Re: port 16001 and 111

2002-10-29 Thread Jean Christophe ANDRÉ
Tom Cook wrote:
 What the
 What's wrong with 'lsof -i :111' and 'lsof -i :16001'?

Nothing wrong with it! :)

 It tells you precisely what's attempting to connect...

Yes, except in his case there is no connection since there is no installed
daemon on this port, only some connection attempts he is trying to track.

So my solution is just to provide a mini-daemon allowing connecting and so
tracking. Use netstat or lsof in /root/spy.sh as you want. I'm just used to
using netstat so I gave an example with netstat, but you can use lsof instead
of course! :)

Cheers, J.C.





Re: port 16001 and 111

2002-10-29 Thread ben
On Monday 28 October 2002 11:59 pm, Jean Christophe ANDRÉ wrote:
 Tom Cook wrote:
  What the
  What's wrong with 'lsof -i :111' and 'lsof -i :16001'?

 Nothing wrong with it! :)

  It tells you precisely what's attempting to connect...

 Yes, except in his case there is no connection since there is no installed
 daemon on this port, only some connection attempts he is trying to track.

 So my solution is just to provide a mini-daemon allowing connecting and so
 tracking. Use netstat or lsof in /root/spy.sh as you want. I'm just used to
 using netstat so I gave an example with netstat, but you can use lsof instead
 of course! :)

 Cheers, J.C.

way overkill. 16001 isn't being scanned and 111 is the most common target 
after 25. you're suggesting that the guy turn his server into a honeypot--to 
what end? disable portmap and nothing can get at 111. there's a difference 
between simply securing a box and assuming a role as cyber-detective. the 
former solves the problem, the latter has no end.

ben






Re: port 16001 and 111

2002-10-29 Thread Jean Christophe ANDRÉ
Hi,

ben wrote:
 way overkill. 16001 isn't being scanned and 111 is the most common target
 after 25. you're suggesting that the guy turn his server into a
 honeypot--to what end? disable portmap and nothing can get at 111. there's
 a difference between simply securing a box and assuming a role as
 cyber-detective. the former solves the problem, the latter has no end.

Please read the full thread before posting (or even only the first post).

He actually *is* asking for tracking the *internal* process trying
to connect *locally* to its port 111.

He knows about such attempts because he had filtered them.
But he can't guess which process attempts to connect to it.
And he just *wants* to know.

Tracking connection attempts *is* part of security, since it allows you
to know how things work, and better tune it once you understand it.

Regards, J.C.






Re: port 16001 and 111

2002-10-29 Thread ben
On Tuesday 29 October 2002 01:02 am, Jean Christophe ANDRÉ wrote:
 Hi,

 ben wrote:
  way overkill. 16001 isn't being scanned and 111 is the most common target
  after 25. you're suggesting that the guy turn his server into a
  honeypot--to what end? disable portmap and nothing can get at 111.
  there's a difference between simply securing a box and assuming a role as
  cyber-detective. the former solves the problem, the latter has no end.

 Please read the full thread before posting (or even only the first post).

 He actually *is* asking for tracking the *internal* process trying
 to connect *locally* to its port 111.

 He knows about such attempts because he had filtered them.
 But he can't guess which process attempts to connect to it.
 And he just *wants* to know.

 Tracking connection attempts *is* part of security, since it allows you
 to know how things work, and better tune it once you understand it.


you're missing the point. running a portmap daemon is the only 
vulnerability that the 111 port scans are attempting to exploit. that 
attempted exploit is part of the weather of being hooked up, in the same way 
that 25 is attempted to be used as a mail relay. there are--to the best of my 
knowledge--no internal apps or daemons that will cause the fashion of log 
alarm that the op is concerned to address. you're assuming that internal apps 
attempt external connections. for that to be a possibility, you'd have to 
have a mighty weird local setup. if you, or anybody, can give me a real 
example to justify your hypothesis, please do.

ben






Re: port 16001 and 111

2002-10-29 Thread Tom Cook
On  0, Jean Christophe ANDRÉ [EMAIL PROTECTED] wrote:
 Tom Cook wrote:
  What the
  What's wrong with 'lsof -i :111' and 'lsof -i :16001'?
 
 Nothing wrong with it! :)
 
  It tells you precisely what's attempting to connect...
 
 Yes, except in his case there is no connection since there is no installed
 daemon on this port, only some connection attempts he is trying to track.

Ah I understand now...

Tom
-- 
Tom Cook
Information Technology Services, The University of Adelaide

Not to limit itself to play in a sand vat.
- Google translation of, not to be stuck in a sandbox.

Get my GPG public key: 
https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au




Re: port 16001 and 111

2002-10-28 Thread Jean Christophe ANDRÉ
 Jean Christophe ANDRÉ [EMAIL PROTECTED] wrote:
  You said "what would try to connect to my system's port [...] 111
  from within my own system". I would answer "something that is
  configured to do so"?

Jussi Ekholm wrote:
 Yup, but what?

I suggest you make a little program listening on that port and spying on what
is trying to connect to it.

You may do something like this (needs apt-get install netcat):

- create a little script /root/spy.sh (just use netstat):
#!/bin/sh
(
  echo =
  date
  # -a rather than -l: the caller's end of the connection is not a listening socket
  netstat -anp
) >> /root/spy.txt
# yes, I know, there is no lock management, but hey! just for testing! :)
- launch a netcat in a terminal (or screen):
nc -l -p 111 -e /root/spy.sh      # for TCP connection
nc -l -p 111 -u -e /root/spy.sh   # for UDP connection
- open the 111 access:
iptables -I INPUT -i lo -p tcp --dport 111 -j ACCEPT
iptables -I INPUT -i lo -p udp --dport 111 -j ACCEPT
- then wait and check the /root/spy.txt:
tail -f /root/spy.txt

There are other (better) ways of doing this (by programming),
but this one is the easiest I can think of by now... :)

Cheers, J.C.
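
The "by programming" route mentioned at the end of the message above, as an added Python example that is not part of the original post: a loopback-only listener that, for each TCP connection to port 111, finds the caller's socket inode in /proc/net/tcp and the process holding it under /proc/<pid>/fd. It assumes Linux, root, IPv4 loopback and TCP only; the function names and the embedded sample table are constructed for illustration.

```python
#!/usr/bin/env python3
"""Name the local process behind each TCP connection to a loopback port.

Added illustration (Linux only, run as root). Assumptions: the port is free
(portmap stopped), the loopback ACCEPT rule from the message is in place,
and the log goes to the /root/spy.txt path used in the message.
"""
import os
import socket
import sys
import time

# Constructed sample in /proc/net/tcp layout: a listener on 127.0.0.1:111
# (0x006F) plus both ends of one loopback connection from port 50000 (0xC350).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0
   1: 0100007F:006F 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0 20 4 30 10 -1
   2: 0100007F:C350 0100007F:006F 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Return (local_port, remote_port, inode) for each socket row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue                      # column header or malformed line
        local_port = int(f[1].rsplit(":", 1)[1], 16)
        remote_port = int(f[2].rsplit(":", 1)[1], 16)
        rows.append((local_port, remote_port, int(f[9])))
    return rows


def client_inode(rows, listen_port, peer_port):
    """Inode of the caller's socket: its local port is the listener's peer port."""
    for local_port, remote_port, inode in rows:
        if local_port == peer_port and remote_port == listen_port and inode:
            return inode
    return None                           # caller already closed (inode 0) or gone


def owner_of_inode(inode, proc_root="/proc"):
    """Return (pid, command line) of the process holding socket:[inode]."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                      # process exited in the meantime
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) != target:
                    continue
                with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                    cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
            except OSError:
                continue                  # descriptor vanished while scanning
            return int(pid), cmd.strip()
    return None


def watch(port=111, log_path="/root/spy.txt"):
    """Accept loopback connections and log which process made each one."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))         # loopback only: nothing exposed externally
    srv.listen(16)
    while True:
        conn, (_addr, peer_port) = srv.accept()
        with open("/proc/net/tcp") as fh:  # look up before closing our end
            rows = parse_proc_net_tcp(fh.read())
        inode = client_inode(rows, port, peer_port)
        owner = owner_of_inode(inode) if inode else None
        with open(log_path, "a") as log:
            log.write("%s peer_port=%d owner=%r\n"
                      % (time.ctime(), peer_port, owner))
        conn.close()


if __name__ == "__main__":
    watch(int(sys.argv[1]) if len(sys.argv) > 1 else 111)
```

A caller that closes its socket before the lookup runs is logged with owner=None, so a short-lived probe may need several occurrences before it is caught.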






Re: port 16001 and 111

2002-10-28 Thread Tom Cook
On  0, Jean Christophe ANDRÉ [EMAIL PROTECTED] wrote:
[snip]
 You may do something like this (needs apt-get install netcat):
 
 - create a little script /root/spy.sh (just use netstat):
 #!/bin/sh
 (
   echo =
   date
   # -a rather than -l: the caller's end of the connection is not a listening socket
   netstat -anp
 ) >> /root/spy.txt
 # yes, I know, there is no lock management, but hey! just for testing! :)
 - launch a netcat in a terminal (or screen):
 nc -l -p 111 -e /root/spy.sh      # for TCP connection
 nc -l -p 111 -u -e /root/spy.sh   # for UDP connection
 - open the 111 access:
 iptables -I INPUT -i lo -p tcp --dport 111 -j ACCEPT
 iptables -I INPUT -i lo -p udp --dport 111 -j ACCEPT
 - then wait and check the /root/spy.txt:
 tail -f /root/spy.txt
 
 There are other (better) ways of doing this (by programming),
 but this one is the easiest I can think of by now... :)

What the

What's wrong with 'lsof -i :111' and 'lsof -i :16001'?  It tells you
precisely what's attempting to connect...

Tom
-- 
Tom Cook
Information Technology Services, The University of Adelaide

Do not meddle in the affairs of dragons, for you are crunchy, and taste good with 
ketchup.

Get my GPG public key: 
https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au




Re: port 16001 and 111

2002-10-26 Thread Jussi Ekholm
Noah L. Meyerhans [EMAIL PROTECTED] wrote:
 On Thu, Oct 17, 2002 at 07:15:08PM +0300, Jussi Ekholm wrote:
 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...
 
 What do you get from:
 netstat -ntlp | grep 16001

Nothing -- grep doesn't find a string '16001'. And this issue got
covered already, I think -- port 16001 had something to do with
Enlightenment's sound daemon.

But, the port 111... I've removed the symlinks of portmapper for rcX.d
directories with update-rc.d and stopped portmapper itself manually.
Still, I get to see 'sunrpc connection attempt from localhost...'
every day in iplogger.log. Yesterday, three times. This is a bit
puzzling and I'm out of ideas, but I hope this behaviour doesn't
compromise my system...

-- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E




Re: port 16001 and 111

2002-10-26 Thread Jussi Ekholm
Jean Christophe ANDRÉ [EMAIL PROTECTED] wrote:
 Jussi Ekholm wrote:
 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...
 
 You said "what would try to connect to my system's port [...] 111
 from within my own system". I would answer "something that is
 configured to do so"?

Yup, but what?

 You may not look what binds this port since you don't run portmap
 but instead what is configured to try NIS, NFS, ... access!  Did you
 tune your /etc/nsswitch.conf to try NIS? Or something else...

Nope, I haven't tuned anything concerning NIS or NFS, as I haven't had
any need to do so. Although, the file nsswitch.conf exists in /etc. I
think I *did* turn on the support what comes to kernel, but other than
that I haven't done anything. Now I've removed portmapper from boot-up
and stopped it from /etc/init.d/ manually (actually more than once
:-). This is the best I can think, but still I had three entries of
sunrpc connection attempts in my iplogger.log yesterday.

It seems, that the file you mentioned comes along with base-files, so
the removing of that package is out of the question *g*. Ah well, I'll
keep my eye sharp for these connection attempts recorded by iplogger,
and hope that my system's not compromised. Also, I'll try to look the
one to blame by checking logs and matching the time the events
happened and so on. Let's see if something turns up...

-- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E




Re: port 16001 and 111

2002-10-26 Thread Jussi Ekholm
Olaf Dietsche olaf.dietsche#[EMAIL PROTECTED] wrote:
 Jussi Ekholm [EMAIL PROTECTED] writes:
  rpcinfo: can't contact portmapper: RPC: Remote system error \
- Connection refused

 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...
 
 This means portmap isn't running. Connection refused means nothing
 listens on port 111. So, whatever is trying to contact port 111,
 there's no reason to be concerned.

That's good to hear, thanks.

 This could be valid requests from programs trying to contact NIS
 before DNS, however. Look at /etc/nsswitch.conf, whether NIS is
 mentioned.

Yes, NIS is mentioned:

$ grep -i nis /etc/nsswitch.conf
netgroup:   nis

But I can't make anything out of this. I guess I'll have to read
about portmapper to learn a bit about it -- at the moment, I'm
completely ignorant as I haven't had the need for it or anything.
Still, thanks for the help and your suggestions; the fact, that
nothing listens on port 111 makes me feel a little bit better, and
your sentence "there's no reason to be concerned" makes me feel even
better. :-) Of course, a Paranoid Android should still think, that
you belong to a secret group government has put up to extract
information of my daily use of it...

Thanks!

-- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E




Re: port 16001 and 111

2002-10-26 Thread Phillip Hofmeister
Greetings,

Yes, portmapper has something to do with NIS.  If you want to stop it
from running edit /etc/init.d/mountnfs.sh and comment out the line that
starts it.

As always, my generic advice about setting up IPTABLES applies here.
Once you have set up iptables you can block what services are
accessible.  Regardless of whether they happen to be running.

Regards,

-- 
Excuse #156: Just type 'mv * /dev/null'.

Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

XP Source Code:

#include win2k.h
#include extra_pretty_things_with_bugs.h
#include more_bugs.h
#include require_system_activation.h
#include phone_home_every_so_often.h
#include remote_admin_abilities_for_MS.h
#include more_restrictive_EULA.h
#include sell_your_soul_to_MS_EULA.h
//os_ver=Windows 2000
os_ver=Windows XP






Re: port 16001 and 111

2002-10-26 Thread Bart-Jan Vrielink
On Sat, 2002-10-26 at 22:19, Jussi Ekholm wrote:
 Olaf Dietsche olaf.dietsche#[EMAIL PROTECTED] wrote:
  Jussi Ekholm [EMAIL PROTECTED] writes:

 rpcinfo: can't contact portmapper: RPC: Remote system error \
   - Connection refused

  This means portmap isn't running. Connection refused means nothing
  listens on port 111. So, whatever is trying to contact port 111,
  there's no reason to be concerned.
 
 That's good to hear, thanks.

One way to find out what is trying to connect to the portmapper is to
leave portmap running and don't firewall it for requests coming from
localhost. Then use rpcinfo -p to see what programs do register
themselves to the portmapper. When only portmapper has registered then
you'll get something like:
bartjan@trillian:~$ rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

But when you have a nis/nfs system then you'll see a lot more:
bartjan@trillian:~$ rpcinfo -p spiderwebs
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    743  status
    100024    1   tcp    753  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp  59043  nlockmgr
    100021    3   udp  59043  nlockmgr
    100021    4   udp  59043  nlockmgr
    100005    1   udp    834  mountd
    100005    1   tcp    850  mountd
    100005    2   udp    834  mountd
    100005    2   tcp    850  mountd
    100005    3   udp    834  mountd
    100005    3   tcp    850  mountd
    100011    1   udp    870  rquotad
    100011    2   udp    870  rquotad
    100011    1   tcp    873  rquotad
    100011    2   tcp    873  rquotad
    100004    2   udp    948  ypserv
 600100069    1   udp    953
    100004    1   udp    948  ypserv
    100009    1   udp    950  yppasswdd
 600100069    1   tcp    955
    100004    2   tcp    952  ypserv
    100004    1   tcp    952  ypserv
    100007    2   udp    962  ypbind
    100007    1   udp    962  ypbind
    100007    2   tcp    965  ypbind
    100007    1   tcp    965  ypbind
 545580417    1   udp   1012  ugidd

If you have some of the above processes running on your system, or other
processes with names starting with rpc. then they are likely responsible
for your port 111 connection attempts.
Proper debian packages that use rpc should depend on the portmapper
package, so you could try to 'apt-get -s remove portmap' and see what
packages turn up.

  This could be valid requests from programs trying to contact NIS
  before DNS, however. Look at /etc/nsswitch.conf, whether NIS is
  mentioned.
 
 Yes, NIS is mentioned:
 
   $ grep -i nis /etc/nsswitch.conf
   netgroup:   nis

netgroup is only useful when you have/use nis, on other systems this
line is ignored. Netgroup is a nice way to group a number of hosts
and/or users together. You can then use it for example to export a
certain NFS filesystem to the netgroup @workstations. Just leave that
line as it is now.

-- 
Goodbye,
Bart-Jan Vrielink


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: port 16001 and 111

2002-10-26 Thread Jussi Ekholm
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Noah L. Meyerhans [EMAIL PROTECTED] wrote:
 On Thu, Oct 17, 2002 at 07:15:08PM +0300, Jussi Ekholm wrote:
 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...
 
 What do you get from:
 netstat -ntlp | grep 16001

Nothing -- grep doesn't find a string '16001'. And this issue got
covered already, I think -- port 16001 had something to do with
Enlightenment's sound daemon.

But, the port 111... I've removed the symlinks of portmapper for rcX.d
directories with update-rc.d and stopped portmapper itself manually.
Still, I get to see 'sunrpc connection attempt from localhost...'
every day in iplogger.log. Yesterday, three times. This is a bit
puzzling and I'm out of ideas, but I hope this behaviour doesn't
compromise my system...

- -- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9uvXlAtEARxQQCB4RAj2SAJ96kZsuOJilED6Dk1deOgU2W5PqMQCfeuGw
B1QgBTYXzfqda4600ym4UFA=
=1XxG
-END PGP SIGNATURE-



Re: port 16001 and 111

2002-10-26 Thread Jussi Ekholm
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jean Christophe ANDRÉ [EMAIL PROTECTED] wrote:
 Jussi Ekholm écrivait :
 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...
 
 You said what would try to connect to my system's port [...] 111
 from within my own system. I would answer something that is
 configured to do so?

Yup, but what?

 You may not look what binds this port since you don't run portmap
 but instead what is configured to try NIS, NFS, ... access!  Did you
 tune your /etc/nsswitch.conf to try NIS? Or something else...

Nope, I haven't tuned anything concerning NIS or NFS, as I haven't had
any need to do so. Although, the file nsswitch.conf exists in /etc. I
think I *did* turn on the support what comes to kernel, but other than
that I haven't done anything. Now I've removed portmapper from boot-up
and stopped it from /etc/init.d/ manually (actually more than once
:-). This is the best I can think, but still I had three entries of
sunrpc connection attempts in my iplogger.log yesterday.

It seems, that the file you mentioned comes along with base-files, so
the removing of that package is out of the question *g*. Ah well, I'll
keep my eye sharp for these connection attempts recorded by iplogger,
and hope that my system's not compromised. Also, I'll try to look the
one to blame by checking logs and matching the time the events
happened and so on. Let's see if something turns up...

- -- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9uvdoAtEARxQQCB4RAlERAKDVJTJhLQp552tm34H5d1z+A3BHHgCfQm7S
xZV0w99yesSp4oWF3UqHWAI=
=lV9E
-END PGP SIGNATURE-



Re: port 16001 and 111

2002-10-26 Thread Jussi Ekholm
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Olaf Dietsche [EMAIL PROTECTED] wrote:
 Jussi Ekholm [EMAIL PROTECTED] writes:
  rpcinfo: can't contact portmapper: RPC: Remote system error \
- Connection refused

 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...
 
 This means portmap isn't running. Connection refused means nothing
 listens on port 111. So, whatever is trying to contact port 111,
 there's no reason to be concerned.

That's good to hear, thanks.

 This could be valid requests from programs trying to contact NIS
 before DNS, however. Look at /etc/nsswitch.conf, wether NIS is
 mentioned.

Yes, NIS is mentioned:

$ grep -i nis /etc/nsswitch.conf
netgroup:   nis

But I can't make anything out of this. I guess I'll have to read
about portmapper to learn a bit about it -- at the moment, I'm
completely ignorant as I haven't had the need for it or anything.
Still, thanks for the help and your suggestions; the fact, that
nothing listens on port 111 makes me feel a little bit better, and
your sentence there's no reason to be concerned makes me feel even
better. :-) Of course, a Paranoid Android should still think, that
you belong to a secret group government has put up to extract
information of my daily use of it...

Thanks!

- -- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9uvjLAtEARxQQCB4RAmdMAJ4g4EsCgsCzdKIHhnAQY/nDRVPj0ACgg7c9
LAE8Xe5ur/BrquR/PNF3T70=
=9C1C
-END PGP SIGNATURE-



Re: port 16001 and 111

2002-10-26 Thread Phillip Hofmeister
Greetings,

Yes, portmapper has something to do with NIS.  If you want to stop it
from running edit /etc/init.d/mountnfs.sh and comment out the line that
starts it.

As always, my generic advise about setting up IPTABLES applied here.
Once you have set up iptables you can block what services are
accessible.  Regardless of whether they happen to be running.

Regards,

-- 
Excuse #156: Just type \'mv * /dev/null\'. 

Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import

XP Source Code:

#include win2k.h
#include extra_pretty_things_with_bugs.h
#include more_bugs.h
#include require_system_activation.h
#include phone_home_every_so_often.h
#include remote_admin_abilities_for_MS.h
#include more_restrictive_EULA.h
#include sell_your_soul_to_MS_EULA.h
//os_ver=Windows 2000
os_ver=Windows XP



Re: port 16001 and 111

2002-10-26 Thread Bart-Jan Vrielink
On Sat, 2002-10-26 at 22:19, Jussi Ekholm wrote:
 Olaf Dietsche [EMAIL PROTECTED] wrote:
  Jussi Ekholm [EMAIL PROTECTED] writes:

 rpcinfo: can't contact portmapper: RPC: Remote system error \
   - Connection refused

  This means portmap isn't running. Connection refused means nothing
  listens on port 111. So, whatever is trying to contact port 111,
  there's no reason to be concerned.
 
 That's good to hear, thanks.

One way to find out what is trying to connect to the portmapper is to
leave portmap running and don't firewall it for request coming from
localhost. Then use rpcinfo -p to see what programs do register
themselves to the portmapper. When only portmapper has registered then
you'll get something like:
[EMAIL PROTECTED]:~$ rpcinfo -p
   program vers proto   port
102   tcp111  portmapper
102   udp111  portmapper

But when you have a nis/nfs system then you'll see a lot more:
[EMAIL PROTECTED]:~$ rpcinfo -p spiderwebs
   program vers proto   port
102   tcp111  portmapper
102   udp111  portmapper
1000241   udp743  status
1000241   tcp753  status
132   udp   2049  nfs
133   udp   2049  nfs
1000211   udp  59043  nlockmgr
1000213   udp  59043  nlockmgr
1000214   udp  59043  nlockmgr
151   udp834  mountd
151   tcp850  mountd
152   udp834  mountd
152   tcp850  mountd
153   udp834  mountd
153   tcp850  mountd
1000111   udp870  rquotad
1000112   udp870  rquotad
1000111   tcp873  rquotad
1000112   tcp873  rquotad
142   udp948  ypserv
 6001000691   udp953
141   udp948  ypserv
191   udp950  yppasswdd
 6001000691   tcp955
142   tcp952  ypserv
141   tcp952  ypserv
172   udp962  ypbind
171   udp962  ypbind
172   tcp965  ypbind
171   tcp965  ypbind
 5455804171   udp   1012  ugidd

If you have some of the above processes running on your system, or other
processes with names starting with rpc. then they are likely responsible
for your port 111 connection attempts.
Proper debian packages that use rpc should depend on the portmapper
package, so you could try to 'apt-get -s remove portmap' and see what
packages turn up.

  This could be valid requests from programs trying to contact NIS
  before DNS, however. Look at /etc/nsswitch.conf, whether NIS is
  mentioned.
 
 Yes, NIS is mentioned:
 
   $ grep -i nis /etc/nsswitch.conf
   netgroup:   nis

netgroup is only useful when you have/use nis, on other systems this
line is ignored. Netgroup is a nice way to group a number of hosts
and/or users together. You can then use it for example to export a
certain NFS filesystem to the netgroup @workstations. Just leave that
line as it is now.

-- 
See you,
Bart-Jan Vrielink
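
Added example, not part of the message above: the two checks it describes (which programs have registered with the portmapper, and whether /etc/nsswitch.conf names NIS) as shell functions that read `rpcinfo -p` output and nsswitch.conf contents on stdin. The function names and the embedded sample inputs are constructed for illustration; treating `nisplus` as a NIS source goes beyond the `nis` entry shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). The sample inputs below are
# constructed, modelled on the listings quoted in the message above.

# Print "name proto port" for every RPC registration other than the
# portmapper itself (program 100000). Input: `rpcinfo -p` output on stdin.
rpc_registrations() {
    awk '
        $1 == "program" { next }          # header line
        NF < 4          { next }          # blank or malformed line
        $1 == 100000    { next }          # the portmapper registering itself
        {
            # unnamed programs are reported by their program number
            name = (NF >= 5) ? $5 : ("program-" $1)
            key = name " " $3 " " $4
            # several versions on one proto/port collapse to a single line
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Print each nsswitch.conf database whose source list names NIS.
# Input: nsswitch.conf contents on stdin.
nss_nis_databases() {
    awk '
        { sub(/#.*/, "") }                # strip comments first
        $1 ~ /:$/ {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++)
                if ($i == "nis" || $i == "nisplus") { print db; break }
        }'
}

# Constructed sample: a host with a few RPC services registered.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    743  status
    100004    2   udp    948  ypserv
    100004    1   udp    948  ypserv
 600100069    1   udp    953
    100007    2   tcp    965  ypbind'

# Constructed sample: only the netgroup database still points at NIS.
SAMPLE_NSSWITCH='# constructed sample
passwd:     compat
hosts:      files dns   # nis removed
netgroup:   nis'

# On a live system:  rpcinfo -p | rpc_registrations
#                    nss_nis_databases < /etc/nsswitch.conf
printf '%s\n' "$SAMPLE_RPCINFO"  | rpc_registrations
printf '%s\n' "$SAMPLE_NSSWITCH" | nss_nis_databases
```

An empty result from both functions on a real host means nothing is registered with the portmapper and no name-service database is configured to ask NIS.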



Re: port 16001 and 111

2002-10-18 Thread Jean Christophe ANDRÉ
Jussi Ekholm wrote:
 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...

You said what would try to connect to my system's port [...] 111
from within my own system. I would answer something that is configured
to do so?

You may not look what binds this port since you don't run portmap
but instead what is configured to try NIS, NFS, ... access!
Did you tune your /etc/nsswitch.conf to try NIS? Or something else...

Regards, J.C.






Re: port 16001 and 111

2002-10-18 Thread Olaf Dietsche
Jussi Ekholm [EMAIL PROTECTED] writes:

 Olaf Dietsche olaf.dietsche#[EMAIL PROTECTED] wrote:
 Jussi Ekholm [EMAIL PROTECTED] writes:
 So, what would try to connect to my system's port 16001 and 111
 from within my own system? