB!!, U. Schneider, Yuri Robbers