Re: t0rn v8
Stephen Gran wrote:-
> Sorry, bad form to have to reply rather than include the info in the
> original message, but hindsight and all that. A few things I have
> done to try to see if t0rn is in fact present:
> lsof|grep LISTEN:
> portmap 273 root 4u IPv4 303 TCP *:sunrpc (LISTEN)
> rpc.statd 277 root 5u IPv4 418 TCP *:32768 (LISTEN)
> inetd 286 root 6u IPv4 424 TCP *:smtp (LISTEN)
> inetd 286 root 7u IPv4 425 TCP *:auth (LISTEN)
> cupsd 289 root 0u IPv4 692 TCP *:ipp (LISTEN)
> sshd 306 root 3u IPv4 566 TCP *:ssh (LISTEN)
> Sorry about the bad wrap ; )
>
> and lsof|grep -i t0rn:
> No results.
>
> nmap localhost:
> Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
> Interesting ports on localhost (127.0.0.1):
> (The 1544 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 111/tcp open sunrpc
> 113/tcp open auth
> 631/tcp open cups
But what about to external hosts? Are they open or closed by your
firewall?
I'd be particularly concerned about sunrpc and cups, and only allow
access to and from specific IP addresses. If they are visible
externally, you should investigate further. If you don't already, I'd
suggest you run one of those scripts that filters and mails your logs
to you every 1 hour or so. Reducing the background noise from
legitimate stuff is the most tedious thing there though.
For my machine I have:
Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1540 ports scanned but not shown below are in state: closed)
Port State Service
13/tcp open daytime
22/tcp open ssh
25/tcp open smtp
37/tcp open time
110/tcp open pop-3
139/tcp open netbios-ssn
631/tcp open cups
2401/tcp open cvspserver
22273/tcp open wnn6
but only SSH and SMTP are visible outside my LAN (as verified by
various firewall testing web sites).
Neil.
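
The comparison suggested in the reply above (what is open on localhost versus what is reachable from outside), as an added example that is not part of the original message. The local scan is the nmap output quoted in the thread; the external scan text and the allowed-service set are constructed for illustration, and the function names are hypothetical.

```python
import re

# Rows of nmap's "Port State Service" table, e.g. "111/tcp open sunrpc"
PORT_ROW = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_ports(nmap_text):
    """Return {(port, proto): service} for rows whose state is 'open'."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_ROW.match(line.lstrip("> "))  # tolerate mail-quoted output
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found

def exposure_report(local_scan, external_scan, allowed):
    """Classify locally open ports by whether an outside scan also sees them."""
    local, external = open_ports(local_scan), open_ports(external_scan)
    report = {"not_exposed": [], "exposed_ok": [],
              "exposed_unexpected": [], "not_local": []}
    for key, svc in sorted(local.items()):
        if key not in external:
            report["not_exposed"].append(svc)
        elif svc in allowed:
            report["exposed_ok"].append(svc)
        else:
            report["exposed_unexpected"].append(svc)
    # Open from outside but absent from the local scan: could be a forwarded
    # port on another device, or a listener that local tools do not show.
    for port, proto in sorted(set(external) - set(local)):
        report["not_local"].append(f"{port}/{proto}")
    return report

# Local scan: the localhost output quoted in the thread.
LOCAL_SCAN = """\
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
113/tcp open auth
631/tcp open cups
"""
# External scan: constructed sample, as if run from a host outside the firewall.
EXTERNAL_SCAN = """\
22/tcp open ssh
25/tcp open smtp
111/tcp open sunrpc
113/tcp filtered auth
"""
ALLOWED = {"ssh", "smtp"}  # assumption: only these should be public

if __name__ == "__main__":
    print(exposure_report(LOCAL_SCAN, EXTERNAL_SCAN, ALLOWED))
```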