From: Andrea B. <and...@dl...> - 2003-03-25 10:09:49
Hi
	I have installed devil-linux 0.5
	I have configured named and squid.
	Named listens (netstat report) on
		udp        0      0 :::32769                :::*                                1369/named
	and squid on
		udp        0      0 0.0.0.0:32770           0.0.0.0:*                           1383/(squid)

	I test the same configuration on Mandrake 9.0 and they don't listen on that port.

	Can it be a trojanized version??

Thanks
andrea
From: Jet <jc...@tr...> - 2003-03-25 10:37:05
I'm not sure about Squid. For named, this is normal. To get rid of it, add the following to your named.conf:

    query-source address * port 53;   // or any other port number

BTW, it is not recommended for some security reasons.

- Jet

----- Original Message -----
From: "Andrea Bolzonella" <and...@dl...>
To: <dev...@li...>
Sent: Tuesday, March 25, 2003 01:36
Subject: [Devil-Linux-discuss] Troianized Version????
From: Friedrich L. <fl...@fl...> - 2003-03-25 18:20:46
Andrea Bolzonella wrote:
> Hi
> I have installed devil-linux 0.5
> I have configured named and squid.
> Named listens (netstat report) on
> udp        0      0 :::32769                :::*                                1369/named
> and squid on
> udp        0      0 0.0.0.0:32770           0.0.0.0:*                           1383/(squid)
>
> I test the same configuration on Mandrake 9.0 and they don't listen on that port.
>
> Can it be a trojanized version??

Can you please check it the way I show you now?

    # cd /tmp
    # wget ftp://ftp.fl.priv.at/pub/devil-linux/0.5/patch/base/LSOF.tar.bz2
    --19:16:51--  ftp://ftp.fl.priv.at/pub/devil-linux/0.5/patch/base/LSOF.tar.bz2
               => `LSOF.tar.bz2'
    Resolving ftp.fl.priv.at... done.
    Connecting to ftp.fl.priv.at[193.154.221.15]:21... connected.
    Logging in as anonymous ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD /pub/devil-linux/0.5/patch/base ... done.
    ==> PORT ... done.    ==> RETR LSOF.tar.bz2 ... done.
    Length: 39,393 (unauthoritative)

    100%[==================================================================================================>] 39,393  2.21M/s  ETA 00:00

    19:16:51 (2.21 MB/s) - `LSOF.tar.bz2' saved [39393]

    # tar -C / -xjf LSOF.tar.bz2

    # netstat -un
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    udp        0      0 10.2.1.254:32773        10.2.1.98:514           ESTABLISHED

    # lsof -P -n -i :32773
    COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
    syslog-ng 664 root    4u  IPv4 381288       UDP 10.2.1.254:32773->10.2.1.98:514

-- 
MfG / Regards
Friedrich Lobenstock
____________________________________________________________________
Friedrich Lobenstock FL226-RIPE Internetservices
URL: http://www.fl.priv.at/  Email: fl...@fl...
____________________________________________________________________
From: Jet <jc...@tr...> - 2003-03-26 03:25:00
Normally, I would just simply "netstat -atunp" and it will show me the pid+process that listens on the TCP+UDP port number. I'll use lsof if I suspect netstat has been compromised.

- Jet

----- Original Message -----
From: "Friedrich Lobenstock" <fl...@fl...>
To: <dev...@li...>
Sent: Wednesday, March 26, 2003 02:20
Subject: Re: [Devil-Linux-discuss] Troianized Version????
From: Andrea B. <and...@dl...> - 2003-03-26 09:18:48
> Can you please check it the way I show you now?

netstat -alnp:

    tcp        0      0 XXX.XXX.XXX.XXX:8080    0.0.0.0:*               LISTEN      1383/(squid)
    tcp        0      0 XXX.XXX.XXX.XXX:53      0.0.0.0:*               LISTEN      1369/named
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1369/named
    tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1369/named
    tcp        0      0 :::22                   :::*                    LISTEN      1385/sshd
    tcp        0      0 ::ffff:XXX.XXX.XXX.XXX:22 ::ffff:XXX.XXX.XXX.XXX:32776 ESTABLISHED 1476/sshd
    udp        0      0 XXX.XXX.XXX.XXX:32768   XXX.XXX.XXX.XXX:514     ESTABLISHED 551/syslog-ng
    udp        0      0 0.0.0.0:32770           0.0.0.0:*                           1383/(squid)   <---- LOOK HERE
    udp        0      0 XXX.XXX.XXX.XXX:53      0.0.0.0:*                           1369/named
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           1369/named
    udp        0      0 XXX.XXX.XXX.XXX:123     0.0.0.0:*                           1395/ntpd
    udp        0      0 XXX.XXX.XXX.XXX:123     0.0.0.0:*                           1395/ntpd
    udp        0      0 127.0.0.1:123           0.0.0.0:*                           1395/ntpd
    udp        0      0 0.0.0.0:123             0.0.0.0:*                           1395/ntpd
    udp    65356      0 :::32769                :::*                                1369/named     <---- LOOK HERE

As you can see there is 65356 in Recv-Q. I opened a connection and wrote some data, but no one has read it from the kernel buffer.

    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  3      [ ]         DGRAM                    5506   551/syslog-ng       /jail/ISC_BIND/dev/log
    unix  5      [ ]         DGRAM                    5508   551/syslog-ng       /dev/log
    unix  2      [ ]         DGRAM                    6042   1395/ntpd
    unix  2      [ ]         DGRAM                    5772   1383/(squid)
    unix  2      [ ]         DGRAM                    5759   1376/squid
    unix  2      [ ]         DGRAM                    5518   1369/named
    unix  2      [ ]         DGRAM                    4687   554/klogd

--------> netstat -alnp END

lsof -P -n -i :32769

    COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
    named   1369 root    8u  IPv6   5528       UDP *:32769
    named   1370 root    8u  IPv6   5528       UDP *:32769
    named   1371 root    8u  IPv6   5528       UDP *:32769
    named   1372 root    8u  IPv6   5528       UDP *:32769
    named   1373 root    8u  IPv6   5528       UDP *:32769

lsof -P -n -i :32770

    COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
    squid   1383 root    5u  IPv4   5773       UDP *:32770

I hope this can help you!
Thanks
Andrea
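As an added example, not from the thread or from the Devil-Linux project: a small Python script that parses netstat -alnp output like Andrea's and flags the two things the thread points at, UDP sockets bound to an ephemeral port with no peer (the pattern named's query-source port and squid's socket show above) and a non-zero Recv-Q. The embedded sample is constructed from the thread's rows with 192.0.2.x standing in for the masked addresses, and the ephemeral range is assumed to be the Linux 2.4 default.

```python
from dataclasses import dataclass

# Sample netstat -alnp output, constructed from the rows in the thread; 192.0.2.x
# stands in for the masked XXX.XXX.XXX.XXX addresses.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.2.1:53            0.0.0.0:*               LISTEN      1369/named
tcp        0      0 :::22                   :::*                    LISTEN      1385/sshd
udp        0      0 192.0.2.1:32768         192.0.2.2:514           ESTABLISHED 551/syslog-ng
udp        0      0 0.0.0.0:32770           0.0.0.0:*                           1383/(squid)
udp        0      0 192.0.2.1:53            0.0.0.0:*                           1369/named
udp    65356      0 :::32769                :::*                                1369/named
"""

EPHEMERAL = (32768, 61000)  # assumption: Linux 2.4 default ip_local_port_range

@dataclass
class Sock:
    proto: str
    recvq: int
    local: str
    remote: str
    state: str
    prog: str

    @property
    def port(self) -> int:
        return int(self.local.rsplit(":", 1)[1])

def parse(text):
    """Parse netstat -aln[p] rows; the State column is empty for unconnected UDP."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        state = f[5] if len(f) > 6 else ""   # only 6 fields => no State column
        socks.append(Sock(f[0], int(f[1]), f[3], f[4], state, f[-1]))
    return socks

def triage(text):
    """Return (program, port, reason) triples worth confirming with lsof -P -n -i :PORT."""
    findings = []
    for s in parse(text):
        unbound_udp = s.proto.startswith("udp") and s.remote.endswith(":*")
        if unbound_udp and EPHEMERAL[0] <= s.port <= EPHEMERAL[1]:
            findings.append((s.prog, s.port, "udp socket on ephemeral port, no peer"))
        if s.recvq > 0:
            findings.append((s.prog, s.port, f"Recv-Q={s.recvq}: queued data never read"))
    return findings
```

The listening-on-53 rows and the syslog-ng socket, which has a peer, are left alone; what remains is exactly the set of sockets to hand to lsof, as Friedrich and Jet suggest.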