On Thursday 21 June 2001 03:41 pm, you wrote:
> On Thu, 21 Jun 2001, G. T. Francisco, III wrote:
> ..
>
> > > 32777/tcp open sometimes-rpc17
> > > 32779/tcp open sometimes-rpc21
> > > ..
> > >
> > > what are these ports? please God don't tell me I've been rootkitted
> > > AGAIN. I was running an old and vulnerable ProFTPd for a while.
> >
> > If this is a Solaris box, then it may be rpc.walld. Did you try the
> > usual "netstat -anp"?
>
> It's Linux...

I believe on the default RedHat 7.1 distro, the RPC services are
automatically started. These typically use the ports mentioned above.

The "netstat -anp" command should work as well; you may want to use "netstat
-anpe" for a more detailed list. I believe those ports are typically used
for RPC.

While the RPC services are more secure than they used to be, if you aren't
using them (i.e. NFS, etc.) you may want to turn them off. A CERT
advisory on rpc.statd indicates that, if you have a vulnerable rpc.statd,
processes may be started on your system with the access rights of the owner
of rpc.statd. This is typically root. If you are using NFS, you may want
to block, at your firewall, port 111 used by portmap and the RPC port on
which your rpc.statd is running.

Check out CERT advisory CA-2000-17, input validation problem in rpc.statd.
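
Added example, not part of the original message: one way to act on the "netstat -anp" advice is to cross-check each listening TCP port against the portmapper registrations reported by "rpcinfo -p", so that ports such as 32777 can be tied to a named RPC service and an owning process. The sample output, PIDs and addresses below are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample data; on a live host, save the real output instead:
#   netstat -anp > netstat.txt ; rpcinfo -p > rpcinfo.txt   (as root)
sample_netstat() { cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:111      0.0.0.0:*         LISTEN      498/portmap
tcp        0      0 0.0.0.0:32777    0.0.0.0:*         LISTEN      512/rpc.statd
tcp        0      0 0.0.0.0:32779    0.0.0.0:*         LISTEN      -
tcp        0      0 0.0.0.0:21       0.0.0.0:*         LISTEN      701/proftpd
tcp        0      0 192.0.2.10:22    192.0.2.50:40122  ESTABLISHED 650/sshd
udp        0      0 0.0.0.0:32768    0.0.0.0:*                     512/rpc.statd
EOF
}
sample_rpcinfo() { cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32777  status
EOF
}

# classify_listeners NETSTAT_FILE RPCINFO_FILE
# Prints "port owner tag" for every listening TCP socket. The tag is
# "rpc:<name>" when portmap has the port registered, else "not-in-portmap".
classify_listeners() {
    awk '
        # rpcinfo rows: program vers proto port name (header row is skipped)
        FILENAME == ARGV[1] { if ($4 ~ /^[0-9]+$/) rpc[$3 "/" $4] = $5; next }
        # netstat rows: keep listening TCP sockets only
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, addr, ":"); port = addr[n]
            tag = (("tcp/" port) in rpc) ? "rpc:" rpc["tcp/" port] : "not-in-portmap"
            print port, $7, tag
        }
    ' "$2" "$1"
}

# Run the classifier over the constructed samples.
demo() {
    d=$(mktemp -d) || return 1
    sample_netstat > "$d/netstat.txt"
    sample_rpcinfo > "$d/rpcinfo.txt"
    classify_listeners "$d/netstat.txt" "$d/rpcinfo.txt"
    rm -rf "$d"
}
demo
```

A listener that is not in the portmap table and shows "-" as its owner (netstat was not run as root, or the socket has no user-space process) is the one to look at first.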