Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to
LinuxQuestions.org , a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free.
Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please
contact us . If you need to reset your password,
click here .
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a
virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month.
Click here for more info.
01-26-2009, 01:03 AM
#1
LQ Newbie
Registered: Mar 2008
Distribution: Fedora 8
Posts: 23
Rep:
Unknown service
hi all, I need to check and block unknown service on my gateway box...
I don;t know what it is, when I try...
Code:
[root@gwbox ~]# nmap -p 1-65000 gwbox | grep unknown
43176/tcp open unknown
[root@gwbox ~]# chkconfig --list
ConsoleKit 0:off 1:off 2:on 3:on 4:on 5:on 6:off
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
bluetooth 0:off 1:off 2:on 3:on 4:on 5:on 6:off
btseed 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bttrack 0:off 1:off 2:off 3:off 4:off 5:off 6:off
capi 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dc_client 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dc_server 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dnsmasq 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dund 0:off 1:off 2:off 3:off 4:off 5:off 6:off
firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
fuse 0:off 1:off 2:off 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:off 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kannel 0:off 1:off 2:off 3:off 4:off 5:off 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lirc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
lm_sensors 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
multipathd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mysqld 0:off 1:off 2:on 3:on 4:on 5:off 6:off
nasd 0:off 1:off 2:off 3:off 4:off 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nmb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smolt 0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:off 2:off 3:on 4:on 5:on 6:off
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
yum-updatesd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Everytime I reboot my box.. it on different port
how I can BLOCK/DENY it, I don't know what service it
help
01-26-2009, 01:08 AM
#2
LQ Newbie
Registered: Mar 2008
Distribution: Fedora 8
Posts: 23
Original Poster
Rep:
Re: unknown service
now after I reboot, I scan again, it changed on others port
[root@gwbox ~]# nmap -p 1-65000 gwbox | grep unknown
51585/tcp open unknown
what is this (service) and how I know what service is, and how to block it????
thanks in advance
01-26-2009, 08:26 AM
#3
Senior Member
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833
Rep:
Quote:
Originally Posted by
katrok
now after I reboot, I scan again, it changed on others port
[root@gwbox ~]# nmap -p 1-65000 gwbox | grep unknown
51585/tcp open unknown
what is this (service) and how I know what service is, and how to block it????
thanks in advance
Do a "netstat -pan" and lets examine the output of that.
01-31-2009, 11:23 AM
#4
LQ Newbie
Registered: Mar 2008
Distribution: Fedora 8
Posts: 23
Original Poster
Rep:
Quote:
Originally Posted by
rweaver
Do a "netstat -pan" and lets examine the output of that.
here the output:
Code:
[root@gwbox ~]# nmap -p 1-65355 gwbox|grep unknown
38954/tcp open unknown
[root@gwbox ~]# nmap -p 1-65355 localhost|grep unknown
38954/tcp open unknown
[root@gwbox ~]#
[root@gwbox ~]# netstat -vat|grep 38954
tcp 0 0 *:38954 *:* LISTEN
[root@gwbox ~]# netstat -pan|grep 38954
tcp 0 0 0.0.0.0:38954 0.0.0.0:* LISTEN 1836/rpc.statd
rpc.statd <<< thanks in advance rweaver
01-31-2009, 07:32 PM
#5
Member
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Rep:
Is that port exposed to the internet? Can you scan from another machine on the LAN and then from outside the LAN?
Also, are you running NFS on the LAN?
Last edited by unixfool; 01-31-2009 at 07:35 PM .
02-04-2009, 08:50 PM
#6
LQ Newbie
Registered: Mar 2008
Distribution: Fedora 8
Posts: 23
Original Poster
Rep:
Quote:
Originally Posted by
unixfool
Is that port exposed to the internet? Can you scan from another machine on the LAN and then from outside the LAN?
it shown on localhost (gwbox) and from other comp (LAN), from outside LAN I never test it...
Quote:
Originally Posted by
unixfool
Also, are you running NFS on the LAN?
