> See interspersed comments below.

My replies interspersed

> Quoting Alex Pankratz <[EMAIL PROTECTED]>:
>
> > My apologies in advance if this is the wrong place to ask this, this
> > is my first time asking for help.
> >
> > What is running on port 699? I only have squid, ssh, and dhcpd
> > listening on my 2 internal interfaces, but nothing on my external one
> > (XXX.XXX.XXX.XXX below)
> >
> > I just ran nmap, and it returned:
> > Discovered open port 699/tcp on XXX.XXX.XXX.XXX
> > Discovered open port 111/tcp on XXX.XXX.XXX.XXX
> >
> > And netstat shows:
> > netstat -na | grep 699
> > tcp 0 0 0.0.0.0:699 0.0.0.0:* LISTEN
> >
>
> Try: lsof -i4 -P | grep 699

rpc.statd 1789 root 6u IPv4 2165 TCP *:699 (LISTEN)

> > I ran chkrootkit and it returned nothing
> >
> > Google tells me:
> > # Thomas Clausen <[EMAIL PROTECTED]>
> > accessnetwork 699/tcp Access Network
> > accessnetwork 699/udp Access Network
> >
> > - What is "Access Network"?
> > - How can I get RPC to not listen on port 111 at all?
>
> apt-get --purge remove portmap

Did, and that made both 111 and 699 not show up in nmap scan. Sweet, thanks Jeffrey.

I could swear that in the past I saw 111 open and I sort of ignored it. Why would 699 be open now, and then closed? Why is statd running? I don't use NFS.

On a possibly related note, snort is showing me a ton of "SCAN FIN" messages from the same IP, just recently.

Also on a possibly related note, could that be the reason why snort is also showing me "(portscan) TCP Portsweep" originating from my external interface?

>
> or
>
> invoke-rc.d portmap stop
>
> > - Do the 0.0.0.0 results for netstat mean all (3) of my ethernet
> > interfaces listen for those ports?
>
> Yes, 0.0.0.0 means all interfaces.
>
> > This is a Debian Linux 2.4.27-2-386, and it's been updated/upgraded as
> > much as possible, except for the recent kernel update just released.
> >
> > Your help is appreciated,
> >
> > Alex
> >
>
> HTH,
> Jeffrey
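Added example, not part of the original thread: rpc.statd binds a dynamically chosen port and registers it with the portmapper, so cross-referencing `netstat -na` listeners against `rpcinfo -p` names a port such as 699 more reliably than the IANA services list does. The sample data below is constructed (the 192.168.1.1 address and the rpcinfo rows are assumptions modelled on the thread), and `explain_listeners` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample data modelled on the thread (not captured from a real host).
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:699             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:3128        0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN'

RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    696  status
    100024    1   tcp    699  status'

# explain_listeners NETSTAT_TEXT RPCINFO_TEXT   (hypothetical helper)
# Prints one line per TCP listener: port, bind scope, RPC service name or "-".
explain_listeners() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        # The "---" separator marks the switch from rpcinfo rows to netstat rows.
        /^---$/ { in_netstat = 1; next }
        # rpcinfo -p rows: program vers proto port [service]
        !in_netstat && $3 == "tcp" && $4 ~ /^[0-9]+$/ {
            rpc[$4] = ($5 != "") ? $5 : ("rpc-prog-" $1)
            next
        }
        # netstat -na rows: proto recv-q send-q local foreign state
        in_netstat && $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            # 0.0.0.0 is the wildcard address: the socket accepts on every interface.
            scope = (addr == "0.0.0.0") ? "all-interfaces" : ("only-" addr)
            svc = (port in rpc) ? rpc[port] : "-"
            print port, scope, svc
        }'
}

# Live use would be: explain_listeners "$(netstat -na)" "$(rpcinfo -p)"
explain_listeners "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

In the output, "status" is the RPC program registered by rpc.statd and "portmapper" is portmap itself; listeners marked "all-interfaces" are the ones reachable from the external interface unless a firewall blocks them.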

