strange service running ... open port
Hi,
I remember some weeks ago I closed all my ports on my system by disabling any service, and when I use "nmap localhost" it shows me all ports closed. But when I run it now, it shows:

    PORT    STATE SERVICE
    754/tcp open  krb_prop

That is pretty strange, because I can't remember setting a service up for this port. I searched my /etc/rc.d directory for a service, also inetd.conf, but I just can't find the line where it starts this service. My question: WTF? I am running Slackware 9.1, kernel 2.6.0. Hope you can help me, I don't like this! |
Looks like kerberos service? I don't know for certain but maybe this gets you in the right direction for your investigation.
http://www.google.com/linux?hl=en&lr...9-1&q=krb_prop |
I did that myself, but I just get results where a port list is shown and
that is just one of the thousands of ports. But no idea where to disable it... |
http://gd.tuwien.ac.at/opsys/linux/l.../network/#lsof
Take a look over netstat and lsof to determine which program is running it, then look into that program using man or google. Then let us know what you find :) |
When I use lsof -i 4 (for showing all IPv4 things) it shows

    >> lsof -i 4
    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    inetd   578 root 4u IPv4   1677       TCP *:krb_prop (LISTEN)
    inetd   578 root 5u IPv4   1686       UDP *:756
    inetd   578 root 7u IPv4   1691       UDP *:nlogin

That's all I get. When I run lsof | grep {kerb;krb;prop;...} I get either nothing or just the first line of the 3 above... netstat just doesn't show anything about this port or service. The thing is, I _DON'T_ have kerberos installed on my machine. removepackage [tab] (and then anything with k leads to kernel) and a locate kerb or locate krb leads to nothing as well (just some nessus plugins). I don't get this... argh... |
like ferreter said, but if you do lsof -i, you get a list of programs with their respective ports and it is easier to read
|
And are you using Nessus? If so, it may have a kerberos-like plugin for its client/server authentication. |
Oh, if you are really worried about this download and install chkrootkit and run it to look for any rootkits on your box.
|
I did a locate krb_prop, nothing.
I didn't use nessus since last month... and rebooted some times in between, so this daemon is definitely not running... (besides, as I see it, this service is run out of inetd, see below) lsof -i shows:

    >> lsof -i
    COMMAND    PID USER   FD  TYPE DEVICE SIZE NODE NAME
    inetd      578 root   4u  IPv4   1677       TCP *:krb_prop (LISTEN)
    inetd      578 root   5u  IPv4   1686       UDP *:756
    inetd      578 root   7u  IPv4   1691       UDP *:nlogin
    MozillaFi 1226 shadow 38u IPv4  11520       TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
    MozillaFi 1229 shadow 38u IPv4  11520       TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
    MozillaFi 1230 shadow 38u IPv4  11520       TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
    MozillaFi 1231 shadow 38u IPv4  11520       TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
    MozillaFi 1233 shadow 38u IPv4  11520       TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
    MozillaFi 2360 shadow 38u IPv4  11520       TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)

And, as you suggested, I downloaded and ran chkrootkit, nothing found. |
anyone? ...
|
Would it be worth looking in /etc/inetd.conf to see if kerberos support is enabled in there?
|
This sounds more like a security question than a Slack question. You may want to consider asking the moderator to move it to the Security forum. -- J.W.
|
I solved it... strange.
I found this line, which was included somewhere in inetd.conf:

    sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam

I can't remember installing that, though. I went through inetd.conf earlier, but didn't see this one.... Thanks to all that helped! |
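
Added example, not part of the original thread: a small shell helper that lists the entries an inetd.conf really enables and flags RPC ones such as the sgi_fam line above. An rpc/tcp entry gets its port when inetd starts, so lsof and nmap label the socket with whatever name /etc/services gives that port number (here krb_prop for 754/tcp), and searching inetd.conf for that name finds nothing. The function names and the sample file are constructed for illustration; on a real box run `inetd_active /etc/inetd.conf`.

```shell
#!/bin/sh
# inetd.conf fields: service socktype protocol wait user program [args...]

# Print every enabled (uncommented) entry, tab-separated:
#   KIND  service  protocol  user  program
# KIND is RPC for rpc/tcp or rpc/udp entries (port chosen at start-up),
# STATIC for entries whose port is looked up by name in /etc/services.
inetd_active() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments, blanks, short lines
        {
            kind = ($3 ~ /^rpc\//) ? "RPC" : "STATIC"
            printf "%s\t%s\t%s\t%s\t%s\n", kind, $1, $3, $5, $6
        }
    ' "$@"
}

# Only the RPC entries: these are the ones whose listening port will show
# up under an unrelated service name in lsof/nmap output.
inetd_rpc() {
    inetd_active "$@" | awk -F '\t' '$1 == "RPC" { print $2, $5 }'
}

# Constructed sample input; only the sgi_fam line comes from the thread.
make_sample() {
    cat <<'EOF'
# ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd
# telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
time      dgram   udp     wait    root    internal
sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam
EOF
}

# Demo on the sample: reads stdin when no file is given.
make_sample | inetd_active
```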