No I'm not running NFS, you can see list of my service up this post
it true my firewall allow NFS port, but not this port!!!! and I'm too noob to know what it's it
Code:
[root@gwbox ~]# nmap -p 1-65355 localhost
Starting Nmap 4.52 ( http://insecure.org ) at 2009-02-05 09:36 WIT
Interesting ports on gwbox.warnet.lan (127.0.0.1):
Not shown: 65342 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3128/tcp open squid-http
58571/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 20.626 seconds
[root@gwbox ~]# chkconfig --list
ConsoleKit 0:off 1:off 2:on 3:on 4:on 5:on 6:off
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
acpid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avgd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bluetooth 0:off 1:off 2:off 3:off 4:off 5:off 6:off
btseed 0:off 1:off 2:off 3:off 4:off 5:off 6:off
bttrack 0:off 1:off 2:off 3:off 4:off 5:off 6:off
capi 0:off 1:off 2:off 3:off 4:off 5:off 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dc_client 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dc_server 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dhcpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dhcrelay 0:off 1:off 2:off 3:off 4:off 5:off 6:off
dnsmasq 0:off 1:off 2:on 3:on 4:on 5:on 6:off
dund 0:off 1:off 2:off 3:off 4:off 5:off 6:off
firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
fuse 0:off 1:off 2:off 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:off 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:off 3:off 4:off 5:off 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
irqbalance 0:off 1:off 2:off 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kannel 0:off 1:off 2:off 3:off 4:off 5:off 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
ldap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
lirc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
lm_sensors 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:on 3:on 4:on 5:on 6:off
microcode_ctl 0:off 1:off 2:on 3:on 4:on 5:on 6:off
multipathd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nasd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netplugd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nmb 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nscd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcbind 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcsvcgssd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rsyslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
shorewall 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smartd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
smb 0:off 1:off 2:on 3:on 4:on 5:on 6:off
smolt 0:off 1:off 2:on 3:on 4:on 5:on 6:off
snmpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snmptrapd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
snortd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
squid 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
udev-post 0:off 1:off 2:off 3:on 4:on 5:on 6:off
vsftpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
winbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
wpa_supplicant 0:off 1:off 2:off 3:off 4:off 5:off 6:off
ypbind 0:off 1:off 2:off 3:off 4:off 5:off 6:off
yum-updatesd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@gwbox ~]#
[root@gwbox ~]# netstat -vat|grep 58571
tcp 0 0 *:58571 *:* LISTEN
[root@gwbox ~]# netstat -pan|grep 58571
tcp 0 0 0.0.0.0:58571 0.0.0.0:* LISTEN 1808/rpc.statd
[root@gwbox ~]#
it's this normal or not
(does I'm (my box) being cracked ???) or I'm soo paranoid ??? so what must I've to do with my iptables ???
I also checked /etc/services, this unknown service always on not registered port, it's this virus?
thanks in advance for any idea...
Last edited by katrok; 02-04-2009 at 08:54 PM .
02-04-2009, 09:08 PM
#7
Member
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Rep:
I've not run NFS in like 7-8 years, but I'd thought that some of the services associated with NFS generates traffic on random ports (which is why it is difficult to configure a FW to allow such traffic). You may want to read up on how NFS' services work. I'm almost positive I read something to the effect of NFS services spawning port connections that may appear to be suspicious but is not.
02-04-2009, 09:36 PM
#8
Senior Member
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,824
The rpc.statd server implements the NSM (Network Status Monitor) RPC protocol. This service is somewhat misnomed, since it doesn't actually provide active monitoring as one might suspect; instead, NSM implements a reboot notification service. It is used by the NFS file locking service, rpc.lockd, to implement lock recovery when the NFS server machine crashes and reboots.
google rpc.statd
05-21-2009, 05:21 AM
#9
LQ Newbie
Registered: Mar 2008
Distribution: Fedora 8
Posts: 23
Original Poster
Rep:
thanks
thanks any way for all of referency
05-22-2009, 12:22 AM
#10
LQ Guru
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,348
Given your profile says Fedora, you should be able to lock down the ports used by nfs related services as described here:
http://www.cyberciti.biz/faq/centos-...-server-ports/
All times are GMT -5. The time now is 06:20 PM .
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know .
Latest Threads
LQ News