LinuxQuestions.org
Linux - Security
Old 04-15-2004, 04:42 PM   #1
sharpie
Member
Registered: Jan 2004
Location: California
Distribution: Slackware 10.1
Posts: 190
TCP port 603 open


I ran a portscan on myself and it seems I have TCP port 603 open. I've tried finding out any services running on this port by checking /etc/services and searching the web, but I can't find anything. I don't think it was open before; do you think something's wrong?
 
Old 04-15-2004, 06:02 PM   #2
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Hard to say without knowing more. Try using netstat -pantu or lsof -i to see what application/process is utilizing that port.
 
Old 04-15-2004, 09:42 PM   #3
sharpie
Member
Registered: Jan 2004
Location: California
Distribution: Slackware 10.1
Posts: 190
Original Poster
Here is the line from netstat -pantu:

Code:
tcp        0      0 0.0.0.0:603             0.0.0.0:*               LISTEN
And lsof -i:

Code:
inetd     1699 root    4u  IPv4   1374       TCP *:603 (LISTEN)
I can't make out anything from it... Can you?
 
Old 04-15-2004, 11:18 PM   #4
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
The netstat output doesn't really tell us much, but lsof -i does. First, it tells us that the port is being opened by inetd. Inetd acts as kind of like an intermediate server, where a given service is run through the inetd server. So instead of having an individual daemon listening at that port for connections, inetd will do the listening and then, when that specific service is required, it will pass the connection off to the specific daemon (hence the nickname "inetd superserver"). That way you don't need to have multiple daemons listening at the same time and wasting resources.

Now, go to the /etc/inetd.conf file and look for any uncommented services that either specifically list port 603 or that aren't readily apparent as to what they do.

Also are you running any kind of intrusion detection software? TCP port 603 is reserved for IDXP or Intrusion Detection Exchange protocol, which is used by various IDS applications to communicate with each other or with something like a central logging server. However, just because a certain port number is normally used by a service or protocol doesn't guarantee that's what is actually running.
 
Old 04-21-2004, 04:42 AM   #5
sharpie
Member
Registered: Jan 2004
Location: California
Distribution: Slackware 10.1
Posts: 190
Original Poster
I don't have any kind of IDS software running. I checked my inetd.conf file and found this line uncommented at the end:

Code:
sgi_fam/1-2 stream rpc/tcp wait root /usr/sbin/famd famd
I commented it and now the port is closed.

It's called the File Alteration Monitor. Here is the URL. On the site:

Quote:
What is FAM?

FAM, the File Alteration Monitor, provides an API that applications can use to be notified when specific files or directories are changed.

FAM comes in two parts: fam, the daemon that listens for requests and delivers notification, and libfam, a library that client applications can use to communicate with fam.
I'm guessing some program installed it, as I had previously commented out every line in my inetd.conf. Do you have any idea of what program might have put it there?

Last edited by sharpie; 04-21-2004 at 04:50 AM.
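The procedure from #2 and #4 (find the listener with lsof, see that it is inetd, then find the matching inetd.conf entry) as a small shell triage script. This is an added example, not code from the thread, and every input it reads is a constructed sample shaped like real `lsof -i`, `/etc/services`, `rpcinfo -p` and `/etc/inetd.conf` content, built around the line the original poster found in #5; the function names are my own. It also shows the detail that explains why #1's /etc/services search came up empty: an inetd.conf entry whose protocol field is rpc/tcp (such as sgi_fam above) is registered with the portmapper and gets a port assigned when inetd starts, so such a port shows up in `rpcinfo -p`, not in /etc/services. The 603/tcp "idxp" assignment that #4 mentions is a coincidence of numbering, which is exactly the caveat #4 gives: a port number matching a reserved assignment says nothing about what is actually bound to it.

```shell
#!/bin/sh
# Added triage example: given a listening TCP port, find the process that owns
# it and, when that process is inetd, the inetd.conf entry behind it.
# Every *_SAMPLE below is CONSTRUCTED to look like the real command/file;
# to use this live, replace them with the output of
#   lsof -nP -i TCP:"$port"   /etc/services   rpcinfo -p   /etc/inetd.conf

LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
inetd    1699 root    4u  IPv4   1374       TCP *:603 (LISTEN)
sshd      812 root    3u  IPv4    901       TCP *:22 (LISTEN)'

SERVICES_SAMPLE='ssh     22/tcp
finger  79/tcp
idxp   603/tcp    # Intrusion Detection Exchange Protocol'

RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    391002    2   tcp    603  sgi_fam'

INETD_SAMPLE='#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
sgi_fam/1-2 stream rpc/tcp wait root /usr/sbin/famd famd'

# COMMAND column of the lsof line listening on TCP port $1 (empty if none).
owner_of_port() {
    printf '%s\n' "$LSOF_SAMPLE" |
        awk -v port="$1" '$NF == "(LISTEN)" && $(NF-1) ~ (":" port "$") { print $1; exit }'
}

# Name /etc/services assigns to TCP port $1, if any.
services_name_for_port() {
    printf '%s\n' "$SERVICES_SAMPLE" |
        awk -v port="$1" '$1 !~ /^#/ && $2 == (port "/tcp") { print $1; exit }'
}

# RPC program the portmapper has registered on TCP port $1, if any.
# inetd "rpc/tcp" services bind a kernel-assigned port and register it here,
# so such a port need not appear in /etc/services at all.
rpc_name_for_port() {
    printf '%s\n' "$RPCINFO_SAMPLE" |
        awk -v port="$1" '$3 == "tcp" && $4 == port { print $5; exit }'
}

# Uncommented inetd.conf line whose service field (before any "/version") is $1.
inetd_line_for_service() {
    printf '%s\n' "$INETD_SAMPLE" |
        awk -v name="$1" '$1 !~ /^#/ && NF >= 6 { split($1, f, "/"); if (f[1] == name) { print; exit } }'
}

# Server program path from an inetd.conf line (the 6th field).
binary_of_line() {
    printf '%s\n' "$1" | awk '{ print $6 }'
}

# Full triage for one port; returns 1 when the chain breaks somewhere.
triage() {
    port=$1
    owner=$(owner_of_port "$port")
    [ -n "$owner" ] || { echo "port $port: no listener found"; return 1; }
    echo "port $port is held by: $owner"
    [ "$owner" = inetd ] || return 0
    name=$(rpc_name_for_port "$port")
    if [ -n "$name" ]; then
        echo "  portmapper says TCP $port is RPC program '$name' (dynamic port, not from /etc/services)"
    else
        name=$(services_name_for_port "$port")
        [ -n "$name" ] || { echo "  no /etc/services or RPC name for $port; read inetd.conf by hand"; return 1; }
        echo "  /etc/services names TCP $port '$name'"
    fi
    line=$(inetd_line_for_service "$name")
    [ -n "$line" ] || { echo "  no uncommented inetd.conf entry for '$name'"; return 1; }
    echo "  inetd.conf entry: $line"
    echo "  server binary to stat/md5sum: $(binary_of_line "$line")"
}

triage 603
```

Running it on the sample data walks port 603 to inetd, to the sgi_fam RPC registration, to the uncommented famd line, and ends by naming /usr/sbin/famd as the binary whose mtime and checksum #6 suggests checking. The /etc/services lookup is only consulted when the portmapper has nothing for the port, which is the order that avoids being misled by a coincidental assignment like idxp.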
 
Old 04-21-2004, 08:03 AM   #6
Capt_Caveman
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
The only things I can think of that use sgi_fam are some of the GUI file managers (like Nautilus) and NFS/RPC stuff. Normally I would say, when you think something has been modified, immediately use the stat command to see if you can determine the last modification time/date. Since you've already modified it, that won't do much good now though.

SGI_FAM is a pretty common thing with most distros and is turned on by default in many of them. If you are paranoid about it, you can get an md5sum of the famd binary and compare that to a known good version.
 
Old 04-21-2004, 09:48 PM   #7
sharpie
Member
Registered: Jan 2004
Location: California
Distribution: Slackware 10.1
Posts: 190
Original Poster
I recently installed dropline-gnome under Slackware, I have a feeling that installed it.

Thanks for all the help.
 