
Re: Port 699 listening



> See interspersed comments below.

My replies interspersed

>
> Quoting Alex Pankratz <alexpankratz@gmail.com>:
> > My apologies in advance if this is the wrong place to ask this, this
> > is my first time asking for help..
> >
> > What is running on port 699? I only have squid, ssh, and dhcpd
> > listening on my 2 internal interfaces, but nothing on my external one
> > (XXX.XXX.XXX.XXX below)
> >
> > I just ran nmap, and it returned:
> > Discovered open port 699/tcp on XXX.XXX.XXX.XXX
> > Discovered open port 111/tcp on XXX.XXX.XXX.XXX
> >
> > And netstat shows:
> > netstat -na | grep 699
> > tcp        0      0 0.0.0.0:699             0.0.0.0:*               LISTEN
> >
>
> Try: lsof -i4 -P | grep 699

rpc.statd  1789        root    6u  IPv4    2165       TCP *:699 (LISTEN)

> > I ran chkrootkit and it returned nothing
> >
> > Google tells me:
> > #                          Thomas Clausen <thomas.clausen@inria.fr>
> > accessnetwork   699/tcp    Access Network
> > accessnetwork   699/udp    Access Network
> >
> > - What is "Access Network"?
> > - How can I get RPC to not listen on port 111 at all?
>
> apt-get --purge remove portmap

Did, and that made both 111 and 699 not show up in the nmap scan. Sweet,
thanks Jeffrey. I could swear that in the past I saw 111 open and I
sort of ignored it. Why would 699 be open now, and then closed? Why is
statd running? I don't use NFS.

On a possibly related note, snort is showing me a ton of "SCAN FIN"
messages from the same IP, just recently.

Also on a possibly related note, could that be the reason why snort is
also showing me "(portscan) TCP Portsweep" originating from my
external interface?

>
> or
>
> invoke-rc.d portmap stop
>
> > - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet
> > interfaces listen for those ports?
>
> Yes, 0.0.0.0 means all interfaces.
> >
> > This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as
> > much as possible, except for the recent kernel update just released.
> >
> > Your help is appreciated,
> >
> > Alex
> >
>
> HTH,
>   Jeffrey
>
>
>
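The check this thread does by hand (`lsof -i4 -P`, then comparing the result against the services expected to listen) can be scripted. This is an added example, not part of the original messages: the `EXPECTED` allowlist and every sample line except the `rpc.statd` one are constructed for illustration.

```shell
#!/bin/sh
# EXPECTED is an assumed allowlist: the services the poster said should listen.
EXPECTED="squid sshd dhcpd"

# Reads `lsof -i4 -P` output on stdin and prints "COMMAND PID PROTO PORT" for
# each socket bound to all interfaces (*:port) whose command is not allowed.
unexpected_listeners() {
    awk -v allow="$EXPECTED" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "COMMAND" { next }                      # header row
    {
        proto = ""; name = ""; state = ""
        # The NAME column follows the TCP/UDP token; SIZE may be blank,
        # so locate the token instead of counting columns.
        for (i = 5; i <= NF; i++)
            if ($i == "TCP" || $i == "UDP") {
                proto = $i; name = $(i + 1); state = $(i + 2); break
            }
        if (proto == "") next
        if (proto == "TCP" && state != "(LISTEN)") next   # UDP has no state
        if (substr(name, 1, 2) != "*:") next              # bound to one address
        if ($1 in ok) next
        print $1, $2, proto, substr(name, 3)
    }'
}

# Constructed sample; only the rpc.statd line is taken from the thread.
sample_lsof() {
    cat <<'EOF'
COMMAND    PID USER   FD   TYPE DEVICE SIZE NODE NAME
portmap   1502 daemon  3u  IPv4   1801       UDP *:111
portmap   1502 daemon  4u  IPv4   1804       TCP *:111 (LISTEN)
rpc.statd 1789 root    6u  IPv4   2165       TCP *:699 (LISTEN)
sshd      2011 root    3u  IPv4   2650       TCP 192.168.1.1:22 (LISTEN)
squid     2100 proxy  12u  IPv4   2711       TCP 192.168.1.1:3128 (LISTEN)
dhcpd     2203 root    6u  IPv4   2802       UDP *:67
EOF
}

# On a live host: lsof -i4 -P | unexpected_listeners
sample_lsof | unexpected_listeners
```

On the sample it reports both `portmap` sockets and `rpc.statd` on 699, and stays silent about services bound to a single internal address or named in the allowlist.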


