LinuxQuestions.org, Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

#1  01-26-2009, 02:03 AM
katrok (LQ Newbie; Distribution: Fedora 8)
Unknown service


Hi all, I need to check and block an unknown service on my gateway box...

I don't know what it is. When I try...
Code:
[root@gwbox ~]# nmap -p 1-65000 gwbox | grep unknown 
43176/tcp open  unknown
[root@gwbox ~]# chkconfig --list
ConsoleKit      0:off   1:off   2:on    3:on    4:on    5:on    6:off
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
btseed          0:off   1:off   2:off   3:off   4:off   5:off   6:off
bttrack         0:off   1:off   2:off   3:off   4:off   5:off   6:off
capi            0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
dc_client       0:off   1:off   2:off   3:off   4:off   5:off   6:off
dc_server       0:off   1:off   2:off   3:off   4:off   5:off   6:off
dnsmasq         0:off   1:off   2:on    3:on    4:on    5:on    6:off
dund            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:on    4:off   5:on    6:off
fuse            0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:off   6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kannel          0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
lirc            0:off   1:off   2:off   3:off   4:off   5:off   6:off
lm_sensors      0:off   1:off   2:off   3:off   4:off   5:off   6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:on    3:on    4:on    5:on    6:off
microcode_ctl   0:off   1:off   2:on    3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:off   6:off
nasd            0:off   1:off   2:off   3:off   4:off   5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nmb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pand            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
psacct          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcbind         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:on    3:on    4:on    5:on    6:off
smolt           0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
squid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:off   2:off   3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
winbind         0:off   1:off   2:off   3:off   4:off   5:off   6:off
wpa_supplicant  0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yum-updatesd    0:off   1:off   2:off   3:off   4:off   5:off   6:off
Every time I reboot my box, it's on a different port.


How can I BLOCK/DENY it? I don't know what service it is.

help
 
#2  01-26-2009, 02:08 AM
katrok (Original Poster; Distribution: Fedora 8)
Re: unknown service

Now, after I rebooted and scanned again, it changed to another port.

Code:
[root@gwbox ~]# nmap -p 1-65000 gwbox | grep unknown
51585/tcp open unknown

What is this service, how do I find out what service it is, and how do I block it????

Thanks in advance
 
#3  01-26-2009, 09:26 AM
rweaver (Senior Member; Location: Louisville, OH; Distribution: Debian, CentOS, Slackware, RHEL, Gentoo)
Do a "netstat -pan" and let's examine the output of that.
 
#4  01-31-2009, 12:23 PM
katrok (Original Poster; Distribution: Fedora 8)
Quote:
Originally Posted by rweaver View Post
Do a "netstat -pan" and lets examine the output of that.
Here is the output:
Code:
[root@gwbox ~]# nmap -p 1-65355 gwbox|grep unknown
38954/tcp open  unknown
[root@gwbox ~]# nmap -p 1-65355 localhost|grep unknown
38954/tcp open  unknown
[root@gwbox ~]# 

[root@gwbox ~]# netstat -vat|grep 38954
tcp        0      0 *:38954                     *:*                         LISTEN      

[root@gwbox ~]# netstat -pan|grep 38954
tcp        0      0 0.0.0.0:38954               0.0.0.0:*                   LISTEN      1836/rpc.statd
rpc.statd <<< thanks in advance rweaver
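
The check rweaver asked for, taken one step further as an added example (this is not code from the thread): a POSIX shell script that maps a listening port to the process owning it from "netstat -pan" output, then cross-checks the port against "rpcinfo -p". An RPC daemon such as rpc.statd registers whatever port it was handed with portmapper under program number 100024 ("status"), so a port that is owned by rpc.statd and registered as 100024 is the normal case, while an RPC-looking owner with no registration, or a registered port owned by something else, is what would justify the worry later in the thread. The netstat and rpcinfo samples embedded below are constructed to mirror post #4 (38954 owned by 1836/rpc.statd); the rpcbind/sshd lines, the UDP port and the other PIDs are assumptions. On the gateway the same functions can be fed live output.

```shell
#!/bin/sh
# Added example, not code from the thread: map a listening port to its owning
# process (from "netstat -pan") and to its RPC registration (from "rpcinfo -p").
# The two samples below are CONSTRUCTED to mirror post #4 (38954 -> 1836/rpc.statd);
# the other lines and PIDs are assumptions. On the gateway, feed live output instead:
#   netstat -pan | owner_of_port 38954
#   rpcinfo -p localhost | rpc_service_on_port 38954

NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1711/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1985/sshd
tcp        0      0 0.0.0.0:38954               0.0.0.0:*                   LISTEN      1836/rpc.statd
udp        0      0 0.0.0.0:38951               0.0.0.0:*                               1836/rpc.statd'

# rpcinfo -p lists program number, version, protocol, port and name for every
# service registered with portmapper; 100024 "status" is rpc.statd (NSM).
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  38951  status
    100024    1   tcp  38954  status'

# owner_of_port PORT: reads "netstat -pan" on stdin, prints the PID/program of the
# TCP socket LISTENing on PORT, or "none" if nothing does.
owner_of_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, addr, ":")      # local address is host:port; take the last field
            if (addr[n] == port) { print $7; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# rpc_service_on_port PORT: reads "rpcinfo -p" on stdin, prints prog/vers/proto/name
# registered for PORT, or "unregistered" if portmapper knows nothing about it.
rpc_service_on_port() {
    awk -v port="$1" '
        $1 ~ /^[0-9]+$/ && $4 == port { print $1 "/" $2 "/" $3 "/" $5; found = 1; exit }
        END { if (!found) print "unregistered" }'
}

# classify_port PORT: combine both views into a verdict. A high, changing port that
# is owned by rpc.statd AND registered as program 100024 is the normal NSM behaviour
# the thread ends on; the "investigate" cases are the ones worth the OP's worry.
classify_port() {
    port=$1
    owner=$(printf '%s\n' "$NETSTAT_SAMPLE" | owner_of_port "$port")
    rpc=$(printf '%s\n' "$RPCINFO_SAMPLE" | rpc_service_on_port "$port")
    case "$owner:$rpc" in
        none:*)               echo "$port: nothing listening" ;;
        */rpc.statd:100024/*) echo "$port: rpc.statd (NSM), registered with portmapper as status: expected" ;;
        */rpcbind:100000/*)   echo "$port: rpcbind (portmapper): expected" ;;
        */rpc.*:unregistered) echo "$port: $owner claims to be an RPC daemon but is not registered: investigate" ;;
        *:unregistered)       echo "$port: $owner, plain (non-RPC) listener: confirm it is a service you enabled" ;;
        *)                    echo "$port: $owner registered as $rpc: investigate" ;;
    esac
}

classify_port 38954   # the thread's case
classify_port 22
classify_port 4444
```

nmap labels the port "unknown" only because it is absent from its services table; "rpcinfo -p localhost" (or nmap's version detection, -sV) resolves it. If the owner were unexpected, the next checks before assuming a compromise would be "readlink /proc/PID/exe" followed by "rpm -qf" on that path and "rpm -V nfs-utils", the package that ships rpc.statd on Fedora.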
 
#5  01-31-2009, 08:32 PM
unixfool (Member; Location: Northern VA; Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X)
Is that port exposed to the internet? Can you scan from another machine on the LAN and then from outside the LAN?

Also, are you running NFS on the LAN?

 
#6  02-04-2009, 09:50 PM
katrok (Original Poster; Distribution: Fedora 8)
Quote:
Originally Posted by unixfool View Post
Is that port exposed to the internet? Can you scan from another machine on the LAN and then from outside the LAN?
It shows on localhost (gwbox) and from other computers on the LAN; from outside the LAN I never tested it...

Quote:
Originally Posted by unixfool View Post
Also, are you running NFS on the LAN?
No, I'm not running NFS; you can see the list of my services up this post.

It's true my firewall allows the NFS port, but not this port!!!! And I'm too much of a noob to know what it is.

Code:
[root@gwbox ~]# nmap -p 1-65355 localhost

Starting Nmap 4.52 ( http://insecure.org ) at 2009-02-05 09:36 WIT
Interesting ports on gwbox.warnet.lan (127.0.0.1):
Not shown: 65342 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
3128/tcp  open  squid-http
58571/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 20.626 seconds
[root@gwbox ~]# chkconfig --list
ConsoleKit      0:off   1:off   2:on    3:on    4:on    5:on    6:off
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
acpid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
avgd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
bluetooth       0:off   1:off   2:off   3:off   4:off   5:off   6:off
btseed          0:off   1:off   2:off   3:off   4:off   5:off   6:off
bttrack         0:off   1:off   2:off   3:off   4:off   5:off   6:off
capi            0:off   1:off   2:off   3:off   4:off   5:off   6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:off   3:off   4:off   5:off   6:off
dc_client       0:off   1:off   2:off   3:off   4:off   5:off   6:off
dc_server       0:off   1:off   2:off   3:off   4:off   5:off   6:off
dhcpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
dhcrelay        0:off   1:off   2:off   3:off   4:off   5:off   6:off
dnsmasq         0:off   1:off   2:on    3:on    4:on    5:on    6:off
dund            0:off   1:off   2:off   3:off   4:off   5:off   6:off
firstboot       0:off   1:off   2:off   3:on    4:off   5:on    6:off
fuse            0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:off   6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:off   3:off   4:off   5:off   6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
irqbalance      0:off   1:off   2:off   3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kannel          0:off   1:off   2:off   3:off   4:off   5:off   6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
ldap            0:off   1:off   2:off   3:off   4:off   5:off   6:off
lirc            0:off   1:off   2:off   3:off   4:off   5:off   6:off
lm_sensors      0:off   1:off   2:off   3:off   4:off   5:off   6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:on    3:on    4:on    5:on    6:off
microcode_ctl   0:off   1:off   2:on    3:on    4:on    5:on    6:off
multipathd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
nasd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
netplugd        0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nmb             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nscd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pand            0:off   1:off   2:off   3:off   4:off   5:off   6:off
pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
psacct          0:off   1:off   2:off   3:off   4:off   5:off   6:off
rdisc           0:off   1:off   2:off   3:off   4:off   5:off   6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcbind         0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcsvcgssd      0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
shorewall       0:off   1:off   2:off   3:off   4:off   5:off   6:off
smartd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
smb             0:off   1:off   2:on    3:on    4:on    5:on    6:off
smolt           0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
snortd          0:off   1:off   2:off   3:off   4:off   5:off   6:off
squid           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
udev-post       0:off   1:off   2:off   3:on    4:on    5:on    6:off
vsftpd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
winbind         0:off   1:off   2:off   3:off   4:off   5:off   6:off
wpa_supplicant  0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yum-updatesd    0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@gwbox ~]# 
[root@gwbox ~]# netstat -vat|grep 58571
tcp        0      0 *:58571                     *:*                         LISTEN      
[root@gwbox ~]# netstat -pan|grep 58571
tcp        0      0 0.0.0.0:58571               0.0.0.0:*                   LISTEN      1808/rpc.statd      
[root@gwbox ~]#
Is this normal or not (is my box being cracked???), or am I too paranoid??? So what must I do with my iptables???

I also checked /etc/services; this unknown service is always on a non-registered port. Is this a virus?

Thanks in advance for any ideas...
 
#7  02-04-2009, 10:08 PM
unixfool (Member; Location: Northern VA; Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X)
I've not run NFS in like 7-8 years, but I'd thought that some of the services associated with NFS generate traffic on random ports (which is why it is difficult to configure a FW to allow such traffic). You may want to read up on how NFS's services work. I'm almost positive I read something to the effect of NFS services spawning port connections that may appear to be suspicious but are not.
 
#8  02-04-2009, 10:36 PM
AlucardZero (Senior Member; Location: USA; Distribution: Debian)
The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. This service is somewhat misnomed, since it doesn't actually provide active monitoring as one might suspect; instead, NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots.

Google rpc.statd.
 
#9  05-21-2009, 06:21 AM
katrok (Original Poster; Distribution: Fedora 8)
thanks

Thanks anyway for all of the references.
 
#10  05-22-2009, 01:22 AM
chrism01 (Guru; Location: Sydney; Distribution: Centos 6.6, Centos 5.10)
Given your profile says Fedora, you should be able to lock down the ports used by nfs related services as described here: http://www.cyberciti.biz/faq/centos-...-server-ports/
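
The port pinning chrism01 points at, written out as an added example (not the thread's or the linked page's own text). On Fedora/RHEL of that era the nfslock init script, which is 3:on in the chkconfig listing above and is what starts rpc.statd, reads /etc/sysconfig/nfs and passes STATD_PORT and STATD_OUTGOING_PORT to rpc.statd (its -p and -o options) and LOCKD_TCPPORT/LOCKD_UDPPORT to lockd; once those are set the port stops moving between reboots and can be firewalled like any other. The script below prints the sysconfig lines and matching iptables rules for review rather than applying them; the LAN range, the inside interface name and the port numbers are assumptions, and nothing here writes to /etc or changes the live ruleset. If the box is neither an NFS server nor an NFS client, the simpler fix is "chkconfig nfslock off; service nfslock stop", which removes rpc.statd altogether, with portmapper (111) still restricted to the LAN.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked page: pin rpc.statd/lockd to
# fixed ports via /etc/sysconfig/nfs and generate iptables rules that expose
# portmapper and those ports to the LAN side only. Everything is printed for review;
# nothing here writes to /etc or changes the running firewall.
# Assumptions (labelled): LAN_NET/LAN_IF describe the inside of the gateway and the
# port numbers are free unprivileged ports on this box.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN range
LAN_IF="${LAN_IF:-eth1}"               # assumed inside interface
STATD_PORT="${STATD_PORT:-32765}"      # rpc.statd listening port (rpc.statd -p)
STATD_OUT="${STATD_OUT:-32766}"        # rpc.statd outgoing port  (rpc.statd -o)
LOCKD_PORT="${LOCKD_PORT:-32768}"      # lockd (NLM) port, TCP and UDP

# nfs_sysconfig: variables the Fedora/RHEL nfslock init script reads from
# /etc/sysconfig/nfs. Without them statd takes whatever free port it is given at
# start-up, which is why the thread's port changed on every reboot.
nfs_sysconfig() {
    cat <<EOF
STATD_PORT=$STATD_PORT
STATD_OUTGOING_PORT=$STATD_OUT
LOCKD_TCPPORT=$LOCKD_PORT
LOCKD_UDPPORT=$LOCKD_PORT
EOF
}

# nfs_lockdown_rules: for portmapper (111) and each pinned port, accept from the LAN
# interface/range and drop from anywhere else (WAN included), in insertion order.
nfs_lockdown_rules() {
    for spec in "tcp 111" "udp 111" "tcp $STATD_PORT" "udp $STATD_PORT" \
                "tcp $LOCKD_PORT" "udp $LOCKD_PORT"; do
        set -- $spec    # $1 = proto, $2 = port (function-local positional params)
        echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p $1 --dport $2 -j ACCEPT"
        echo "iptables -A INPUT -p $1 --dport $2 -j DROP"
    done
}

# rules_cover_port PORT: returns 0 when the generated set both accepts PORT from the
# LAN and drops it otherwise, for TCP and UDP; a cheap self-check before applying.
rules_cover_port() {
    rules=$(nfs_lockdown_rules)
    for proto in tcp udp; do
        printf '%s\n' "$rules" | grep -q -- "-i $LAN_IF -s $LAN_NET -p $proto --dport $1 -j ACCEPT" || return 1
        printf '%s\n' "$rules" | grep -q -- "^iptables -A INPUT -p $proto --dport $1 -j DROP$" || return 1
    done
    return 0
}

echo "# append to /etc/sysconfig/nfs, then: service nfslock restart"
nfs_sysconfig
echo "# firewall rules (run as root, or add to the existing iptables script):"
nfs_lockdown_rules
```

After "service nfslock restart", "rpcinfo -p localhost" should list status on the pinned port and "netstat -pan | grep rpc.statd" should show only that port; rescanning from a LAN host and then from outside, as unixfool suggested, confirms the rules do what the output above says. The outgoing port (STATD_OUTGOING_PORT) is a source port for statd's reboot notifications, not a listener, so it gets no INPUT rule.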
 