Re: Port 699 listening
> See interspersed comments below.
My replies interspersed
>
> Quoting Alex Pankratz <alexpankratz@gmail.com>:
> > My apologies in advance if this is the wrong place to ask this, this
> > is my first time asking for help..
> >
> > What is running on port 699? I only have squid, ssh, and dhcpd
> > listening on my 2 internal interfaces, but nothing on my external one
> > (XXX.XXX.XXX.XXX below)
> >
> > I just ran nmap, and it returned:
> > Discovered open port 699/tcp on XXX.XXX.XXX.XXX
> > Discovered open port 111/tcp on XXX.XXX.XXX.XXX
> >
> > And netstat shows:
> > netstat -na | grep 699
> > tcp 0 0 0.0.0.0:699 0.0.0.0:* LISTEN
> >
>
> Try: lsof -i4 -P | grep 699
rpc.statd 1789 root 6u IPv4 2165 TCP *:699 (LISTEN)
> > I ran chkrootkit and it returned nothing
> >
> > Google tells me:
> > # Thomas Clausen <thomas.clausen@inria.fr>
> > accessnetwork 699/tcp Access Network
> > accessnetwork 699/udp Access Network
> >
> > - What is "Access Network"?
> > - How can I get RPC to not listen on port 111 at all?
>
> apt-get --purge remove portmap
Did, and that made both 111 and 699 not show up in nmap scan. sweet,
thanks Jeffery. I could swear that in the past I saw 111 open and I
sort of ignored it, why would 699 be open now, and then closed? why is
statd running, i dont use NFS.
On a possibly related note, snort is showing me a ton of "SCAN FIN"
messages from the same IP, just recently.
Also on a possibly related note, could that be the reason why snort is
also showing me "(portscan) TCP Portsweep" originating from my
external interface?
>
> or
>
> invoke-rc.d portmap stop
>
> > - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet
> > interfaces listen for those ports?
>
> Yes, 0.0.0.0 means all interfaces.
> >
> > This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as
> > much as possible, except for the recent kernel update just released.
> >
> > Your help is appreciated,
> >
> > Alex
> >
>
> HTH,
> Jeffrey
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
Reply to: