LinuxQuestions.org
Old 04-03-2007, 03:37 AM   #1
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 322

Rep: Reputation: 59
open port 623


Hi
I found strange port 623 open, anyone know what it is and how can I close it.

Thx
 
Old 04-03-2007, 04:34 AM   #2
Datamike
Member
 
Registered: Oct 2003
Location: Finland
Distribution: Slackware 12.0
Posts: 34

Rep: Reputation: 15
Here's a web site I found with some information on the port: http://www.auditmypc.com/port/udp-port-623.asp

As for closing it, have you checked your firewall and how it is configured? Don't know about linux, but once upon a time in Windows, a fairly annoying little program kept a port open in my firewall. I'm not sure if that's possible in linux. Depends a lot on your firewall.
 
Old 04-03-2007, 05:46 AM   #3
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
From a terminal, type netstat -pantu

This should tell you what is listening on port 623. Ports are only "open" if something is listening on them
 
Old 04-03-2007, 11:15 PM   #4
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 322

Original Poster
Rep: Reputation: 59
Hi
Strange thing is that there is no open port 623 when I check from inside, it is when I check from outside
netstat -lnp doesn't show anything at that port
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN     2759/inetd          
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     2875/httpd          
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN     2759/inetd          
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN     2772/named          
tcp        0      0 333.333.333.333:53      0.0.0.0:*               LISTEN     2772/named          
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     2772/named          
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN     2772/named          
tcp6       0      0 ::1:953                 :::*                    LISTEN     2772/named          
udp        0      0 0.0.0.0:512             0.0.0.0:*                          2759/inetd          
udp        0      0 0.0.0.0:32769           0.0.0.0:*                          2772/named          
udp        0      0 0.0.0.0:37              0.0.0.0:*                          2759/inetd          
udp        0      0 192.168.1.1:53          0.0.0.0:*                          2772/named          
udp        0      0 333.333.333.333:53      0.0.0.0:*                          2772/named          
udp        0      0 127.0.0.1:53            0.0.0.0:*                          2772/named          
udp6       0      0 :::32770                :::*                               2772/named          
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     7388     2826/acpid          /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     7468     2877/gpm            /dev/gpmctl
unix  2      [ ACC ]     STREAM     LISTENING     7455     2865/mysqld         /var/run/mysql/mysql.sock
Code:
PORT    STATE    SERVICE
37/tcp  open     time
53/tcp  open     domain
80/tcp  open     http
113/tcp open     auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
623/tcp filtered unknown
So, where is it?
Thx

Last edited by Nikosis; 04-04-2007 at 04:23 PM.
 
Old 04-04-2007, 05:15 AM   #5
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Perhaps it just isn't blocked by your firewall. Have you tried closing it (I don't know slackware)?
 
Old 04-04-2007, 11:48 AM   #6
Road_map
Member
 
Registered: Jan 2007
Distribution: Slackware
Posts: 341

Rep: Reputation: 31
Try
Code:
netstat -teanlp
 
Old 04-04-2007, 04:06 PM   #7
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 322

Original Poster
Rep: Reputation: 59
Hi
Thanks for reply
port 623 isn't open on firewall if that's what you meant.

netstat -teanlp gives same result as -lnp or -pantu
thx

Last edited by Nikosis; 04-04-2007 at 04:08 PM.
 
Old 04-05-2007, 09:03 AM   #8
Road_map
Member
 
Registered: Jan 2007
Distribution: Slackware
Posts: 341

Rep: Reputation: 31
Code:
/etc/rc.d/./rc.rpc stop
chmod 0644 /etc/rc.d/rc.rpc
 
Old 04-06-2007, 04:44 AM   #9
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 322

Original Poster
Rep: Reputation: 59
Thanks for reply
Well, the port is not really open, it is filtered, so it is on the firewall, not sure what might cause it though. Any suggestion is welcome.
 
Old 08-21-2011, 10:30 PM   #10
FreakWent
LQ Newbie
 
Registered: Aug 2003
Distribution: Mandrake 9.1
Posts: 7

Rep: Reputation: 2
Bump

This thread is Google's top hit for port 623, so I'm adding useful information.

It's used by Intel's vPro/AMT/MEBx suite of technology, wherein a KVM is integrated with the motherboard, allowing remote access to the system regardless of the state of the OS -- or even if there's none.

That's why you don't see it in the netstat output, the OS isn't listening, the hardware is.

I dunno if the OS firewall will stop it, I haven't tested yet. I don't even know which behaviour I prefer, if the OS can control it or if the hardware wins.

It's intended for central management by corporate helpdesks and so on, and I'm looking for decent free or open source software to use with it.
 
2 members found this post helpful.
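An added example, not part of any post in this thread: a small script that cross-checks an outside port scan against the host's own `netstat` listeners, which is the comparison the posts above do by eye. The input is abridged from the output posted earlier in the thread plus one constructed scan; the verdict labels are names chosen for this example.

```python
import re

# Abridged from the netstat -lnp and nmap output posted in this thread.
NETSTAT = """\
tcp        0      0 0.0.0.0:80          0.0.0.0:*     LISTEN     2875/httpd
tcp        0      0 192.168.1.1:53      0.0.0.0:*     LISTEN     2772/named
tcp        0      0 127.0.0.1:953       0.0.0.0:*     LISTEN     2772/named
udp        0      0 0.0.0.0:512         0.0.0.0:*                2759/inetd
"""
NMAP = """\
53/tcp  open     domain
80/tcp  open     http
623/tcp filtered unknown
"""
# Constructed scan (not from the thread): a port answers although the OS has nothing bound.
NMAP_CONSTRUCTED = "80/tcp  open  http\n623/tcp open  unknown\n"

def local_listeners(netstat_text):
    """(proto, port) pairs the OS has bound on a non-loopback address."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0][:3] not in ("tcp", "udp"):
            continue  # headers, unix sockets, blank lines
        if f[0].startswith("tcp") and "LISTEN" not in f:
            continue  # established connections are not listeners
        addr, port = f[3].rsplit(":", 1)
        if addr not in ("127.0.0.1", "::1") and port.isdigit():
            found.add((f[0][:3], int(port)))
    return found

def classify(nmap_text, listeners):
    """Label each scanned port by who, if anyone, could be answering."""
    verdicts = {}
    for port, proto, state in re.findall(r"^(\d+)/(tcp|udp)\s+(\S+)", nmap_text, re.M):
        key, verdict = (proto, int(port)), state
        if key in listeners:
            verdict = "os-listener"          # a local process owns the port
        elif state == "open":
            verdict = "answered-outside-os"  # e.g. a management controller on the NIC
        elif "filtered" in state:
            verdict = "probe-dropped"        # no reply: a filter on the path, not proof of a listener
        verdicts[key] = verdict
    return verdicts

if __name__ == "__main__":
    seen = local_listeners(NETSTAT)
    print(classify(NMAP, seen))
    print(classify(NMAP_CONSTRUCTED, seen))
```

A port reported as `answered-outside-os` can also belong to a router or NAT device in front of the host, so confirm which address was actually scanned before checking the firmware settings.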
Old 08-22-2011, 07:48 AM   #11
mRgOBLIN
Slackware Contributor
 
Registered: Jun 2002
Location: New Zealand
Distribution: Slackware
Posts: 999

Rep: Reputation: 231
I'd expect it can be disabled in the BIOS then.
 
1 members found this post helpful.
Old 03-05-2012, 08:58 PM   #12
alt229
LQ Newbie
 
Registered: Mar 2012
Posts: 1

Rep: Reputation: Disabled
Lights out management port

Hey guys,
FreakWent is right. This port is opened by the NIC itself as part of lights out management. While it's not really a problem to leave this port open, if there is some kind of security issue in your vendor's particular implementation of LOM then an attacker would have access to reboot your system among other low level commands.

If you wanted to disable this you'd most likely have to reboot and after the BIOS screen look for your NIC to announce how to configure it. It may say something like PXE boot but there should be some kind of keyboard combo that'll get you directly into the NIC's settings. From there you can usually disable LOM.

Alternatively, you can put LOM on another subnet so that you don't even see it on a portscan of your main ip.

HTH
 
2 members found this post helpful.
Old 03-06-2012, 01:16 AM   #13
tallship
Member
 
Registered: Jul 2003
Location: On the Beaches of Super Sunny Southern San Clemente, California USA
Distribution: Slackware - duh!
Posts: 534
Blog Entries: 3

Rep: Reputation: 118
Definitely NOT kewl!

Well, an iLO for a laptop is a nice idea...

But to distribute machines to consumers with these ports open is grossly negligent, IMNSHO.

And to not even tell the consumer at all? Wow.

That's just wrong as windows raining down.

I'm all for IPMI implementations, but this is just completely irresponsible.

What makes it even worse, is that this thread is at the top of the google hits - meaning, there's a whole world of people running this model machine just waiting for a 0day whackattack, because no one knows they're potentially vulnerable.

Next we'll be hearing that these machines have a factory default set of credentials enabled on the listening ports.

Finally, it's definitely NOT kewl for a manufacturer to so prominently use low port numbers for such things - without first registering those ports.

Kudos to the OP for scanning his own box

Kindest regards,

.
 
Old 11-07-2013, 04:36 PM   #14
cnd
LQ Newbie
 
Registered: May 2005
Posts: 10

Rep: Reputation: 0
IPMI/RMCP login by Administrator

Hi All,

It is critical you close this port. Multiple exploits allowing anyone access are now circulating in the wild.

Log in to your iLO interface, go to your Administration Tab, find the "Access Settings" menu, un-check the box alongside "Enable IPMI/DCMI over LAN on Port 623" and click "Apply".

Here is the short story: "IPMI: Express Train to Hell, v2.0" http://fish2.com/ipmi/itrain-gz.html

And here - the full details: http://fish2.com/ipmi/itrain.pdf
 
Old 07-10-2015, 08:42 AM   #15
fr2632
LQ Newbie
 
Registered: Jan 2013
Posts: 11

Rep: Reputation: Disabled
Quote:
Originally Posted by tallship
Well, an iLO for a laptop is a nice idea...

But to distribute machines to consumers with these ports open is grossly negligent, IMNSHO.

And to not even tell the consumer at all? Wow.

That's just wrong as windows raining down.

I'm all for IPMI implementations, but this is just completely irresponsible.

What makes it even worse, is that this thread is at the top of the google hits - meaning, there's a whole world of people running this model machine just waiting for a 0day whackattack, because no one knows they're potentially vulnerable.

Next we'll be hearing that these machines have a factory default set of credentials enabled on the listening ports.

Finally, it's definitely NOT kewl for a manufacturer to so prominently use low port numbers for such things - without first registering those ports.

Kudos to the OP for scanning his own box

Kindest regards,

.

Even if the OP scanned his own conf, would you explain to me how somebody can break in without knowing his WAN IP? It's like I give you my house keys but you have to figure out in which part of the world I live, and that would be impossible.
 
  

