Re: BackOrifice on Linux?
On Wed, Jan 29, 2003 at 10:15:23AM -0600, Kent West (westk@acu.edu) wrote:
> Rob Weir wrote:
> >On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
> >
> >>I just ran the command "sudo nmap -sT -sU localhost" which listed the
> >>following:
> >>12345/tcp open NetBus
> >>12346/tcp open NetBus
> >>27665/tcp open Trinoo_Master
> >>31335/udp open Trinoo_Register
> >>Should I be concerned, or is this maybe part of portsentry or something
> >>similar?
> Looks like it may just be part of portsentry. Thanks!
>
> >westek[westk]:/home/westk> sudo netstat -ntuple
> >Active Internet connections (only servers)
> >Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
> >tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN 0 2168 701/portsentry
> >tcp 0 0 0.0.0.0:20034 0.0.0.0:* LISTEN 0 2201 701/portsentry
> >tcp 0 0 0.0.0.0:32771 0.0.0.0:*

One of the annoying aspects of portsentry is that it opens the ports it
listens on. This can lead to false-positive alerts when scanning your
own systems.

Snort is another package which detects traffic on ports but doesn't open
them. I'd recommend it as an alternative.

Peace.

--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
The Amazon "one-click" patent boycott -- yes, it continues:
http://www.fsf.org/philosophy/amazon.html#whyContinue
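
The triage done by hand in this thread (matching each port nmap reports open against the process that netstat shows holding it) can be scripted. The following is an added example, not code from any poster in the thread. The nmap lines are the ones quoted above; the netstat rows, the `otherd` program name and the `EXPECTED` allow-list are constructed for illustration. Without version detection, nmap's service column is only a name looked up from the port number, so the owning process is the evidence that matters.

```python
import re

# nmap lines as quoted in the thread; netstat rows are CONSTRUCTED sample
# data in the `netstat -ntuple` column layout ("otherd" is hypothetical).
NMAP_OUTPUT = """\
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31335/udp open Trinoo_Register
"""

NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 0 2170 701/portsentry
tcp 0 0 0.0.0.0:12346 0.0.0.0:* LISTEN 0 2171 701/portsentry
tcp 0 0 0.0.0.0:27665 0.0.0.0:* LISTEN 0 2172 950/otherd
"""

EXPECTED = {"portsentry"}  # assumption: programs allowed to hold decoy ports

def listeners(netstat_text):
    """Map (port, proto) -> owning program name from netstat -ntuple rows."""
    owners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # banner and column-header lines
        port = int(f[3].rsplit(":", 1)[1])   # works for 0.0.0.0:N and :::N
        _pid, _, prog = f[-1].partition("/")  # last column is PID/Program
        owners[(port, f[0][:3])] = prog or "-"
    return owners

def triage(nmap_text, netstat_text, expected=EXPECTED):
    """Return (port, proto, nmap_label, owner, verdict) per open port."""
    owners = listeners(netstat_text)
    report = []
    for m in re.finditer(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", nmap_text, re.M):
        port, proto, label = int(m[1]), m[2], m[3]
        prog = owners.get((port, proto))
        verdict = ("no-listener" if prog is None
                   else "decoy" if prog in expected else "investigate")
        report.append((port, proto, label, prog, verdict))
    return report

if __name__ == "__main__":
    for row in triage(NMAP_OUTPUT, NETSTAT_OUTPUT):
        print("%5d/%s %-16s %-12s %s" % row)
```
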