Very Computer

i've got the following:

from netstat -an on a RedHat 6.0 Linux system:

tcp         0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:2364        0.0.0.0:*

does anyone know what these 2 ports could be using?

netbus uses 12345 by default, however some IRC servers do too.  i can't find
anything on UDP 2364.

the system does masquerading as well, but these don't appear in the
netstat -nM list of active connections.

i checked CERT, and other security sites...couldn't find more that the stuff
about netbus and irc.

thanks in advance,

-matt

(please remove the "WRITE." from my return address before mailing.)

as far as the 12345, it's quite possibly a trojan. the way to find out
both is to use lsof, list open files

ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

if you can see that in your netstat..then i wouldn't be too
concerned...as he is probably an immature

Quote:> i've got the following:

> from netstat -an on a RedHat 6.0 Linux system:

> tcp         0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
> udp        0      0 127.0.0.1:2364        0.0.0.0:*

> does anyone know what these 2 ports could be using?

> netbus uses 12345 by default, however some IRC servers do too.  i can't find
> anything on UDP 2364.

> the system does masquerading as well, but these don't appear in the
> netstat -nM list of active connections.

> i checked CERT, and other security sites...couldn't find more that the stuff
> about netbus and irc.

> thanks in advance,

> -matt

> (please remove the "WRITE." from my return address before mailing.)

--
  .~.  ~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~
  /V\                     KeyId  1024D/2AB39B99
 // \\       20B5 BE61 3E0D 81C2 E065  94FF 8856 90A2 2AB3 9B99
/(   )\   Call me insane one more time and I'll eat your other eye!
 ^`~'^   '~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'~'

On Tue, 1 Feb 2000 00:49:00 GMT, "Matthew Glogowski"

comp.os.linux.security :

Quote:>i've got the following:

>from netstat -an on a RedHat 6.0 Linux system:

>tcp         0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN

Nothing is listed on the RFC

Quote:>udp        0      0 127.0.0.1:2364        0.0.0.0:*

nothing listed

Quote:>does anyone know what these 2 ports could be using?

Any port >1024 is free realm.  Anything could be using it.

--
Bill "Houdini" Weiss

--
Hacker`s thought ?
My computer is my Heaven,
Real life is my Hell

Try

fuser -n tcp 12345
fuser -n udp 2364

to get the process id of who's listening on those ports.

BTW 12345 is netbus (popular win remote administration tool).

Bye,
Alberto
--
Alberto BARSELLA
PGP fingerprint = 13 3F 22 D2 0B 0A D3 25  F1 89 FE B5 82 AD 75 2A
** Beliefs are dangerous. Beliefs allow the mind to stop functioning.
A non-functioning mind is clinically dead.  Believe in nothing... **

On Tue, 1 Feb 2000 00:49:00 GMT, Matthew Glogowski

Do you have some kind of port sentry software running?

Joe

Try netstat -aenp , it will list all the ports open and the programs
associated with the port

Guy

Quote:> i've got the following:

> from netstat -an on a RedHat 6.0 Linux system:

> tcp         0      0 0.0.0.0:12345           0.0.0.0:*
LISTEN
> udp        0      0 127.0.0.1:2364        0.0.0.0:*

> does anyone know what these 2 ports could be using?

> netbus uses 12345 by default, however some IRC servers do too.  i can't
find
> anything on UDP 2364.

> the system does masquerading as well, but these don't appear in the
> netstat -nM list of active connections.

> i checked CERT, and other security sites...couldn't find more that the
stuff
> about netbus and irc.

> thanks in advance,

> -matt

> (please remove the "WRITE." from my return address before mailing.)

I issued the fuser commands.  The result was that:

port 12345 is for ssl_cache
port 2364 was being used by Samba (smbd -D)

i suppose these could be trojaned.

i'm using redhat webserver 2.x software with SSL so that seems to be valid.
i don't know about why samba would be using 2364/udp???

-matt