[TCLUG] mystery tcp ports appear!! Film at 11'

Mon Jan 19 21:38:10 CST 2004

Monday, January 19, 2004   @   9:16:09 PM Central Standard Time

B> The first thing I'd do is run a 'netstat -anp |grep LISTEN' on the box in
B> question.  If these ports don't show up in netstat, but they do in nmap,
B> you probably have a trojaned copy of netstat, a good indication that
B> unwelcomed things are living on your box.

B> If they do show up, you'll be able to see which processes are opening
B> these ports.  Usually this jogs memories and you'll remember that weird
B> thing you installed because package A depends on it.

B> Good luck!

B> -Brian

Hello, and a good day to all.  Many Thanks to those who responded to me.
I did some more checking, and came up with more weird info.

I was able to track down the mystery port 690.  This was for some 3rd party bs I tried to install to be used with the webmail server.  I never got it to work, so I took it out of their.  Port 690 lives no longer.

I still have a couple mysteries though:

First I ran nmap from a machine at my house on the 2 boxes in question
at work, and came up with this:
box 1 in question:
showed correct ports + mystery port 1720
box 2 in question:
showed correct ports + mystery port 1720

I then ran nmap from Box 1.
localhost reported = correct ports.  did not show the mystery 1720, but showed port 953 now.
box 2 
showed the correct reading, did not show mystery port

I then ran nmap from box 2
localhost reported = correct ports, but showed port 953 now
box 1
showed the proper ports.  no mystery port 1720, or no 953

for the record, the correct ports are
box 1 = 21, 22, 25, 53, 80, 110, 143
box 2 = 22, 53

I then tried:
netstat -anp | grep LISTEN 
on the boxes in question:
box 1 reported: 21 22 25 53 80 110 143 & 953 (says named is using 953)
box 2 reported: 22 53 & 953

This is my first time ever running a name server.  I am using bind.  Is this 953 port legit?

I went through the the logs on both boxes, and didn't see anything funny.  

Why is it that port 1720 shows up when I scan the boxes from my house, and it doesn't show up when I check them locally?

Am I in trouble, or just being paranoid?

Many Thanks,

Robert (aka B_o_B) David Felix De Mars
West Longitude 90' 15' 43"
http://b-o-b.homelinux.com

*********************************************************

Friday, January 16, 2004, 9:52:25 PM, you wrote:

>> I work for our Internet related services.  I like to use nmap to make
>> sure I am running only the services I need.  While nmap'n both these
>> boxes today I noticed something I have not seen before.

B> _______________________________________________
B> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
B> http://www.mn-linux.org tclug-list at mn-linux.org
B> https://mailman.real-time.com/mailman/listinfo/tclug-list

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list