Hi,

I remember some weeks ago I closed all my ports on my system by disabling
any service, and when I use "nmap localhost" it shows me all ports closed.

But when I run it now, it shows :

PORT STATE SERVICE
754/tcp open krb_prop

That is pretty strange, cause I cant remember setting a service up for this port.

I searched my /etc/rc.d directory for a service, also inetd.conf but
I just cant find the line where it start this service.

My question: WTF?

I am running Slackware 9.1 kernel 2.6.0.

Hope you can help me, I dont like this!

Looks like kerberos service? I don't know for certain but maybe this get's you in the right direction for your investigation.

http://www.google.com/linux?hl=en&lr...9-1&q=krb_prop

I did that myself, but I just get results where a port list is shown and
that is just one of the thousands ports.

But no idea where to disable it...

http://gd.tuwien.ac.at/opsys/linux/l.../network/#lsof

take a look over netstat and lsof to determine which program is running it then look into that program using man or google. Then let us know what you find

When I use lsof -i 4 (for showing all ipv4 things) it shows
>> lsof -i 4
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
inetd 578 root 4u IPv4 1677 TCP *:krb_prop (LISTEN)
inetd 578 root 5u IPv4 1686 UDP *:756
inetd 578 root 7u IPv4 1691 UDP *:nlogin

Thats all I get.

When i run lsof | grep {kerb;krb;prop;...} I get either
nothing or just the first line of the 3 above...

netstat just doesn`t show anything about this port or service.


The thing is, I _DONT_ have kerberos installed on my machine.

removepackage [tab] (and then anything with k leads to kernel)
and a
locate kerb or locate krb leads to nothing as well.
(just some nessus plugins)


I don`t get this... argh...

like ferreter said, but if you do lsof -i, you get a list of programs with their respective ports and it is easier to read

Have you tried "locate krb_prop" yet?

And are you using Nessus? If so, it may have a kerberos-like plugin for its client/server authentication.

Oh, if you are really worried about this download and install chkrootkit and run it to look for any rootkits on your box.

I did a locate krb_prop, nothing.
I didn`t use nessus since last month... and rebootet some times inbetween, so this deamon
is definately not running...
(besides, as I see it, this service is run out of inetd, see below)

lsof -i shows:

>> lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
inetd 578 root 4u IPv4 1677 TCP *:krb_prop (LISTEN)
inetd 578 root 5u IPv4 1686 UDP *:756
inetd 578 root 7u IPv4 1691 UDP *:nlogin
MozillaFi 1226 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1229 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1230 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1231 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1233 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 2360 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)


And, as you suggested, I downloaded and ran chkrootkit, nothing found.

anyone? ...

Would it be worth looking in /etc/inetd.conf to see if kerberos support is enabled in there?

This sounds more like a security question than a Slack question. You may want to consider asking the moderator to move it to the Security forum. -- J.W.

I solved it... strange.

I found this line which was included somewhere in inetd.conf:
sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam

I can`t remember to install that, though.

I went through inetd.conf earlier, but didn`T see this one....

Thanks to all that helped!