Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
06-17-2007, 10:23 AM
|
#1
|
Member
Registered: Oct 2006
Location: As far away from my username as possible
Distribution: Gentoo
Posts: 259
|
um... should this be like this? (Open ports.)
I was just reading through
http://www.grc.com/dos/grcdos.htm
And reached the section 'A Quick & Easy Check for IRC Zombie/Bots', and decided to try it for myself.
(On my *nix box.)
the page says:
Quote:
Consequently, an active connection to an IRC server can be detected with the following command:
netstat -an | find ":6667"
Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
Code:
TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:
netstat -an | find ":113 "
As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:
Code:
TCP 0.0.0.0:113 0.0.0.0:0 LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
|
So I checked for an open port 6667, with netstat -an | grep ':6667'. No, phew.
Then I checked for open 113, with netstat -an | grep ':113'.
Quote:
Code:
james@Helix-Debian:~$ netstat -an | grep ':113'
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
|
Should I be worried about this, and if so, how do I close port 113?
Last edited by hacker supreme; 06-17-2007 at 10:25 AM.
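A stricter form of the two checks from the post above, as an added example that is not part of the original thread: it compares the port field exactly and looks at the socket state, so a listener on port 1130 or a local port 6667 is not mistaken for Ident or an outbound IRC session. It assumes the Linux net-tools `netstat -an` column layout; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Reads `netstat -an` style lines on stdin
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State).
check_irc_ident() {
    awk '
    # Port is the text after the last colon (handles 0.0.0.0:113 and :::113).
    function port(addr,   n, parts) {
        n = split(addr, parts, ":")
        return parts[n]
    }
    $1 ~ /^tcp/ {
        lport = port($4); rport = port($5); state = $6
        # Outbound IRC session: remote port exactly 6667, socket connected.
        if (state == "ESTABLISHED" && rport == "6667")
            print "IRC_CONN " $4 " -> " $5
        # Ident service: local port exactly 113, socket listening.
        if (state == "LISTEN" && lport == "113")
            print "IDENT_LISTEN " $4
    }'
}

# Constructed sample input, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1130            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.101:6667      192.168.1.50:40112      ESTABLISHED
tcp        0      0 192.168.1.101:1026      70.13.215.89:6667       ESTABLISHED
tcp6       0      0 :::113                  :::*                    LISTEN
udp        0      0 0.0.0.0:113             0.0.0.0:*
EOF
}

# Number of lines a plain substring grep for ":113" reports on the same input
# (it also counts the :1130 listener and the UDP socket).
naive_113_count() { sample_netstat | grep -c ':113'; }

sample_netstat | check_irc_ident
```

On a live host, run `netstat -an | check_irc_ident`; `sudo netstat -tlnp` additionally prints the PID and program name that owns each listening socket, including the one on port 113.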
|
|
|
06-17-2007, 11:10 AM
|
#2
|
Member
Registered: Sep 2005
Location: US
Distribution: Gentoo AMD64 Testing
Posts: 129
|
Ident is not necessarily all that bad a port to have open, as long as the identd version that is running is relatively up to date. There is a good chance that you can stop identd by running a simple command such as:
Code:
sudo /etc/init.d/identd stop
In order to prevent it from starting, the symbolic link to that script (most likely in /etc/rc3.d/) will need to have the uppercase S at the start of the file name changed to a lowercase s... and the system will no longer start the ident daemon.
Note that the above instructions are just my best guess... I have not used ident, nor do I use Debian (Gentoo has a different init structure).
Again, unless you suspect that it is doing something bad, there is no real reason that ident needs to be stopped. Most of the time ident is used by IRC servers that you attempt to connect to in order to prevent IP spoofing.
|
|
|
06-17-2007, 12:19 PM
|
#3
|
Member
Registered: Oct 2006
Location: As far away from my username as possible
Distribution: Gentoo
Posts: 259
Original Poster
|
Right, that's OK then.
I was just a little worried is all.
</paranoia>
All I've got to do now is port scan that Windows box...
|
|
|
All times are GMT -5.