Monday, January 19, 2004 @ 9:16:09 PM Central Standard Time B> The first thing I'd do is run a 'netstat -anp |grep LISTEN' on the box in B> question. If these ports don't show up in netstat, but they do in nmap, B> you probably have a trojaned copy of netstat, a good indication that B> unwelcomed things are living on your box. B> If they do show up, you'll be able to see which processes are opening B> these ports. Usually this jogs memories and you'll remember that weird B> thing you installed because package A depends on it. B> Good luck! B> -Brian Hello, and a good day to all. Many Thanks to those who responded to me. I did some more checking, and came up with more weird info. I was able to track down the mystery port 690. This was for some 3rd party bs I tried to install to be used with the webmail server. I never got it to work, so I took it out of their. Port 690 lives no longer. I still have a couple mysteries though: First I ran nmap from a machine at my house on the 2 boxes in question at work, and came up with this: box 1 in question: showed correct ports + mystery port 1720 box 2 in question: showed correct ports + mystery port 1720 I then ran nmap from Box 1. localhost reported = correct ports. did not show the mystery 1720, but showed port 953 now. box 2 showed the correct reading, did not show mystery port I then ran nmap from box 2 localhost reported = correct ports, but showed port 953 now box 1 showed the proper ports. no mystery port 1720, or no 953 for the record, the correct ports are box 1 = 21, 22, 25, 53, 80, 110, 143 box 2 = 22, 53 I then tried: netstat -anp | grep LISTEN on the boxes in question: box 1 reported: 21 22 25 53 80 110 143 & 953 (says named is using 953) box 2 reported: 22 53 & 953 This is my first time ever running a name server. I am using bind. Is this 953 port legit? I went through the the logs on both boxes, and didn't see anything funny. Why is it that port 1720 shows up when I scan the boxes from my house, and it doesn't show up when I check them locally? Am I in trouble, or just being paranoid? Many Thanks, Robert (aka B_o_B) David Felix De Mars West Longitude 90' 15' 43" http://b-o-b.homelinux.com ********************************************************* Friday, January 16, 2004, 9:52:25 PM, you wrote: >> I work for our Internet related services. I like to use nmap to make >> sure I am running only the services I need. While nmap'n both these >> boxes today I noticed something I have not seen before. B> _______________________________________________ B> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota B> http://www.mn-linux.org tclug-list at mn-linux.org B> https://mailman.real-time.com/mailman/listinfo/tclug-list _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota http://www.mn-linux.org tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list