Funny story about port 31337...

Post by flat1in » Mon, 27 Aug 2001 15:14:01



Hey everyone,

    First, I've been lurking on this group for some time and just wanted to
say hi and thanks for all of the knowledge that I've gleaned from this NG.
Second, I wanted to relay a funny story that happened to me.  Ok, so I'll be
the first to admit that I'm not the most knowledgeable person when it comes
to complex firewall systems - most of the stuff I do involves either VERY
lax or VERY strict security, which are both pretty easy to set up.  On my
home network, I am running various services on various ports on various
machines, so port mapping and route tables are a bit more complex.  After I
had everything set up, I began to test it.  Those of you "in the know" will
probably begin to see where this is going when I mention the fact that I was
running portsentry on the box being tested.  nmap -sT localhost returned a
SHITLOAD of open ports, including 31337.  I called both of my roommates who
were at work and DEMANDED to know what the hell they had been doing on that
*ing box the night before.  Both of them freaked out when I told them the
port number.  After I had them both pretty nervous, I decided to hit deja
and try to figure out exactly *which* one of them I should beat.  After the
first few posts, I realized my folly, disabled portsentry and re-scanned.
Lesson learned: Don't freak until AFTER you've had enough coffee to wake up
and properly research a problem.

Mark

 
 
 

Post by Henk Schaefe » Tue, 28 Aug 2001 23:38:42


What would bother me personally is the fact that both roommates reacted
nervously ;)


> Hey everyone,
>
>     First, I've been lurking on this group for some time and just wanted
> to say hi and thanks for all of the knowledge that I've gleaned from this
> NG.  Second, I wanted to relay a funny story that happened to me.  Ok, so
> I'll be the first to admit that I'm not the most knowledgeable person when
> it comes to complex firewall systems - most of the stuff I do involves
> either VERY lax or VERY strict security, which are both pretty easy to set
> up.  On my home network, I am running various services on various ports on
> various machines, so port mapping and route tables are a bit more complex.
> After I had everything set up, I began to test it.  Those of you "in the
> know" will probably begin to see where this is going when I mention the
> fact that I was running portsentry on the box being tested.  nmap -sT
> localhost returned a SHITLOAD of open ports, including 31337.  I called
> both of my roommates who were at work and DEMANDED to know what the hell
> they had been doing on that *ing box the night before.  Both of them
> freaked out when I told them the port number.  After I had them both
> pretty nervous, I decided to hit deja and try to figure out exactly
> *which* one of them I should beat.  After the first few posts, I realized
> my folly, disabled portsentry and re-scanned.  Lesson learned: Don't freak
> until AFTER you've had enough coffee to wake up and properly research a
> problem.
>
> Mark


 
 
 

Post by Robert Berr » Wed, 29 Aug 2001 12:55:37


On Sun, 26 Aug 2001 01:14:01 -0500, "flat1ine"


>  ... interesting post about discovering open port 31337 deleted ...

OK, maybe I'm a little dense here.  You discovered a machine listening
on port 31337.  Unless I'm missing something you have a machine that
has been trojaned with BackOrifice.  I'd still want to know what my
roommates had been doing that allowed the trojan in.

This is very different than being scanned for something listening on
port 31337 (I see that in my firewall logs all the time.)

Am I confused here?

Later,
Bob

 
 
 

Post by Hal Burgi » Wed, 29 Aug 2001 13:04:28


On Mon, 27 Aug 2001 22:55:37 -0500, Robert Berry


>Am I confused here?

It was *portsentry* listening. That's how it works.

--
Hal B




 
 
 

Post by Luke Voge » Wed, 29 Aug 2001 13:30:03



> OK, maybe I'm a little dense here.  You discovered a machine listening
> on port 31337.  Unless I'm missing something you have a machine that
> has been trojaned with BackOrifice.  I'd still want to know what my
> roommates had been doing that allowed the trojan in.

ermmm ... yep & yep ... you missed something.  Read the whole post.

--
Regards
Luke
------
Q:  What does FAQ stand for?
A:  We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
PLEASE NOTE: Spamgard (tm) installed.

------

 
 
 

Post by Rudolf Polze » Wed, 29 Aug 2001 13:33:22



>  On Sun, 26 Aug 2001 01:14:01 -0500, "flat1ine"

> >  ... interesting post about discovering open port 31337 deleted ...

>  OK, maybe I'm a little dense here.  You discovered a machine listening
>  on port 31337.  Unless I'm missing something you have a machine that
>  has been trojaned with BackOrifice.  I'd still want to know what my
>  roommates had been doing that allowed the trojan in.

No. Mine listens on 31337 - and it is only FakeBO.

--
2.4.5 in drivers/nubus/nubus.c:
  (777): Bwahahahaha...
  (782): Even more evil laughter...

 
 
 

Post by . » Thu, 30 Aug 2001 04:12:32



> OK, maybe I'm a little dense here.  You discovered a machine listening
> on port 31337.

The part you missed was the OP was running Portsentry, which
listens for connections (appears open from outside) on port 31337
when using the -tcp command line switch.

This topic comes up every 2-3 weeks on this NG, it's
a FAQ candidate.

DoT

 
 
 

Post by Chris Ventur » Thu, 30 Aug 2001 05:19:39


>     First, I've been lurking on this group for some time and just wanted
> to say hi and thanks for all of the knowledge that I've gleaned from this
> NG.  Second, I wanted to relay a funny story that happened to me.  Ok, so
> I'll be the first to admit that I'm not the most knowledgeable person when
> it comes to complex firewall systems - most of the stuff I do involves
> either VERY lax or VERY strict security, which are both pretty easy to set
> up.  On my home network, I am running various services on various ports on
> various machines, so port mapping and route tables are a bit more complex.
> After I had everything set up, I began to test it.  Those of you "in the
> know" will probably begin to see where this is going when I mention the
> fact that I was running portsentry on the box being tested.  nmap -sT
> localhost returned a SHITLOAD of open ports, including 31337.  I called
> both of my roommates who were at work and DEMANDED to know what the hell
> they had been doing on that *ing box the night before.  Both of them
> freaked out when I told them the port number.  After I had them both
> pretty nervous, I decided to hit deja and try to figure out exactly
> *which* one of them I should beat.  After the first few posts, I realized
> my folly, disabled portsentry and re-scanned.  Lesson learned: Don't freak
> until AFTER you've had enough coffee to wake up and properly research a
> problem.

If you run Portsentry in its Native mode, your ports being listened to will
be bound.  Therefore port 31337 will show up and show up on a scan.  I run
my portsentry in stcp, and sudp (Stealth) mode, so they don't show up.

BTW, I have a story pretty similar to yours, and this is how I discovered
the very awesome use of the other portsentry options. :)

CV-64
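
The question this thread keeps circling is which process actually owns the listener on 31337. The following is an added example, not part of any post above: it parses Linux `netstat -tlnp` output and flags any listener on a portsentry decoy port that is not owned by portsentry. The sample netstat output and the decoy port list are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the format of Linux `netstat -tlnp` (run as root so
# the PID/Program column is populated). Not captured from a real host.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN   812/sshd
tcp        0      0 0.0.0.0:31337     0.0.0.0:*         LISTEN   1042/portsentry
tcp        0      0 0.0.0.0:12345     0.0.0.0:*         LISTEN   1042/portsentry
tcp        0      0 0.0.0.0:54320     0.0.0.0:*         LISTEN   2077/httpd
EOF
}

# listener_owner PORT
# Reads netstat -tlnp text on stdin, prints "pid/program" for each TCP
# listener bound to PORT (nothing if the port is not listening).
listener_owner() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # last field after ":" is the port
            if (a[n] == port) print $7
        }'
}

# audit_decoys "PORT,PORT,..."
# The argument is the decoy list, e.g. the TCP_PORTS value from
# portsentry.conf (the list used below is constructed). Prints
# "port owner verdict" for every listener on a decoy port. An owner of "-"
# (netstat run without root) is reported as INVESTIGATE, not assumed benign.
audit_decoys() {
    awk -v decoys="$1" '
        BEGIN { n = split(decoys, d, ","); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            k = split($4, a, ":"); p = a[k]
            if (!(p in want)) next
            split($7, o, "/")
            print p, $7, (o[2] == "portsentry" ? "decoy" : "INVESTIGATE")
        }'
}

# Demo on the constructed sample; on a live host: netstat -tlnp | audit_decoys "..."
sample_netstat | audit_decoys "31337,12345,54320"
```

A process name can be spoofed, so treat a "decoy" verdict as a lead and confirm the binary behind the PID (for example via /proc/PID/exe) before closing the question.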

 
 
 

1. port 31337 w/ nmap

When I have "net.inet.tcp.blackhole: 2" set, nmap shows the following:
31337/tcp  filtered    Elite  

(other ports I have accessible from the outside are identd, domain (DNS)
and ssh).

Full output from outside the firewall:
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh                    
53/tcp     open        domain                  
113/tcp    open        auth              

When I set the value to "0", this doesn't show up. I haven't seen any
evidence that I have been h4x0r3d, but this is a little unsettling... is
this a sort-of-funny joke in FreeBSD (or nmap), or should I be
concerned? I cannot see this port in netstat output (even if I copy the
netstat binary from another fbsd 4.8 machine), nor can I connect to it
from localhost or from outside. I do not, however, see this behavior
with another 4.8 box.

FreeBSD 4.8; nmap v 3.00.

--
No copies, please.
To reply privately, simply reply; don't remove anything.
