Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
12-29-2005, 08:40 AM
|
#1
|
Member
Registered: Dec 2002
Location: Mumbai, India
Distribution: Fedora 2, Damn small linux
Posts: 30
Rep:
|
checkit.com shows 12345 closed (unsecure). Please help to secure it.
Greetings folks,
My network setup - SBC Yahoo DSL modem -> Netgear MR814 router. One Fedora Core 2 and a WinXP connected to the router. The router has no port forwarding at all. Now if I visit http://scan.checkit.com/trojan.aspx from either the Linux or XP machine, checkit reports (for both) my port 12345 Closed, which means my router is not listening but rejecting requests. Rejecting a request alerts hackers to the existence of a computer at the IP addr. Now if I connect my Linux machine to the modem directly, all my ports are reported 'Blocked', which leads me to believe my Linux machine firewall as expected blocks the port 12345 and it is my router that has something wrong. I logged into the router to confirm there is no port forwarding; if so, what exactly is happening here? Is the 'checkit' report correct or do they just want me to buy their software firewall?
Also please suggest how I can secure the 12345 port.
Thank you,
regards
Prasad
Last edited by khurdp; 12-29-2005 at 08:42 AM.
|
|
|
12-30-2005, 04:10 AM
|
#2
|
Moderator
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
|
Interesting. It is showing me as being closed and blocked and insecure. *Gasp* Does this mean that the firewall I have running on my machine isn't working? Go to GRC's Shields Up page and recheck it. That shows me as running entirely in "stealth" mode - which is good.
|
|
|
12-30-2005, 08:38 AM
|
#3
|
Member
Registered: Dec 2002
Location: Mumbai, India
Distribution: Fedora 2, Damn small linux
Posts: 30
Original Poster
Rep:
|
XavierP,
Check other sites that scan any port you specify to scan port 12345. GRC doesn't scan the 12345 port. Do you have the same or similar network setup as mine?
regards,
Prasad
|
|
|
12-30-2005, 10:50 AM
|
#4
|
Moderator
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
|
Quote:
ScheduleAgent, Trinity, WinSatan 6667 Closed
Exploit Translation Server, Kazimas, Remote Grab, SubSeven 2.1 Gold 7000 Closed
2000 Cracks, BackDoor-G, SubSeven ,VP Killer 6776 Closed
Trinoo 27665 Closed
NetBus 2.0 Pro, NetRex, Whack Job 20034 Closed
Remote Administration Tool - RAT 1095 Closed
Xtcp 5550 Closed
/sbin/initd 1049 Closed
WM Remote KeyLogger 5025 Closed
Portmap Remote Root Linux Exploit 5760 Closed
Trinity 33270 Closed
Back Fire, Back Orifice (Lm), Back Orifice russian, Baron Night, Beeone, BO client, BO Facil, BO spy, BO2, cron / crontab, Freak88, icmp_pipe.c, Sockdmini 31337 Closed
Remote Administration Tool - RAT 1097 Closed
Fat B@tch trojan, GabanBus, NetBus , X-bill 12346 Closed
Mstream 7983 Closed
Trinoo 1524 Closed
Grlogin 513 Closed
Millenium Worm 1338 Closed
RPC Backdoor 514 Closed
Mstream 6723 Closed
BLA trojan 1042 Closed
Mstream 12754 Closed
Mstream 15104 Closed
Solo 5010 Blocked
cron / crontab, Fat B@tch trojan, GabanBus, icmp_pipe.c, Mypic, NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill 12345 Blocked
Remote Administration Tool - RAT 1098 Blocked
Blood Fest Evolution, Remote Administration Tool - RAT 1099 Blocked
TCP Wrappers trojan 421 Blocked
Your system is not secure. We recommend purchasing and installing CheckIt Firewall on your system to close these open security holes.
|
That's from Checkit and they recommend I buy their product. And the product is for Windows only. Hmmmmm
Quote:
Port Authority Database
Port 12345
Name:
italk
Purpose:
Italk Chat System
Description:
Related Ports:
Background and Additional Information:
Trojan Sightings: Adore sshd, cron / crontab, Whack Job, ValvNet, Pie Bill Gates, NetBus worm, NetBus Toy, NetBus, Mypic, GabanBus, Fat Bitch trojan, Ashley, X-bill, Fade, icmp_pipe.c
|
This is what port 12345 is and
Quote:
Probing Your Port 12345
The GRC server is attempting to establish a TCP
connection to Port 12345 of your computer located
at Internet at IP address <my IP address>:
Total elapsed testing time: 5.021 seconds
Port | Status | Protocol and Application
12345 | Stealth | italk (Italk Chat System)
The result of the port probe is shown above.
|
shows the results of GRC's scan.
