LinuxQuestions.org


Nikosis 04-03-2007 03:37 AM

open port 623
 
Hi
I found a strange port, 623, open. Does anyone know what it is and how I can close it?

Thx

Datamike 04-03-2007 04:34 AM

Here's a web site I found with some information on the port: http://www.auditmypc.com/port/udp-port-623.asp

As for closing it, have you checked your firewall and how it is configured? Don't know about Linux, but once upon a time in Windows, a fairly annoying little program kept a port open in my firewall. I'm not sure if that's possible in Linux. Depends a lot on your firewall.

billymayday 04-03-2007 05:46 AM

From a terminal, type netstat -pantu

This should tell you what is listening on port 623. Ports are only "open" if something is listening on them.

Nikosis 04-03-2007 11:15 PM

Hi
The strange thing is that there is no open port 623 when I check from inside; there is when I check from outside.
netstat -lnp doesn't show anything at that port:
Code:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name 
tcp        0      0 0.0.0.0:37              0.0.0.0:*              LISTEN    2759/inetd         
tcp        0      0 0.0.0.0:80              0.0.0.0:*              LISTEN    2875/httpd         
tcp        0      0 0.0.0.0:113            0.0.0.0:*              LISTEN    2759/inetd         
tcp        0      0 192.168.1.1:53          0.0.0.0:*              LISTEN    2772/named         
tcp        0      0 333.333.333.333:53      0.0.0.0:*              LISTEN    2772/named         
tcp        0      0 127.0.0.1:53            0.0.0.0:*              LISTEN    2772/named         
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN    2772/named         
tcp6      0      0 ::1:953                :::*                    LISTEN    2772/named         
udp        0      0 0.0.0.0:512            0.0.0.0:*                          2759/inetd         
udp        0      0 0.0.0.0:32769          0.0.0.0:*                          2772/named         
udp        0      0 0.0.0.0:37              0.0.0.0:*                          2759/inetd         
udp        0      0 192.168.1.1:53          0.0.0.0:*                          2772/named         
udp        0      0 333.333.333.333:53      0.0.0.0:*                          2772/named         
udp        0      0 127.0.0.1:53            0.0.0.0:*                          2772/named         
udp6      0      0 :::32770                :::*                              2772/named         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags      Type      State        I-Node PID/Program name    Path
unix  2      [ ACC ]    STREAM    LISTENING    7388    2826/acpid          /var/run/acpid.socket
unix  2      [ ACC ]    STREAM    LISTENING    7468    2877/gpm            /dev/gpmctl
unix  2      [ ACC ]    STREAM    LISTENING    7455    2865/mysqld        /var/run/mysql/mysql.sock

Code:

PORT    STATE    SERVICE
37/tcp  open    time
53/tcp  open    domain
80/tcp  open    http
113/tcp open    auth
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
623/tcp filtered unknown

So, where is it?
Thx

billymayday 04-04-2007 05:15 AM

Perhaps it just isn't blocked by your firewall. Have you tried closing it (I don't know slackware)?

Road_map 04-04-2007 11:48 AM

Try
Code:

netstat -teanlp

Nikosis 04-04-2007 04:06 PM

Hi
Thanks for the reply.
Port 623 isn't open on the firewall, if that's what you meant.

netstat -teanlp gives the same result as -lnp or -pantu.
thx

Road_map 04-05-2007 09:03 AM

Code:

/etc/rc.d/./rc.rpc stop
chmod 0644 /etc/rc.d/rc.rpc


Nikosis 04-06-2007 04:44 AM

Thanks for the reply.
Well, the port is not really open, it is filtered, so it is on the firewall; not sure what might cause it though. Any suggestion is welcome.

FreakWent 08-21-2011 10:30 PM

Bump
 
This thread is Google's top hit for port 623, so I'm adding useful information.

It's used by Intel's vPro/AMT/MEBx suite of technology, wherein a KVM is integrated with the motherboard, allowing remote access to the system regardless of the state of the OS -- or even if there's none.

That's why you don't see it in the netstat output: the OS isn't listening, the hardware is.

I dunno if the OS firewall will stop it, I haven't tested yet. I don't even know which behaviour I prefer, if the OS can control it or if the hardware wins.

It's intended for central management by corporate helpdesks and so on, and I'm looking for decent free or open source software to use with it.
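
The cross-check this thread arrives at (a port reported from outside that no OS process owns), as an added example that is not part of any post here: it parses `netstat -lnp` and port-scan listings like the two Nikosis posted and reports the scan entries with no local listener. The sample input is constructed, abridged from those listings, and the management-port table beyond 623 is an assumption of this example.

```python
import re

# Ports usually answered by out-of-band management hardware, not the OS.
# 623 is this thread's port; the other entries are this example's assumption.
OOB_PORTS = {623: "ASF-RMCP / IPMI over LAN", 664: "ASF secure RMCP",
             16992: "Intel AMT HTTP", 16993: "Intel AMT HTTPS"}

# Constructed sample input, abridged from the two listings posted earlier.
NETSTAT = """\
tcp   0  0 0.0.0.0:37        0.0.0.0:*  LISTEN  2759/inetd
tcp   0  0 0.0.0.0:80        0.0.0.0:*  LISTEN  2875/httpd
tcp   0  0 0.0.0.0:113       0.0.0.0:*  LISTEN  2759/inetd
tcp   0  0 192.168.1.1:53    0.0.0.0:*  LISTEN  2772/named
tcp6  0  0 ::1:953           :::*       LISTEN  2772/named
udp   0  0 0.0.0.0:37        0.0.0.0:*          2759/inetd
"""
SCAN = """\
37/tcp  open     time
53/tcp  open     domain
80/tcp  open     http
113/tcp open     auth
135/tcp filtered msrpc
623/tcp filtered unknown
"""

def local_listeners(netstat_text):
    """Return {(proto, port): program} for every socket in `netstat -lnp` output."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue                          # headers and UNIX-socket rows
        proto = f[0].rstrip("6")              # treat tcp6/udp6 as tcp/udp
        port = int(f[3].rsplit(":", 1)[1])    # rsplit copes with IPv6 "::1:953"
        found[(proto, port)] = f[-1].split("/", 1)[-1]
    return found

def unexplained(scan_text, listeners):
    """List scan entries that no local process accounts for."""
    out = []
    for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)", scan_text, re.M):
        port, proto, state = int(m[1]), m[2], m[3]
        if (proto, port) not in listeners:
            out.append((port, proto, state, OOB_PORTS.get(port, "no local listener")))
    return out

if __name__ == "__main__":
    for row in unexplained(SCAN, local_listeners(NETSTAT)):
        print("%d/%s %-8s %s" % row)
```

A "filtered" entry only means the scanner got no answer, so a row in this report can also come from a filter upstream of the host; it marks the port as something to check in the firmware or BMC settings, not as proof that hardware is listening.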

mRgOBLIN 08-22-2011 07:48 AM

I'd expect it can be disabled in the BIOS then.

alt229 03-05-2012 08:58 PM

Lights out management port
 
Hey guys,
FreakWent is right. This port is opened by the NIC itself as part of lights out management. While it's not really a problem to leave this port open, if there is some kind of security issue in your vendor's particular implementation of LOM then an attacker would have access to reboot your system, among other low-level commands.

If you wanted to disable this you'd most likely have to reboot and, after the BIOS screen, look for your NIC to announce how to configure it. It may say something like PXE boot, but there should be some kind of keyboard combo that'll get you directly into the NIC's settings. From there you can usually disable LOM.

Alternatively, you can put LOM on another subnet so that you don't even see it on a portscan of your main IP.

HTH

tallship 03-06-2012 01:16 AM

Definitely NOT kewl!
 
Well, an iLO for a laptop is a nice idea...

But to distribute machines to consumers with these ports open is grossly negligent, IMNSHO.

And to not even tell the consumer at all? Wow.

That's just wrong as windows raining down.

I'm all for IPMI implementations, but this is just completely irresponsible.

What makes it even worse is that this thread is at the top of the Google hits - meaning, there's a whole world of people running this model machine just waiting for a 0day whackattack, because no one knows they're potentially vulnerable.

Next we'll be hearing that these machines have a factory default set of credentials enabled on the listening ports.

Finally, it's definitely NOT kewl for a manufacturer to so prominently use low port numbers for such things - without first registering those ports.

Kudos to the OP for scanning his own box :)

Kindest regards,

.

cnd 11-07-2013 04:36 PM

IPMI/RMCP login by Administrator
 
Hi All,

It is critical you close this port. Multiple exploits allowing anyone access are now circulating in the wild.

Log in to your iLO interface, go to your Administration Tab, find the "Access Settings" menu, un-check the box alongside "Enable IPMI/DCMI over LAN on Port 623", and click "Apply".

Here is the short story: "IPMI: Express Train to Hell, v2.0" http://fish2.com/ipmi/itrain-gz.html

And here - the full details: http://fish2.com/ipmi/itrain.pdf

