LinuxQuestions.org
Old 11-13-2006, 06:15 PM   #1
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Rep: Reputation: 15
Unknown ports on my FC5


I've connected to the internet in a new manner and lost the firewall that I was running through. I'm using Clearwire. Since I am hooked up through dhcp as I boot, I felt vulnerable and did some snooping using netstat and a ports program. The output from ports is below. I've been trying all day to get a clue what is happening here without success. Any ideas?
TCP
Lcl port Rmt port Status Rmt IP Rmt host
*50000=? 0=zero 0A=LISTEN 0.0.0.0 local
*** High numbered port listening

*50002=? 0=zero 0A=LISTEN 0.0.0.0 local
*** High numbered port listening

*53895=? 50000=? 01=ESTABLISD 127.0.0.1 pacificmountains.home
*** High numbered ports communing

*50000=? 53895=? 01=ESTABLISD 127.0.0.1 pacificmountains.home
*** High numbered ports communing

72.14.255.147: Unknown host
57170=? 80=http 01=ESTABLISD 72.14.255.147 IP?
72.14.255.147: Unknown host
57169=? 80=http 01=ESTABLISD 72.14.255.147 IP?

UDP
Lcl port Rmt port Status Rmt IP Rmt host
68=bootpc 0=zero 07=CLOSE 0.0.0.0 local

4 alerts: possible security breach
 
Old 11-13-2006, 06:38 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Could you post the output of 'netstat -pantu' run as root? The unknown host is an IP registered to Google.
 
Old 11-13-2006, 06:50 PM   #3
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Original Poster
Rep: Reputation: 15
This is what I get with netstat -pantu:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN 1781/hpiod
tcp 0 0 127.0.0.1:50002 0.0.0.0:* LISTEN 1786/python
tcp 0 0 127.0.0.1:53895 127.0.0.1:50000 ESTABLISHED 1786/python
tcp 0 0 127.0.0.1:50000 127.0.0.1:53895 ESTABLISHED 1781/hpiod
tcp 0 0 74.60.15.102:42289 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
tcp 0 0 74.60.15.102:42287 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
udp 0 0 0.0.0.0:68 0.0.0.0:* 1568/dhclient
 
Old 11-13-2006, 06:55 PM   #4
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Original Poster
Rep: Reputation: 15
After reviewing the netstat -pantu command, I shut off the hpiod service. Then I ran the ports program again and get 3 fewer alerts:
TCP
Lcl port Rmt port Status Rmt IP Rmt host
*50000=? 53895=? 06=TIME_WAIT 127.0.0.1 pacificmountains.home
*** High numbered ports communing

57692=? 80=http 01=ESTABLISD 212.150.236.70 212-150-236-70.barak.net.il
72.14.253.99: Unknown host
42289=? 80=http 01=ESTABLISD 72.14.253.99 IP?
72.14.253.99: Unknown host
42287=? 80=http 01=ESTABLISD 72.14.253.99 IP?

UDP
Lcl port Rmt port Status Rmt IP Rmt host
68=bootpc 0=zero 07=CLOSE 0.0.0.0 local

1 alerts: possible security breach
 
Old 11-13-2006, 07:28 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
If you look at the python and hpiod connections, they are all local connections (over the loopback adapter), so they are not remote connections to some malicious host on the internet. I'm not familiar with it, but it looks like hpiod is a resident daemon for the HP Linux Imaging and Printing (HPLIP) service. Does shutting off the printing service do anything? Do you have an open window in X for configuring the printer/scanner service?

Just saw your reply. The connection looks like it's just sitting in TIME_WAIT, so give it a minute or two and see if the connection closes.
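
Added example, not part of the original thread: a small Python parser that applies the loopback-versus-remote reasoning from the post above to `netstat -pantu` output, labelling each socket by where it is bound and who it talks to. The sample rows are the ones posted in this thread; the function names and exposure labels are illustrative choices.

```python
import ipaddress

# Sample input: netstat -pantu lines as posted in this thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN 1781/hpiod
tcp 0 0 127.0.0.1:50002 0.0.0.0:* LISTEN 1786/python
tcp 0 0 127.0.0.1:53895 127.0.0.1:50000 ESTABLISHED 1786/python
tcp 0 0 127.0.0.1:50000 127.0.0.1:53895 ESTABLISHED 1781/hpiod
tcp 0 0 74.60.15.102:42289 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
udp 0 0 0.0.0.0:68 0.0.0.0:* 1568/dhclient
"""

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def classify(line):
    """Return a dict describing one socket row, or None for headers/noise."""
    parts = line.split()
    if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
        return None
    # Split on the last colon so IPv6 forms such as ':::22' parse correctly.
    lhost, _, lport = parts[3].rpartition(":")
    rhost, _, rport = parts[4].rpartition(":")
    rest = parts[5:]
    # UDP rows usually have an empty State column; states are upper-case words.
    state = rest[0] if rest and rest[0].isupper() and "/" not in rest[0] else ""
    owner = rest[-1] if rest and "/" in rest[-1] else "-"  # "-" when not run as root
    if rport == "*":  # no peer: a listening or unconnected socket
        exposure = "loopback-only" if is_loopback(lhost) else "network-exposed"
    elif is_loopback(lhost) and is_loopback(rhost):
        exposure = "local-ipc"
    else:
        exposure = "remote-connection"
    return {"proto": parts[0], "local": parts[3], "remote": parts[4],
            "state": state, "owner": owner, "exposure": exposure}

def audit(text):
    return [row for row in map(classify, text.splitlines()) if row]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f'{r["exposure"]:18} {r["proto"]:4} {r["local"]:22} {r["owner"]}')
```

Here "network-exposed" only means the socket is bound to a non-loopback address; whether it is actually reachable from outside still depends on the firewall in front of it.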
 
Old 11-13-2006, 07:42 PM   #6
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Original Poster
Rep: Reputation: 15
Latest netstat results (without hpiod service running):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 74.60.15.102:36915 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
tcp 0 0 74.60.15.102:36913 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
udp 0 0 0.0.0.0:68

I see a whois on the foreign IP does turn up Google and I assume that it is running in the firefox browser to speed up searches. Latest ports results are:
TCP
Lcl port Rmt port Status Rmt IP Rmt host
72.14.253.99: Unknown host
36919=? 80=http 01=ESTABLISD 72.14.253.99 IP?
72.14.253.99: Unknown host
36915=? 80=http 06=TIME_WAIT 72.14.253.99 IP?
72.14.253.99: Unknown host
36913=? 80=http 06=TIME_WAIT 72.14.253.99 IP?

UDP
Lcl port Rmt port Status Rmt IP Rmt host
68=bootpc 0=zero 07=CLOSE 0.0.0.0 local
 
Old 11-13-2006, 07:53 PM   #7
rdwinders
LQ Newbie
 
Registered: May 2005
Location: Seattle
Distribution: Fedora Core 6
Posts: 26

Original Poster
Rep: Reputation: 15
Thanks for the help, signing off and will check tomorrow to see if there is any further interest.
 
  