I'm not worried.
Last edited by XavierP; 12-30-2005 at 10:53 AM.
|
|
|
12-30-2005, 11:19 AM
|
#5
|
Member
Registered: Dec 2002
Location: Mumbai, India
Distribution: Fedora 2, Damn small linux
Posts: 30
Original Poster
Rep:
|
Your 12345 & some more are 'Blocked', which is good, but many of your other ports are 'Closed', which, if I were you, I would be worried about. My network scan only revealed 12345 Closed, all others Blocked. You might want to look at your firewall config to 'block' the Closed ports.
Last edited by khurdp; 12-30-2005 at 01:38 PM.
|
|
|
12-30-2005, 05:57 PM
|
#6
|
Moderator
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
|
And yet GRC shows them as "stealthed". Which is correct? The free tool or the one that wants to sell me something?
I would advise you to check your ports on a variety of these checkers - ones which have something to sell and ones with nothing to sell - and see what the results are.
And those trojans are all for Windows, so I am still not worried.
|
|
|
12-30-2005, 11:43 PM
|
#7
|
Senior Member
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672
Rep:
|
http://scan.checkit.com/trojan.aspx
"Your system appears to be secure. Make sure you run all the available scans on this site to thoroughly test your system."
Wow, I feel so much better
As XavierP has said, you get different results at different places, and some say some fairly unlikely things. I sit behind a smoothwall box, so I don't worry about too much in that area.
|
|
|
12-30-2005, 11:51 PM
|
#8
|
Senior Member
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672
Rep:
|
For example, I can try:
Ping Scan on: 203.220.xx.xx
Testing...
Testing...
Testing...
Testing...
Testing...
Testing...
Testing...
Testing...
Testing...
Testing...
Open
Your system is not secure. We recommend purchasing and installing CheckIt Firewall on your system to close this security hole.
But I am not worried. Sure, it means I am visible, but not necessarily vulnerable - and their firewall ain't going to help much.
BTW I didn't blot the IP as I worry about being cracked, rather because it's dynamic and some poor win user will have it in a few hours...
|
|
|
01-01-2006, 03:32 PM
|
#9
|
Member
Registered: Dec 2002
Location: Mumbai, India
Distribution: Fedora 2, Damn small linux
Posts: 30
Original Poster
Rep:
|
Wish everybody a Happy New Year.
Thank you amosf for your postings.
Well, worrying is secondary; what I don't understand is, when my MR814 is not port forwarding, why is ONLY the 12345 port 'Closed' and all others 'Blocked'?
Thank you,
Prasad
|
|
|
01-01-2006, 04:29 PM
|
#10
|
Senior Member
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672
Rep:
|
The 12345 port must be something to do with the router hardware/firmware... Have you run a scan from grc.com and seen what it says? You can get it to scan that 12345 port in particular and see what the results are as a comparison.
|
|
|
01-03-2006, 08:28 AM
|
#11
|
Member
Registered: Dec 2002
Location: Mumbai, India
Distribution: Fedora 2, Damn small linux
Posts: 30
Original Poster
Rep:
|
Well, I installed the latest firmware and copied (manually) over the settings. I had backed up the settings and could have read them in but I reentered them so as to eliminate any chances of repeating an erroneous setting.
Now checkit.com, grc and others all show the 12345 port 'Blocked'.
Thank you folks for your replies and suggestions.
regards,
Prasad
Last edited by khurdp; 01-03-2006 at 11:47 AM.
|
|
|
01-03-2006, 08:38 AM
|
#12
|
Senior Member
Registered: Jun 2004
Location: Australia
Distribution: Mandriva/Slack - KDE
Posts: 1,672
Rep:
|
Odd little router bug I guess. Getting a few scans is a good idea as some are bogus. Sygate sos claims my port 80 is not stealthed, which is rubbish. grc et al. say different...
|
|
|
All times are GMT -5. The time now is 11:26 AM.