Linux - Security
#1, 11-13-2006, 06:15 PM
LQ Newbie (Registered: May 2005; Location: Seattle; Distribution: Fedora Core 6; Posts: 26)
Unknown ports on my FC5
I've connected to the internet in a new manner and lost the firewall that I was running through. I'm using Clearwire. Since I am hooked up through DHCP as I boot, I felt vulnerable and did some snooping using netstat and a ports program. The output from ports is below. I've been trying all day to get a clue what is happening here without success. Any ideas?
TCP
Lcl port Rmt port Status Rmt IP Rmt host
*50000=? 0=zero 0A=LISTEN 0.0.0.0 local
*** High numbered port listening
*50002=? 0=zero 0A=LISTEN 0.0.0.0 local
*** High numbered port listening
*53895=? 50000=? 01=ESTABLISD 127.0.0.1 pacificmountains.home
*** High numbered ports communing
*50000=? 53895=? 01=ESTABLISD 127.0.0.1 pacificmountains.home
*** High numbered ports communing
72.14.255.147: Unknown host
57170=? 80=http 01=ESTABLISD 72.14.255.147 IP?
72.14.255.147: Unknown host
57169=? 80=http 01=ESTABLISD 72.14.255.147 IP?
UDP
Lcl port Rmt port Status Rmt IP Rmt host
68=bootpc 0=zero 07=CLOSE 0.0.0.0 local
4 alerts: possible security breach

#2, 11-13-2006, 06:38 PM
Senior Member (Registered: Mar 2003; Distribution: Fedora; Posts: 3,658)
Could you post the output of 'netstat -pantu' run as root? The unknown host is an IP registered to Google.

#3, 11-13-2006, 06:50 PM
LQ Newbie, Original Poster (Registered: May 2005; Location: Seattle; Distribution: Fedora Core 6; Posts: 26)
This is what I get with netstat -pantu:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN 1781/hpiod
tcp 0 0 127.0.0.1:50002 0.0.0.0:* LISTEN 1786/python
tcp 0 0 127.0.0.1:53895 127.0.0.1:50000 ESTABLISHED 1786/python
tcp 0 0 127.0.0.1:50000 127.0.0.1:53895 ESTABLISHED 1781/hpiod
tcp 0 0 74.60.15.102:42289 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
tcp 0 0 74.60.15.102:42287 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
udp 0 0 0.0.0.0:68 0.0.0.0:* 1568/dhclient

#4, 11-13-2006, 06:55 PM
LQ Newbie, Original Poster (Registered: May 2005; Location: Seattle; Distribution: Fedora Core 6; Posts: 26)
After reviewing the netstat -pantu command, I shut off the hpiod service. Then I ran the ports program again and got 3 fewer alerts:
TCP
Lcl port Rmt port Status Rmt IP Rmt host
*50000=? 53895=? 06=TIME_WAIT 127.0.0.1 pacificmountains.home
*** High numbered ports communing
57692=? 80=http 01=ESTABLISD 212.150.236.70 212-150-236-70.barak.net.il
72.14.253.99: Unknown host
42289=? 80=http 01=ESTABLISD 72.14.253.99 IP?
72.14.253.99: Unknown host
42287=? 80=http 01=ESTABLISD 72.14.253.99 IP?
UDP
Lcl port Rmt port Status Rmt IP Rmt host
68=bootpc 0=zero 07=CLOSE 0.0.0.0 local
1 alerts: possible security breach

#5, 11-13-2006, 07:28 PM
Senior Member (Registered: Mar 2003; Distribution: Fedora; Posts: 3,658)
If you look at the python and hpiod connections, they are all local connections (over the loopback adapter), so they are not remote connections to some malicious host on the internet. I'm not familiar with it, but it looks like hpiod is a resident daemon for the HP Linux Imaging and Printing (HPLIP) service. Does shutting off the printing service do anything? Do you have an open window in X for configuring the printer/scanner service?
Just saw your reply. The connection looks like it's just sitting in TIME_WAIT, so give it a minute or two and see if the connection closes.
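
Added example, not part of the original thread: a small Python triage of `netstat -pantu` output that applies the distinction made in post #5, separating sockets confined to the loopback adapter from those bound to all interfaces or connected to a remote host. The input is the output posted in #3; the function names and verdict strings are this example's own.

```python
import ipaddress

# Sample input: the `netstat -pantu` output from post #3 of this thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:50000 0.0.0.0:* LISTEN 1781/hpiod
tcp 0 0 127.0.0.1:50002 0.0.0.0:* LISTEN 1786/python
tcp 0 0 127.0.0.1:53895 127.0.0.1:50000 ESTABLISHED 1786/python
tcp 0 0 127.0.0.1:50000 127.0.0.1:53895 ESTABLISHED 1781/hpiod
tcp 0 0 74.60.15.102:42289 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
tcp 0 0 74.60.15.102:42287 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
udp 0 0 0.0.0.0:68 0.0.0.0:* 1568/dhclient
"""

def host_kind(endpoint):
    """Classify the host part of 'host:port' as loopback, any, or other."""
    host = endpoint.rpartition(":")[0]  # last colon, so ':::22' also splits correctly
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "other"
    return "loopback" if ip.is_loopback else "any" if ip.is_unspecified else "other"

def classify(netstat_text):
    """Return (proto, local, foreign, program, verdict) for each socket line."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # column header or a truncated line
        proto, local, foreign = f[0], f[3], f[4]
        has_state = len(f) > 5 and "/" not in f[5] and f[5] != "-"  # empty for idle UDP
        program = " ".join(f[6:] if has_state else f[5:]) or "-"
        if foreign.endswith(":*"):  # no peer: a listener or unconnected UDP socket
            kinds = {"loopback": "listening on loopback only", "any": "listening on all interfaces"}
            verdict = kinds.get(host_kind(local), "listening on one address")
        elif host_kind(local) == host_kind(foreign) == "loopback":
            verdict = "loopback connection"
        else:
            verdict = "connection to remote host"
        rows.append((proto, local, foreign, program, verdict))
    return rows

def exposed(rows):  # sockets other machines can reach when no firewall is in the way
    return [r for r in rows if r[4] in ("listening on all interfaces", "listening on one address")]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print("%-5s %-19s %-17s %-17s %s" % row)
```

On the thread's data, the only socket not confined to loopback or tied to an outbound browser connection is dhclient on UDP port 68, the DHCP client.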

#6, 11-13-2006, 07:42 PM
LQ Newbie, Original Poster (Registered: May 2005; Location: Seattle; Distribution: Fedora Core 6; Posts: 26)
Latest netstat results (without hpiod service running):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 74.60.15.102:36915 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
tcp 0 0 74.60.15.102:36913 72.14.253.99:80 ESTABLISHED 2341/firefox-bin
udp 0 0 0.0.0.0:68
I see a whois on the foreign IP does turn up Google, and I assume that it is running in the Firefox browser to speed up searches. Latest ports results are:
TCP
Lcl port Rmt port Status Rmt IP Rmt host
72.14.253.99: Unknown host
36919=? 80=http 01=ESTABLISD 72.14.253.99 IP?
72.14.253.99: Unknown host
36915=? 80=http 06=TIME_WAIT 72.14.253.99 IP?
72.14.253.99: Unknown host
36913=? 80=http 06=TIME_WAIT 72.14.253.99 IP?
UDP
Lcl port Rmt port Status Rmt IP Rmt host
68=bootpc 0=zero 07=CLOSE 0.0.0.0 local

#7, 11-13-2006, 07:53 PM
LQ Newbie, Original Poster (Registered: May 2005; Location: Seattle; Distribution: Fedora Core 6; Posts: 26)
Thanks for the help, signing off and will check tomorrow to see if there is any further interest.

All times are GMT -5.