NewB needs help understanding 'netstat' output

Post by ken kin » Tue, 14 May 2002 09:22:21



I'm fairly new at Linux, so I really don't quite know what I'm doing,
but....
Occasionally I do "netstat -tuln" just to see that things don't change,
but today this is what I got.....

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
----The following line (Port 515) didn't use to be there, but I've
installed a printer -- so that makes sense
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 192.168.1.1:137         0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.1.1:138         0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
---The following (port 635) USED to be "0.0.0.0:628" why would it
change???
udp        0      0 0.0.0.0:635             0.0.0.0:*

(rpc.statd owns the last one and the ones on ports 32768)
Running red hat (basically default workstation install), using
masquerading for a home network (DHCP via cable). This box is also
running samba, imap, and sendmail for the internal network.  Samba &
imap are bound to the internal i/f by their config files & tcp wrappers.
Sendmail will not relay from an outside domain. Also, these ports are
closed to the outside i/f by firewall rules and scanning services have
confirmed them closed.

I just can't think of anything I might have done to remove a service
from 628 (I'm not even smart enough to know what it was), let alone add
something to port 635 (I don't know what rpc.statd is).

Any help at understanding this?

thanks,
kk

 
 
 

NewB needs help understanding 'netstat' output

Post by r00t » Tue, 14 May 2002 15:26:15



> I'm fairly new at Linux, so I really don't quite know what I'm doing,
> but....
> Occasionally I do "netstat -tuln" just to see that things don't change,
> but today this is what I got.....

see what is available to the outside with this: netstat -pan --inet.  
it provides a better overview.

> ---The following (port 635) USED to be "0.0.0.0:628" why would it
> change???
> udp        0      0 0.0.0.0:635             0.0.0.0:*

it shouldn't have changed.  they're two different services altogether.

> (rpc.statd owns the last one and the ones on ports 32768)
> Running red hat (basically default workstation install), using
> masquerading for a home network (DHCP via cable).

disable everything you're not going to use, and pay attention to what
you have running in the background.

> I just can't think of anything I might have done to remove a service
> from 628

you likely had qmail running on that port.  do you need it?

> (I'm not even smart enough to know what it was), let alone add
> something to port 635 (I don't know what rpc.statd is).

Older versions of Linux put the NFS "rpc.mountd" service at this port.
Someone could find a backdoor through that port on older systems.
Read more here: http://www.cert.org/advisories/CA-1998-12.html

/r00t

 
 
 

NewB needs help understanding 'netstat' output

Post by ken kin » Tue, 14 May 2002 20:54:26


<snip>

> you likely had qmail running on that port.  do you need it?

No, qmail is not installed -- never used it. Is it possible some other mail
pgm may have opened it? Gnome or kde readers/clients, Netscape?


> >(I'm not even smart enough to know what it was), let alone add
> > something to port 635 (I don't know what rpc.statd is).

> Older versions of Linux put the NFS "rpc.mountd" service at this port.
> Someone could find a backdoor through that port on older systems.
> Read more here: http://www.cert.org/advisories/CA-1998-12.html

I think Red Hat installs NFS by default -- so it should have always been
there? I'm starting to think maybe I've always seen 635 and I just think I saw
628???
-kk
 
 
 

NewB needs help understanding 'netstat' output

Post by r00t » Wed, 15 May 2002 00:47:13




> <snip>

> > you likely had qmail running on that port.  do you need it?

> No, qmail is not installed -- never used it.

qmail is a mail service (kinda like smtp).  the daemon would be
running in /etc/rc.d/init.d/ or someplace similar on your system.

> Is it possible some other mail pgm may have opened it? Gnome or
> kde readers/clients, Netscape?

No.  Not unless you told the mail client to specifically connect
on that port.

> > > (I'm not even smart enough to know what it was), let alone add
> > > something to port 635 (I don't know what rpc.statd is).

> > Older versions of Linux put the NFS "rpc.mountd" service at this port.
> > Someone could find a backdoor through that port on older systems.
> > Read more here: http://www.cert.org/advisories/CA-1998-12.html

> I think Red Hat installs NFS by default -- so it should have always been
> there?

rh likely installs NFS by default. that's why i recommend custom install
with only the bare essentials.  then go in and install/config what you
need manually.  takes a bit longer that way, but well worth the time.

> I'm starting to think maybe I've always seen 635 and I just think I saw
> 628???

Could be.  Again, look for qmail's existence on your box.
As root: find / -name qmail

Let us know what you find.

/r00t

 
 
 

NewB needs help understanding 'netstat' output

Post by ken kin » Wed, 15 May 2002 11:27:43





> > <snip>

> > > you likely had qmail running on that port.  do you need it?

> > No, qmail is not installed -- never used it.

> qmail is a mail service (kinda like smtp).  the daemon would be
> running in /etc/rc.d/init.d/ or someplace similar on your system.

I understand. I am quite certain it [qmail] has never been installed........
grep qmail /etc/xinetd.d/*
grep qmail /etc/rc.d/init.d/*
find / -name 'qmail*'
rpm -Va | grep qmail
..............All nothing. I'm thinking Sendmail is the only MTA installed by
default?

Sendmail is the only "outside" MTA ever run on this machine (IMAP transfers
"inside (local)" mail -- BTW IMAP is on the CDs, but I remember installing it,
i.e. not installed by default) -- I definitely remember spending about two
days configuring and testing sendmail.


> > Is it possible some other mail pgm may have opened it? Gnome or
> > kde readers/clients, Netscape?

> No.  Not unless you told the mail client to specifically connect
> on that port.

> > > >(I'm not even smart enough to know what it was), let alone add
> > > > something to port 635 (I don't know what rpc.statd is).

> > > Older versions of Linux put the NFS "rpc.mountd" service at this port.
> > > Someone could find a backdoor through that port on older systems.
> > > Read more here: http://www.cert.org/advisories/CA-1998-12.html

> > I think Red Hat installs NFS by default -- so it should have always been
> > there?

> rh likely installs NFS by default. that's why i recommend custom install
> with only the bare essentials.  then go in and install/config what you
> need manually.  takes a bit longer that way, but well worth the time.

> > I starting to think maybe I've always seen 635 and I just think I saw
> > 628???

> Could be.  Again, look for qmail's existence on your box.
> As root: find / -name qmail

> Let us know what you find.

> /r00t

 
 
 

NewB needs help understanding 'netstat' output

Post by ken kin » Wed, 15 May 2002 12:11:58





> > <snip>

> > > you likely had qmail running on that port.  do you need it?

> > No, qmail is not installed
> -- never used it.

> qmail is a mail service (kinda like smtp).  the daemon would be
> running in /etc/rc.d/init.d/ or someplace similar on your system.

I understand. I am quite certain qmail has never been installed........
grep qmail /etc/xinetd.d/*
grep qmail /etc/rc.d/init.d/*
find / -name 'qmail*'
rpm -Va | grep qmail
..............All nothing. I'm thinking Sendmail is the only MTA installed by
default?

Sendmail is the only "outside" MTA ever run on this machine (IMAP transfers
"inside (local)" mail -- BTW IMAP is on the CDs, but I remember installing it,
i.e. not installed by default) -- I definitely remember spending about two
days configuring and testing sendmail.


> rh likely installs NFS by default. that's why i recommend custom install
> with only the bare essentials.  then go in and install/config what you
> need manually.

That is difficult for a newB -- take Sendmail for example! Okay, maybe that's
not fair -- Sendmail is an extreme case. But take a firewall as an example --
easy to close a port you think you don't need and break stuff -- like DHCP or
lo (break lo and it can be hard to recover).
If you're new to an OS it can be difficult to know what is required, what
isn't -- you're kinda stuck taking the default and going from there.

> takes a bit longer that way, but well worth the time.

True, but hard to do until you learn your way around. I'm slowly learning
how each service gets started -- not to mention tcp wrappers and ipchains.


> > I starting to think maybe I've always seen 635 and I just think I saw
> > 628???

> Could be.  Again, look for qmail's existence on your box.
> As root: find / -name qmail

I don't usually make that big a mistake, but the '628' is handwritten, so
it's possible -- but I also looked up and wrote down the port "QMQP" --- so I
know I've looked at it several times. I'm beginning to think that's the only
explanation. I'm 'almost' sure NFS is installed by default?

How can I find files created/modified after a certain date? I got really
bogged down in "man find" & "info find" -- things I tried didn't give logical
answers.


> Let us know what you find.

> /r00t
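The "how can I find files created/modified after a certain date" question above, answered as an added shell example that is not part of the thread. It uses only POSIX `find`: the classic trick is a reference file whose mtime is the cut-off, then `find -newer`. The `make_sample_tree` function builds a constructed directory tree with known timestamps so the functions can be exercised offline; the `/etc`-style paths inside it are illustrative, not the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread: locate files modified after a
# cut-off date with POSIX find. The sample tree is constructed for the demo.

# Files under $1 whose content was modified after the cut-off $2, given in
# touch -t form [CC]YYMMDDhhmm (200205100000 = 10 May 2002 00:00).
# Paths are printed relative to $1 so the output is stable across machines.
modified_after() {
    ref=$(mktemp) || return 1
    touch -t "$2" "$ref"           # the reference file carries the cut-off mtime
    find "$1" -type f -newer "$ref" | sed "s|^$1/||" | sort
    rm -f "$ref"
}

# Files under $1 whose content changed in the last $2 days. -mtime -N means
# "less than N*24h ago" and rounds to whole days; use modified_after when an
# exact cut-off matters.
modified_within_days() {
    find "$1" -type f -mtime -"$2" | sed "s|^$1/||" | sort
}

# Files under $1 whose inode changed in the last $2 days: permission, owner
# or hard-link changes that -mtime never sees. This catches a script that was
# made executable or setuid even though its content is unchanged.
status_changed_within_days() {
    find "$1" -type f -ctime -"$2" | sed "s|^$1/||" | sort
}

# Build a small constructed tree with known mtimes. The ctime of every file
# is "now", because ctime cannot be set backwards, which is exactly the
# difference between the last two functions.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/xinetd.d" "$d/etc/rc.d/init.d"
    printf 'service lpd\n'     > "$d/etc/xinetd.d/lpd"
    printf '#!/bin/sh\n'       > "$d/etc/rc.d/init.d/nfs"
    printf 'ALL: 192.168.1.\n' > "$d/etc/hosts.allow"
    touch -t 200205130100 "$d/etc/xinetd.d/lpd"      # 13 May 2002: printer added
    touch -t 200204010900 "$d/etc/rc.d/init.d/nfs"   # 1 Apr 2002
    touch -t 200201150900 "$d/etc/hosts.allow"       # 15 Jan 2002
    printf '%s\n' "$d"
}

# Usage: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "modified after 1 May 2002:";   modified_after "$root" 200205010000
    echo "modified in the last 30 days:"; modified_within_days "$root" 30
    echo "inode changed in the last day:"; status_changed_within_days "$root" 1
    rm -rf "$root"
fi
```

Against a real system, `modified_after /etc 200205100000` lists everything under `/etc` touched after 10 May 2002; pairing it with the ctime variant is the quick way to spot a file whose mode or owner changed without its content changing.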

 
 
 

NewB needs help understanding 'netstat' output

Post by ken kin » Fri, 17 May 2002 20:02:49



> I'm fairly new at Linux, so I really don't quite know what I'm doing,
> but....
> Occasionally I do "netstat -tuln" just to see that things don't change,
> but today this is what I got.....

> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
> ----The following line (Port 515) didn't use to be there, but I've
> installed a printer -- so that makes sense
> tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
> tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> udp        0      0 0.0.0.0:32768           0.0.0.0:*
> udp        0      0 192.168.1.1:137         0.0.0.0:*
> udp        0      0 0.0.0.0:137             0.0.0.0:*
> udp        0      0 192.168.1.1:138         0.0.0.0:*
> udp        0      0 0.0.0.0:138             0.0.0.0:*
> udp        0      0 0.0.0.0:111             0.0.0.0:*
> ---The following (port 635) USED to be "0.0.0.0:628" why would it
> change???
> udp        0      0 0.0.0.0:635             0.0.0.0:*

This morning the last line is port 636! I know I'm not dreaming because I
created a cron job to do netstat -tulnp each night and email me the diff
from the day before.

--kk

 
 
 

NewB needs help understanding 'netstat' output

Post by RainbowHa » Sat, 18 May 2002 19:22:50


< ken king

8< (Summary: `netstat -tuln`, not related ports 25 137 138 139 515 6000)

>> Proto Recv-Q Send-Q Local Address           Foreign Address State
>> tcp        0      0 0.0.0.0:32768           0.0.0.0:* LISTEN
>> tcp        0      0 0.0.0.0:111             0.0.0.0:* LISTEN
>> udp        0      0 0.0.0.0:32768           0.0.0.0:*
>> udp        0      0 0.0.0.0:111             0.0.0.0:*
>> ---The following (port 635) USED to be "0.0.0.0:628" why would it
>> change???
>> udp        0      0 0.0.0.0:635             0.0.0.0:*

>This morning the last line is port 636! I know I'm not dreaming because I
>created a cron job to do netstat -tulnp each night and email me the diff
>from the day before.

You should protect the above ports from outside (local only). If you are
not familiar with RPC, uninstalling it is good for security.

rpc.mountd 100005 ---[portmap]--- 635
rpc.mountd 100005 ---[portmap]--- 638
rpc.mountd 100005 ---[portmap]--- 636

/sbin/portmap
/usr/sbin/rpcinfo
/usr/sbin/showmount

http://www.robertgraham.com/pubs/firewall-seen.html
|   635 mountd Linux mountd bug...
|   Note that mountd can run at any port (for which you must first do a
|             ~~~~~~~~~~~~~~~~~~~~~~~~~~
|   portmap lookup at port 111), it's just that Linux defaulted to port
|   *******~~~~~~~~~~~~~~~~~~~
|   635 in much the same way that NFS universally runs at port 2049...
|   Sun starting their RPC ports at 32768...

http://www.robertgraham.com/pubs/network-intrusion-detection.html
|rpcinfo
|~~~~~~~
|   finds out what RPC services are running

http://www.robertgraham.com/pubs/hacking-dict.html
|   For example, the rpc.mountd RPC program is assigned the
|   well-known program number of 100005. When it starts up, it
|                                ~~~~~~
|   might obtain the port number like 635.
|                                ~~~~~~~~
|showmount [3]
|   Key point: This command used the rpc.mountd protocol (RPC
|   program number 100005). On most systems, these commands do not
|                                                           ^^^^^^
|   require authentication, which means that anybody can run them.
|   ^^^^^^^^^^^^^^^^^^^^^^                   ^^^^^^^^^^^^^^^

--
Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
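The two threads of the discussion above, ken's nightly cron job that diffs `netstat -tuln` output, and RainbowHat's point that an RPC service such as `rpc.mountd` (program 100005) gets whatever port portmap hands it at start-up, fit together in one script. The following is an added example, not code from the thread or from any of the posters: it diffs two listener snapshots and then annotates each changed socket with the RPC program registered on that port, so a mountd move from udp/635 to udp/636 reads as "same program, new port" rather than as an unexplained new listener. The two snapshots and the `rpcinfo -p` table are constructed for the example; the state directory, the crontab line and the use of `netstat`/`rpcinfo` at run time are assumptions about the target system.

```shell
#!/bin/sh
# Added example, not from the thread: diff nightly listener snapshots and
# name the RPC program behind each socket that changed. Sample data is
# constructed; STATE_DIR and the cron line are assumptions.
export LC_ALL=C   # sort and comm must agree on collation

# Constructed snapshot from "night 1": mountd registered on udp/635.
SNAP_OLD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:635             0.0.0.0:*'

# Constructed snapshot from "night 2": a printer daemon appeared on tcp/515
# and mountd came back on udp/636 after a restart.
SNAP_NEW='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:636             0.0.0.0:*'

# Constructed "rpcinfo -p" output taken at the time of SNAP_NEW. The program
# numbers are the standard ones: 100000 portmapper, 100005 mountd, 100024 status.
RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    636  mountd
    100005    1   tcp    637  mountd
    100024    1   udp  32768  status
    100024    1   tcp  32768  status'

# Reduce a netstat snapshot (stdin) to sorted "proto local-address" lines,
# dropping the header and the volatile queue counters.
listeners() {
    awk '$1 == "tcp" || $1 == "udp" { print $1, $4 }' | sort
}

# Print sockets that vanished ("- ...") followed by sockets that appeared ("+ ...").
diff_listeners() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s\n' "$1" | listeners > "$old"
    printf '%s\n' "$2" | listeners > "$new"
    comm -23 "$old" "$new" | sed 's/^/- /'
    comm -13 "$old" "$new" | sed 's/^/+ /'
    rm -f "$old" "$new"
}

# Which RPC program does portmap have registered on this proto/port pair?
# Prints "program-number name", or nothing if the port is not an RPC service.
rpc_owner() {
    printf '%s\n' "$RPCINFO" |
        awk -v proto="$1" -v port="$2" '$3 == proto && $4 == port { print $1, $5; exit }'
}

# Annotate every changed socket with its RPC owner, if it has one.
explain_changes() {
    diff_listeners "$1" "$2" | while read -r sign proto addr; do
        port=${addr##*:}
        owner=$(rpc_owner "$proto" "$port")
        if [ -n "$owner" ]; then
            printf '%s %s %s  (rpc program %s)\n' "$sign" "$proto" "$addr" "$owner"
        else
            printf '%s %s %s  (not registered with portmap)\n' "$sign" "$proto" "$addr"
        fi
    done
}

# Nightly use (assumed layout): keep the previous snapshot under STATE_DIR and
# print the annotated diff, e.g. from a root crontab entry such as
#   5 3 * * * /usr/local/sbin/listener-diff.sh --nightly | mail -s "listener diff" root
STATE_DIR=${STATE_DIR:-/var/lib/listener-diff}
nightly_report() {
    mkdir -p "$STATE_DIR" || return 1
    today=$(netstat -tuln 2>/dev/null)
    RPCINFO=$(rpcinfo -p 2>/dev/null)     # refresh the owner table from the live portmap
    [ -f "$STATE_DIR/last" ] && explain_changes "$(cat "$STATE_DIR/last")" "$today"
    printf '%s\n' "$today" > "$STATE_DIR/last"
}

if [ "${1:-}" = "--demo" ]; then explain_changes "$SNAP_OLD" "$SNAP_NEW"; fi
if [ "${1:-}" = "--nightly" ]; then nightly_report; fi
```

Run with `--demo` to see the constructed case: udp/635 disappears with no portmap owner (the old registration is gone), tcp/515 appears with no owner (the printer daemon is not an RPC service), and udp/636 appears owned by program 100005 mountd. The useful habit is to track RPC services by program number, not by port; a port that differs from yesterday's is only worth a second look when the program behind it also differs, or when nothing is registered there at all. On current systems `ss -tuln` gives the same information, with the local address in the fifth column rather than the fourth.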