From: Joey Hess <joeyh@debian.org>
To: debian-user@lists.debian.org
Subject: Re: hacked?
Date: Mon, 16 Jun 2003 11:51:55 -0400
Moe Binkerman wrote:
> I've noticed something odd, I did an nmap localhost after messing with
> inetd.conf, and saw a weird port open.
> I ran it again and it wasn't there. Mostly I see just the normal services
> I am running, but 1 in a dozen nmap scans (as root) show some ports that
> are open for a second or so. Why would these ports be open, below is an
> example of some of the ports.
>
> I put an nmap localhost in loop to capture the info, also I ran a ps -ef
> in a loop and I let it run for a couple of days and I didn't see anything
> unusual. Am I hacked?
>
>
> 1359/tcp open ftsrv
> 2120/tcp open kauth
> 2241/tcp open ivsd
> 1452/tcp open gtegsc-lm
> 4444/tcp open krb524
> 3306/tcp open mysql
> 1358/tcp open connlcli
> 1652/tcp open xnmp
> 1433/tcp open ms-sql-s
> 3389/tcp open msrdp
> 1506/tcp open utcd
> 1386/tcp open checksum
> 2021/tcp open servexec
> 2564/tcp open hp-3000-telnet
> 1445/tcp open proxima-lm
> 1369/tcp open gv-us
> 1444/tcp open marcam-lm
These are all nonstandard high ports above 1024. Anytime your system
makes an outgoing TCP connection it will open an unused high port of
this type and use it. Maybe that's what it is -- depending on the type
of port scan you did I suppose they could show up.
netstat will list them along with what they're connected to at the other
end:
tcp 0 0 client132.fre.commu:www egspd403.teoma.co:35243 ESTABLISHED
tcp 0 0 client132.fre.commu:www egspd403.teoma.co:34962 TIME_WAIT
tcp 0 0 client132.fre.commu:www egspd403.teoma.co:34807 TIME_WAIT
tcp 0 0 client132.fre.commu:www egspd403.teoma.co:34523 TIME_WAIT
tcp 0 0 client132.fre.commu:www cr012r01-3.sac2.fa:1186 TIME_WAIT
tcp 0 0 client132.fre.commu:www cr038r01-2.sac2.fa:1110 TIME_WAIT
tcp 0 0 client132.fre.commu:www cr038r01-2.sac2.fa:1057 TIME_WAIT
--
see shy jo
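An added example, not code from the original thread, showing how to cross-check nmap's "open" ports against netstat the way the reply suggests. It classifies each port as a real listener (a LISTEN socket), the local end of an outgoing connection (an ephemeral port the kernel picked, which is the case the reply describes), or unknown (in no netstat line at all, so either a connection that ended between the scan and the listing, or something to look at more closely). The netstat output and the nmap port list below are constructed sample data; the function names are mine.

```shell
#!/bin/sh
# Constructed sample of `netstat -tan` output (not real data): two listeners,
# one outgoing HTTP connection, and one connection already in TIME_WAIT.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:35243        198.51.100.7:80         ESTABLISHED
tcp        0      0 192.0.2.10:34962        198.51.100.7:80         TIME_WAIT'

# Ports an nmap scan reported as open (constructed sample, space separated).
SAMPLE_NMAP_PORTS='22 3306 35243 4444'

# classify_port PORT NETSTAT_OUTPUT
# Prints one word:
#   listening - a socket is bound and listening on PORT
#   outgoing  - PORT is the local end of a connection to a remote peer,
#               i.e. an ephemeral port the kernel chose for a client socket
#   unknown   - PORT appears in no tcp line of the netstat output
classify_port() {
    port=$1
    netstat_out=$2
    printf '%s\n' "$netstat_out" | awk -v port="$port" '
        $1 ~ /^tcp/ {
            # Local address is field 4 ("addr:port"); the port is the text
            # after the last colon, which also copes with IPv6 forms like :::22
            n = split($4, a, ":")
            if (a[n] != port) next
            if ($6 == "LISTEN") verdict = "listening"
            else if (verdict == "") verdict = "outgoing"
        }
        END { print (verdict == "" ? "unknown" : verdict) }'
}

# explain_scan "PORT PORT ..." NETSTAT_OUTPUT
# Prints "port<TAB>classification" for every port nmap reported.
explain_scan() {
    for p in $1; do
        printf '%s\t%s\n' "$p" "$(classify_port "$p" "$2")"
    done
}

# unknown_ports "PORT PORT ..." NETSTAT_OUTPUT
# Prints only the ports that netstat cannot account for, one per line.
unknown_ports() {
    for p in $1; do
        [ "$(classify_port "$p" "$2")" = unknown ] && printf '%s\n' "$p"
    done
    return 0
}

# Usage on the constructed sample. On a live box (as root, so -p can show the
# owning process) the same functions take real output, e.g.:
#   explain_scan "$(nmap -p- localhost | awk '/open/{sub("/tcp","",$1); print $1}')" "$(netstat -tanp)"
explain_scan "$SAMPLE_NMAP_PORTS" "$SAMPLE_NETSTAT"
```

Two caveats when reading the result. A port listed as unknown is not proof of anything by itself: a client connection can open and close between the scan and the netstat run, which is exactly the one-in-a-dozen flicker described in the question, so repeat the comparison before drawing conclusions. And the service names nmap prints next to a port (krb524, ms-sql-s, msrdp) come from its port-name table, not from talking to the service; a random ephemeral port that happens to be 4444 gets the krb524 label whether or not anything Kerberos-related is involved.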