Mailinglist Archive: opensuse-security (343 mails)

< Previous Next >
Re: [suse-security] 32770/tcp open sometimes-rpc3
Hi,

On Wednesday 18 July 2001 20:18, Timon Schroeter wrote:

> All
> machines are completely accessible from the outside (no firewall) at all
> times.
>
> Under these conditions, is "32770/tcp open sometimes-rpc3" something to
> worry about?

If you don't know which program is listening on this port, it sure is
something to worry about. Hmm, this has been answered so many
times before, but it's still not in the FAQ.

(a) To identify the process binding to this port, issue this command (as root)
# lsof -i tcp:32770

You could also use
# netstat -anpt | grep 32770

> How can I disable it?

Don't run the process identified in (a) or, if this isn't possible,
use a firewall to block the port.

> I tried (among other things) deinstalling the package n portmapper, but
> this made no
> difference.

Names of high ports (> 1023) do not mean much, as any process can
open these unprivileged ports. netstat only takes the names listed in
/etc/services to do a rough translation, but it has no built-in AI capability.
Btw. in my /etc/services file port 32770 is called filenet-nch, so this should
prove that the name doesn't really mean anything.

I would also suggest to scan your box from a different machine using
nmap. If it shows an open remote port which netstat does not see locally
THEN you have a much bigger problem.

>
> Timon

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
E-Mail (work): lewelin@xxxxxxxxxxxxxxx

< Previous Next >
References