
Re: webcache/port 8080



What I do in situations like this is run

lsof | grep LISTEN

or lsof | grep 8080

or lsof | grep LISTEN | grep 8080

nate

Dave Sherohman wrote:
> 
> I've been getting webcache connection attempts showing up in my logs for the
> last couple days, always from the same IP.  So I got sick of it and sent him
> a nastygram and, in the process of composing it, tried telnetting to port
> 8080 on the machine in question.
> 
> I connected.
> 
> The only response I was able to get out of it (not knowing the appropriate
> protocol to pretend I was a cache client) was:
> 
> ---
> Cache Error!
> An error of type 400 occurred: Invalid Scheme
> 
> Generated by 1.3.1
> ---
> 
> I'm rather disturbed by the software's failure to identify itself beyond a
> version number.
> 
> `fuser -n tcp 8080` says that nobody's using the port, even when I've got a
> telnet session open to it.  Neither squid nor wwwoffle is installed and
> there's no mention of port 8080 (or webcache) in my inetd, apache, or
> portsentry configs.
> 
> In the process of investigating this, my server stopped accepting connections
> on port 8080, which leads me to suspect that it may have been portsentry
> accepting the connections (although it's version 1.0-1.4, not 1.3.1).
> 
> Just to be safe, I've added "webcache: ALL" to hosts.deny, but I'd like to
> know who is (or was) listening there.  Where should I look next when fuser
> doesn't see anything?  (And are there any known exploits, trojans, etc. that
> would display these symptoms?)
> 
> --
> "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
> "So does syphillis. Good thing we have penicillin." - Matthew Alton
> Geek Code 3.1:  GCS d- s+: a- C++ UL++$ P+>+++ L+++>++++ E- W--(++) N+ o+
> !K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r++ y+

-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org
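
An added example (not part of either poster's message) for the "who is listening on 8080" question when fuser shows nothing: it reads the kernel's socket table in /proc/net/tcp and matches the socket inode against each process's file descriptors. It is Linux-specific; the function names and the optional PROCROOT argument are assumptions of this example.

```shell
# Added example: identify the owner of a listening TCP port using only /proc.
# PROCROOT (default /proc) is a parameter so the logic can be run against a
# constructed directory tree as well as the live system.

# listen_inodes PORT [PROCROOT]: print socket inodes in LISTEN state on PORT.
listen_inodes() {
    port_hex=$(printf '%04X' "$1")
    root=${2:-/proc}
    for f in "$root/net/tcp" "$root/net/tcp6"; do
        [ -r "$f" ] || continue
        # Field 2 is local addr:port in hex, field 4 is the state
        # (0A = LISTEN), field 10 is the socket inode. The "" suffix forces a
        # string comparison so hex like 1E01 is never read as a number.
        awk -v p="$port_hex" 'NR > 1 {
            n = split($2, a, ":")
            if ((a[n] "") == (p "") && $4 == "0A") print $10
        }' "$f"
    done | sort -u
}

# inode_owners INODE [PROCROOT]: print PIDs holding an fd on socket:[INODE].
inode_owners() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#"$root"/}
        echo "${pid%%/*}"
    done | sort -un
}

# who_listens PORT [PROCROOT]: one line per listening socket on PORT.
# pids=unknown means the socket is in the kernel table but no readable
# process fd refers to it.
who_listens() {
    for inode in $(listen_inodes "$1" "$2"); do
        pids=$(inode_owners "$inode" "$2" | paste -sd, -)
        echo "port=$1 inode=$inode pids=${pids:-unknown}"
    done
}
```

Run `who_listens 8080` as root; as an unprivileged user, other users' fd directories are unreadable and their listeners show as pids=unknown.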


