04-15-2004, 09:39 AM
#1
Member
Registered: Jan 2003
Distribution: gentoo (2.6.5-gentoo)
Posts: 73
Rep:
strange service running ... open port
Hi,
I remember some weeks ago I closed all my ports on my system by disabling
any service, and when I use "nmap localhost" it shows me all ports closed.
But when I run it now, it shows :
PORT STATE SERVICE
754/tcp open krb_prop
That is pretty strange, because I can't remember setting up a service for this port.
I searched my /etc/rc.d directory for a service, and also inetd.conf, but
I just can't find the line where it starts this service.
My question: WTF?
I am running Slackware 9.1 kernel 2.6.0.
Hope you can help me, I don't like this!
04-15-2004, 10:14 AM
#2
Member
Registered: Oct 2003
Location: North Carolina, USA
Distribution: Slackware 11
Posts: 174
Rep:
Looks like kerberos service? I don't know for certain but maybe this gets you in the right direction for your investigation.
http://www.google.com/linux?hl=en&lr...9-1&q=krb_prop
04-15-2004, 10:22 AM
#3
Member
Registered: Jan 2003
Distribution: gentoo (2.6.5-gentoo)
Posts: 73
Original Poster
Rep:
I did that myself, but I just get results where a port list is shown and
that is just one of the thousands of ports.
But no idea where to disable it...
04-15-2004, 10:30 AM
#4
Member
Registered: Oct 2002
Location: USA, IL
Distribution: Debian/Gentoo/Slack
Posts: 215
Rep:
http://gd.tuwien.ac.at/opsys/linux/l.../network/#lsof
Take a look at netstat and lsof to determine which program is running it, then look into that program using man or Google. Then let us know what you find.
04-15-2004, 11:09 AM
#5
Member
Registered: Jan 2003
Distribution: gentoo (2.6.5-gentoo)
Posts: 73
Original Poster
Rep:
When I use lsof -i 4 (for showing all ipv4 things) it shows
>> lsof -i 4
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
inetd 578 root 4u IPv4 1677 TCP *:krb_prop (LISTEN)
inetd 578 root 5u IPv4 1686 UDP *:756
inetd 578 root 7u IPv4 1691 UDP *:nlogin
That's all I get.
When I run lsof | grep {kerb;krb;prop;...} I get either
nothing or just the first line of the 3 above...
netstat just doesn't show anything about this port or service.
The thing is, I _DON'T_ have kerberos installed on my machine.
removepackage [tab] (and then anything with k leads to kernel)
and a
locate kerb or locate krb leads to nothing as well.
(just some nessus plugins)
I don't get this... argh...
04-15-2004, 11:11 AM
#6
Member
Registered: Apr 2003
Location: uk
Distribution: slackware current
Posts: 768
Rep:
Like ferreter said, but if you do lsof -i, you get a list of programs with their respective ports and it is easier to read.
04-15-2004, 11:16 AM
#7
Member
Registered: Oct 2002
Location: USA, IL
Distribution: Debian/Gentoo/Slack
Posts: 215
Rep:
Quote:
Originally posted by shadow.blue
When I use lsof -i 4 (for showing all ipv4 things) it shows
>> lsof -i 4
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
inetd 578 root 4u IPv4 1677 TCP *:krb_prop (LISTEN)
inetd 578 root 5u IPv4 1686 UDP *:756
inetd 578 root 7u IPv4 1691 UDP *:nlogin
That's all I get.
When I run lsof | grep {kerb;krb;prop;...} I get either
nothing or just the first line of the 3 above...
netstat just doesn't show anything about this port or service.
The thing is, I _DON'T_ have kerberos installed on my machine.
removepackage [tab] (and then anything with k leads to kernel)
and a
locate kerb or locate krb leads to nothing as well.
(just some nessus plugins)
I don't get this... argh...
Have you tried "locate krb_prop" yet?
And are you using Nessus? If so, it may have a kerberos-like plugin for its client/server authentication.
04-15-2004, 11:17 AM
#8
Member
Registered: Oct 2002
Location: USA, IL
Distribution: Debian/Gentoo/Slack
Posts: 215
Rep:
Oh, if you are really worried about this, download and install chkrootkit and run it to look for any rootkits on your box.
04-15-2004, 11:44 AM
#9
Member
Registered: Jan 2003
Distribution: gentoo (2.6.5-gentoo)
Posts: 73
Original Poster
Rep:
I did a locate krb_prop, nothing.
I haven't used nessus since last month... and rebooted some times in between, so this daemon
is definitely not running...
(besides, as I see it, this service is run out of inetd, see below)
lsof -i shows:
>> lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
inetd 578 root 4u IPv4 1677 TCP *:krb_prop (LISTEN)
inetd 578 root 5u IPv4 1686 UDP *:756
inetd 578 root 7u IPv4 1691 UDP *:nlogin
MozillaFi 1226 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1229 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1230 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1231 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 1233 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
MozillaFi 2360 shadow 38u IPv4 11520 TCP planetshadow.planetshadow:35705->216.239.59.99:http (ESTABLISHED)
And, as you suggested, I downloaded and ran chkrootkit, nothing found.
04-16-2004, 11:46 AM
#10
Member
Registered: Jan 2003
Distribution: gentoo (2.6.5-gentoo)
Posts: 73
Original Poster
Rep:
anyone? ...
04-16-2004, 12:27 PM
#11
Member
Registered: Apr 2003
Location: uk
Distribution: slackware current
Posts: 768
Rep:
Would it be worth looking in /etc/inetd.conf to see if kerberos support is enabled in there?
04-16-2004, 01:02 PM
#12
LQ Veteran
Registered: Mar 2003
Location: Boise, ID
Distribution: Mint
Posts: 6,642
Rep:
This sounds more like a security question than a Slack question. You may want to consider asking the moderator to move it to the Security forum. -- J.W.
04-16-2004, 05:42 PM
#13
Member
Registered: Jan 2003
Distribution: gentoo (2.6.5-gentoo)
Posts: 73
Original Poster
Rep:
I solved it... strange.
I found this line which was included somewhere in inetd.conf:
sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam
I can't remember installing that, though.
I went through inetd.conf earlier, but didn't see this one....
Thanks to all that helped!
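Added example (not part of the original thread): a small shell helper that lists only the entries inetd will act on in an inetd.conf and marks the rpc/ ones, such as the sgi_fam line found above, whose listening port carries no hint of the service name. The function names and the sample file are constructed for illustration; only the sgi_fam line comes from the thread.

```shell
#!/bin/sh
# inetd_active_entries FILE
# Prints one line per active (uncommented, complete) entry:
#   <kind> <service> <proto> <user> <program>
# kind is "rpc" when the protocol field starts with "rpc/". For those entries
# inetd gets a port assigned at start-up and registers it with the portmapper,
# so nmap/lsof label the port with whatever name /etc/services has for that
# number (krb_prop for 754), not with the service that really owns it.
inetd_active_entries() {
    awk '
        /^[ \t]*#/ { next }      # commented-out entry
        NF < 6     { next }      # blank or incomplete line
        {
            kind = ($3 ~ /^rpc\//) ? "rpc" : "static"
            print kind, $1, $3, $5, $6
        }
    ' "$1"
}

# rpc_entries FILE
# Only the entries whose port cannot be predicted from /etc/services:
#   <service> <program>
rpc_entries() {
    inetd_active_entries "$1" | awk '$1 == "rpc" { print $2, $5 }'
}

# Constructed sample inetd.conf; only the sgi_fam line is taken from the thread.
sample_conf() {
    cat <<'EOF'
# ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

time    stream  tcp     nowait  root    internal
sgi_fam/1-2 stream rpc/tcp wait root /usr/local/bin/fam fam
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
inetd_active_entries "$tmp"
rm -f "$tmp"
```

On a live system, point the functions at /etc/inetd.conf and compare the rpc entries with the output of `rpcinfo -p`, which shows the port each registered RPC program actually received.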