
Re: port scare



On Sun, Feb 18, 2001 at 10:32:58AM -0500, Glenn Becker wrote:
> What the hell *are* these things and how did they suddenly blast open
> after I had shut down all but three? I have changed nothing - and when I
> check inetd.conf and the other directories I edited, they are still the
> same. Ex: I commented out finger ages ago ... it's still commented out and
> yet now there's an open port.

Well, either

a)  You've been cracked in a big way

or 

b)  You're running portsentry

I suspect that b is the more likely case.  portsentry works by listening on
otherwise unused ports and reporting any attempts to connect to them as
potential attacks.  If you use it and you want to run a meaningful portscan
on your box, you should shut down portsentry while performing the scan.  (One
of the sysadmins at my last job got an nmap result like that back and just
about had a heart attack.  Then, after half an hour of trying to figure out
how the box had been cracked, he remembered portsentry...)

-- 
SGI products are used to create the 'Bugs' that entertain us in theatres
and at home. - SGI job posting
Geek Code 3.1:  GCS d? s+: a- C++ UL++$ P++>+++ L+++>++++ E- W--(++) N+ o+
!K w---$ O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv b+ DI++++ D G e* h+ r y+
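
Added example, not part of the original message: one way to tell the two cases in the reply apart is to attribute every listening port to the process that owns it, rather than trusting a remote scan. The sketch below parses `netstat -tlnp` output; the sample output and the table of expected services are constructed for illustration.

```python
# Constructed sample of `netstat -tlnp` output (run as root so owners are shown).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   412/sshd
tcp        0      0 0.0.0.0:25        0.0.0.0:*         LISTEN   530/exim
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN   598/apache
tcp        0      0 0.0.0.0:79        0.0.0.0:*         LISTEN   731/portsentry
tcp        0      0 0.0.0.0:111       0.0.0.0:*         LISTEN   731/portsentry
tcp        0      0 0.0.0.0:31337     0.0.0.0:*         LISTEN   731/portsentry
tcp        0      0 0.0.0.0:6000      0.0.0.0:*         LISTEN   -
"""

# Hypothetical list of services the admin deliberately left running.
EXPECTED = {22: "sshd", 25: "exim", 80: "apache"}


def listeners(netstat_text):
    """Yield (port, program) for every TCP socket in LISTEN state."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # banner, column header, or non-listening socket
        port = int(fields[3].rsplit(":", 1)[1])  # rsplit also copes with ":::22"
        owner = " ".join(fields[6:])
        # netstat prints "-" when the owner is not visible to the caller
        program = owner.split("/", 1)[1] if "/" in owner else None
        yield port, program


def classify(netstat_text, expected, decoy="portsentry"):
    """Sort listening ports into expected services, decoy listeners, and the rest."""
    report = {"expected": [], "decoy": [], "investigate": []}
    for port, program in listeners(netstat_text):
        if program == decoy:
            # Name match only; confirm the PID's binary separately.
            report["decoy"].append(port)
        elif program is not None and expected.get(port) == program:
            report["expected"].append(port)
        else:
            report["investigate"].append(port)
    return {kind: sorted(ports) for kind, ports in report.items()}


if __name__ == "__main__":
    for kind, ports in classify(SAMPLE, EXPECTED).items():
        print(f"{kind:12} {ports}")
```

Only the ports left under "investigate" need explaining; a listener with no visible owner lands there as well.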


