Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] ROOTKIT ?
  • From: MALDENER.de@xxxxxxxxxxx (Michael Maldener)
  • Date: Sat, 8 Nov 2003 13:14:57 +0100
  • Message-id: <200311081314.57593.MALDENER.de@xxxxxxxxxxx>
On Friday, 7 November 2003 00:03, Sturgis, Grant wrote:
> What does:
>
> netstat -anp|grep LISTEN
>
> say?
Hello Grant, thank you;)
When I am offline:

rose:~ # netstat -anp|grep LISTEN
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 984/rpc.statd
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 1417/rpc.mountd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 938/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1617/X
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1095/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1583/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 1265/sshd
unix 2 [ ACC ] STREAM LISTENING 3153 1215/smpppd /var/run/smpppd/control
unix 2 [ ACC ] STREAM LISTENING 3156 1215/smpppd /var/run/smpppd/ifcfg-dsl0
unix 2 [ ACC ] STREAM LISTENING 1380 809/resmgrd /var/run/.resmgr_socket
unix 2 [ ACC ] STREAM LISTENING 11478 1684/kdeinit: dcops /tmp/.ICE-unix/dcop1684-1068293292
unix 2 [ ACC ] STREAM LISTENING 11646 1713/kdeinit: ksmse /tmp/.ICE-unix/1713
unix 2 [ ACC ] STREAM LISTENING 11017 1617/X /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 11472 1681/kdeinit: Runni /tmp/ksocket-ja/kdeinit-:0
unix 2 [ ACC ] STREAM LISTENING 11606 1706/artsd /tmp/mcop-ja/rose_maldener_net-06aa-3facdcb4
unix 2 [ ACC ] STREAM LISTENING 5597 1583/sendmail: acce /var/run/sendmail/control
unix 2 [ ACC ] STREAM LISTENING 4498 1529/nscd /var/run/.nscd_socket
unix 2 [ ACC ] STREAM LISTENING 11501 1687/kdeinit: klaun /tmp/ksocket-ja/klauncherP47EXb.slave-socket
rose:~ #
>
-----------------------------------------------------
When I am online:

rose:~ #
rose:~ # netstat -anp|grep LISTEN
tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 984/rpc.statd
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 1417/rpc.mountd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 938/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1617/X
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1095/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1583/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 1265/sshd
unix 2 [ ACC ] STREAM LISTENING 3153 1215/smpppd /var/run/smpppd/control
unix 2 [ ACC ] STREAM LISTENING 3156 1215/smpppd /var/run/smpppd/ifcfg-dsl0
unix 2 [ ACC ] STREAM LISTENING 1380 809/resmgrd /var/run/.resmgr_socket
unix 2 [ ACC ] STREAM LISTENING 11478 1684/kdeinit: dcops /tmp/.ICE-unix/dcop1684-1068293292
unix 2 [ ACC ] STREAM LISTENING 11646 1713/kdeinit: ksmse /tmp/.ICE-unix/1713
unix 2 [ ACC ] STREAM LISTENING 11017 1617/X /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 11472 1681/kdeinit: Runni /tmp/ksocket-ja/kdeinit-:0
unix 2 [ ACC ] STREAM LISTENING 11606 1706/artsd /tmp/mcop-ja/rose_maldener_net-06aa-3facdcb4
unix 2 [ ACC ] STREAM LISTENING 5597 1583/sendmail: acce /var/run/sendmail/control
unix 2 [ ACC ] STREAM LISTENING 4498 1529/nscd /var/run/.nscd_socket
unix 2 [ ACC ] STREAM LISTENING 11501 1687/kdeinit: klaun /tmp/ksocket-ja/klauncherP47EXb.slave-socket
rose:~ #
> Grant
>
> -----Original Message-----
> From: Michael Maldener [mailto:MALDENER.de@xxxxxxxxxxx]
> Sent: Thursday, November 06, 2003 3:57 PM
> To: suse-security@xxxxxxxx
> Subject: [suse-security] ROOTKIT ?
>
>
> Hello Linux-Friends,
> I scanned my own box (my own dynamic IP) when I was online with:
> netcat -v -z 80.131.118.62 1-65535
> p5083763E.dip.t-dialin.net [80.131.118.62] 33352 (?) open
> p5083763E.dip.t-dialin.net [80.131.118.62] 32769 (filenet-rpc) open
> p5083763E.dip.t-dialin.net [80.131.118.62] 32768 (filenet-tms) open
> p5083763E.dip.t-dialin.net [80.131.118.62] 6000 (?) open
> p5083763E.dip.t-dialin.net [80.131.118.62] 631 (ipp) open
> p5083763E.dip.t-dialin.net [80.131.118.62] 111 (sunrpc) open
> p5083763E.dip.t-dialin.net [80.131.118.62] 22 (ssh) open
>
> And now I am afraid I am not alone on my box!?
>
> What could I do now to close the unwanted ports?
>
> I took a fresh new /etc/services from
> www.iana.org/assignments on my system.
> rose:~ # grep '6000' /etc/services
> ....
> x11 6000-6063/tcp X Window System
> x11 6000-6063/udp X Window System
> ...
> rose:~ #
> But why is port 6000 not shown by netcat? Only a ?
> Although it is in my /etc/services!
> Is this port necessary for a local machine, when I don't want X-forwarding?
>
> For ipp, I have to look into how to deactivate this in cups?
>
> What can I do to find out what is behind
> 33352 (?) open
> 32769 (filenet-rpc) open
> 32768 (filenet-tms) open
>
> ____________________________________
> The same thing when I was offline yesterday:
>
> 46837 (?) open
> 32769 (filenet-rpc) open
> 32768 (filenet-tms) open
> 6000 (x11) open
> 631 (ipp) open
> 111 (sunrpc) open
> 80 (http) open
> 22 (ssh) open
>
> Best Regards and thank you in advance from Mick ; ~ {o} under shock
> Now I do logout and go to sleep.
> --
> # Kind regards, Michael Maldener + The best Linux is the plurality of all Linuxes ;)

--
# Kind regards, Michael Maldener + The best Linux is the plurality of all Linuxes ;)
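
Added example, not part of the original mail: a small shell check that matches each port the netcat scan reported as open against the TCP listeners in the `netstat -anp` listing, so that any port without a local owner stands out. The sample data is copied from this thread (netstat lines rejoined onto one line each); the function names `classify_ports` and `unaccounted_ports` are made up for this illustration.

```shell
#!/bin/sh
# Ports reported open by the netcat scan quoted in the thread.
SCAN_PORTS="33352 32769 32768 6000 631 111 22"

# TCP listeners from the netstat output in the thread (wrapped lines rejoined).
NETSTAT_TCP='tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN 984/rpc.statd
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN 1417/rpc.mountd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 938/portmap
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1617/X
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1095/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1583/sendmail: acce
tcp 0 0 :::22 :::* LISTEN 1265/sshd'

# classify_ports "<ports>" < netstat-lines
# Prints "port owner" per scanned port. The owner is UNACCOUNTED when no
# TCP listener bound to a non-loopback address holds that port.
classify_ports() {
    awk -v scan="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            # Local address is everything before the final ":port".
            addr = substr($4, 1, length($4) - length(port) - 1)
            # Loopback-only listeners cannot explain an external hit.
            if (addr == "127.0.0.1" || addr == "::1") next
            owner[port] = $7
        }
        END {
            m = split(scan, s, " ")
            for (i = 1; i <= m; i++)
                print s[i], ((s[i] in owner) ? owner[s[i]] : "UNACCOUNTED")
        }'
}

# unaccounted_ports "<ports>" < netstat-lines
# Prints only the scanned ports that have no matching listener.
unaccounted_ports() {
    classify_ports "$1" | awk '$2 == "UNACCOUNTED" { print $1 }'
}

printf '%s\n' "$NETSTAT_TCP" | classify_ports "$SCAN_PORTS"
```

On a live host, pipe `netstat -anp` into `classify_ports` instead of the embedded sample; `-p` only shows the owning process for all sockets when run as root.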
