Re: [cobalt-security] Ports safe to close?
- Subject: Re: [cobalt-security] Ports safe to close?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Tue, 28 Aug 2001 23:23:53 +0200
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Carrie,

> When running an nmap scan on one of my servers with IPChains
> installed and running, I get these open ports:
> 1080/tcp open socks
> 2000/tcp open callbook
> 2001/tcp open dc (this is digichat)
> 6667/tcp open irc
> 32771/tcp open sometimes-rpc5
> 32772/tcp open sometimes-rpc7
> 32773/tcp open sometimes-rpc9
> 32774/tcp open sometimes-rpc11

errrr ... if this is a Cobalt, then it has been hacked. Or are you running
socks and an IRC server? Also the 32XXX ports look extremely fishy.

My recommendation is to download chkrootkit from www.chkrootkit.org to your
machine. Then extract the tarball, change to the directory and type "make
sense". After that run "./chkrootkit" as user "root".

If you've been hacked, then this tool will most likely give some indications
about that fact.

If the scope's clean and this is not a Cobalt, then close 1080, 2000, 6667
and the 32XXX ports with an ipchains or iptables rule. If it's a Cobalt, then
I'd still be worried, as you won't normally see those ports in use there.

--
With best regards,
Michael Stauber
SOLARSPEED.NET
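
For the clean-host case described in the reply above, one way to turn a scan listing into iptables rules for review. This is an added example, not part of the original mail. The expected-port list and the function names are assumptions, and the rules are only printed, never applied.

```shell
#!/bin/sh
# Added example, not from the original mail.
# Constructed sample input: the port lines quoted in the message above.
SAMPLE_SCAN='1080/tcp open socks
2000/tcp open callbook
2001/tcp open dc (this is digichat)
6667/tcp open irc
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11'

# Assumption: TCP ports this host is meant to expose. 2001 is the
# digichat port named in the mail; 22 and 80 are hypothetical.
EXPECTED_TCP="22 80 2001"

# Read nmap port lines on stdin and print every open TCP port that is
# not on the expected list, one port number per line.
unexpected_ports() {
    awk -v allow="$EXPECTED_TCP" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "open" && $1 ~ /^[0-9]+\/tcp$/ {
            split($1, f, "/")
            if (!(f[1] in ok)) print f[1]
        }'
}

# Turn the unexpected ports into iptables DROP rules an operator can
# read before applying. Nothing is executed here.
drop_rules() {
    unexpected_ports | while read -r port; do
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
    done
}

# Run with --demo to print the rules for the sample scan.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SCAN" | drop_rules
fi
```

A port that shows up here without a known service behind it is a reason to inspect the host first, as the reply recommends, rather than only filtering it.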