Mailinglist Archive: opensuse-security (520 mails)

< Previous Next >
Re: [suse-security] dienst blackjack?

On Sat, 02 Dec 2000, you wrote:

>"I'm in the process of hardening my system -

Good luck. You still have a way to go ... ;-)

>thanks to this list I've
>already found several screws to tighten ... but nmap shows me an unusual
>service that's running that looks highly suspicious to me.
>What is "blackjack" on port 1025/udp? Also suspicious is the
>unknown service on port 1024/udp?"

Try (as root) "lsof -i" or "netstat -ap" to find processes allocating
tcp/udp ports. My guess is that it is either a dynamically allocated
rpc service, or some server process unable to bind to a
privileged port an thus using the first unprivileged (1025) port.

On AIX systems smux/network blackjack services are often started by
default. They should not be on a Linux system, though.

There are several trojan horses known to also bind to port
1025, namely NetSpy, Maverick's Matrix, and RemoteStorm.

If you really want to tighten your system, consider the majority of the
remaining open ports as _huge_ security risks. Most of them are
either unnecessary (telnet can easily be replaced with ssh, and
what's the point in running both SMTP and POP servers?)
Add to that name service, web, portmap, samba, snmp and you
easily turn your machine into cracker's paradise ... ;-)

At least services like these should be decentralized and moved
to dedicated machines. One single exploited security hole
will compromise all your services.

>This is what map returns:
> Starting nmap V. 2.53 by fyodor@xxxxxxxxxxxx ( )
> Host localhost ( appears to be up ... good.
> Initiating SYN half-open stealth scan against localhost (
> Adding TCP port 25 (state open).
> Adding TCP port 119 (state open).
> Adding TCP port 80 (state open).
> Adding TCP port 110 (state open).
> Adding TCP port 23 (state open).
> Adding TCP port 53 (state open).
> Adding TCP port 111 (state open).
> Adding TCP port 113 (state open).
> Adding TCP port 8080 (state open).
> Adding TCP port 139 (state open).
> ... snip ...

Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
E-Mail (work): lewelin@xxxxxxxxxxxxxxx

< Previous Next >