LinuxQuestions.org
Old 06-17-2007, 10:23 AM   #1
hacker supreme
Member
 
Registered: Oct 2006
Location: As far away from my username as possible
Distribution: Gentoo
Posts: 259
Blog Entries: 1

Rep: Reputation: 31
um... should this be like this? (Open ports.)


I was just reading through
http://www.grc.com/dos/grcdos.htm

And reached the section 'A Quick & Easy Check for IRC Zombie/Bots', and decided to try it for myself.
(On my *nix box.)

The page says:
Quote:
Consequently, an active connection to an IRC server can be detected with the following command:

netstat -an | find ":6667"

Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:
Code:
TCP   192.168.1.101:1026   70.13.215.89:6667  ESTABLISHED
. . . then the only question remaining is how quickly you can disconnect your PC from the Internet!

A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:

netstat -an | find ":113 "

As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:

Code:
TCP     0.0.0.0:113     0.0.0.0:0     LISTENING
. . . then it's probably time to pull the plug on your cable-modem!
So I checked for an open port 6667, with netstat -an | grep ':6667'. No, phew.

Then I checked for open 113, with netstat -an | grep ':113'.
Quote:
Code:
james@Helix-Debian:~$ netstat -an | grep ':113'
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN

Should I be worried about this, and if so, how do I close port 113?

Last edited by hacker supreme; 06-17-2007 at 10:25 AM.
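
Added example (not part of the original post or the quoted GRC page): the quoted text stresses the space after `:113` because a bare substring match also hits ports such as 1130, and `grep ':6667'` cannot tell a remote IRC port from a local one. The sketch below classifies Linux `netstat -an` lines by column instead; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify `netstat -an` output (read on stdin) by column, not by substring.
#   ident-listener : TCP socket in LISTEN state whose LOCAL port is 113
#   irc-connection : ESTABLISHED TCP socket whose REMOTE port is 6667
check_ports() {
    awk '
    # Linux netstat -an columns: proto recv-q send-q local foreign state
    $1 ~ /^tcp/ {
        n = split($4, l, ":"); lport = l[n]   # last piece also handles :::113
        m = split($5, r, ":"); rport = r[m]
        if ($6 == "LISTEN" && lport == "113")
            print "ident-listener " $4
        if ($6 == "ESTABLISHED" && rport == "6667")
            print "irc-connection " $4 " -> " $5
    }'
}

# Constructed sample input (not captured from a real host).
# Line 2 would match grep ":113"; line 3 would match grep ":6667"
# although 6667 is the local port there, not the remote one.
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1130            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.101:6667      192.168.1.50:40112      ESTABLISHED
tcp        0      0 192.168.1.101:1026      203.0.113.89:6667       ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

sample_netstat | check_ports
```

On a live host the same function can be fed directly with `netstat -an | check_ports`.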
 
Old 06-17-2007, 11:10 AM   #2
chadl
Member
 
Registered: Sep 2005
Location: US
Distribution: Gentoo AMD64 Testing
Posts: 129

Rep: Reputation: 16
Ident is not necessarily all that bad a port to have open, as long as the identd version that is running is relatively up to date. There is a good chance that you can stop identd by running a simple command such as
Code:
sudo /etc/init.d/identd stop
In order to prevent it from starting, the symbolic link to that script (most likely in /etc/rc3.d/) will need to have the uppercase S at the start of the file name changed to a lowercase s... and the system will no longer start the ident daemon.
Note that the above instructions are just my best guess... I have not used ident, nor do I use Debian (Gentoo has a different init structure).

Again, unless you suspect that it is doing something bad, there is no real reason that ident needs to be stopped. Most of the time ident is used by IRC servers that you attempt to connect to in order to prevent IP spoofing.
 
Old 06-17-2007, 12:19 PM   #3
hacker supreme
Member
 
Registered: Oct 2006
Location: As far away from my username as possible
Distribution: Gentoo
Posts: 259

Original Poster
Blog Entries: 1

Rep: Reputation: 31
Right, that's OK then.
I was just a little worried is all.

</paranoia>



All I've got to do now is port scan that Windows box...
 
  

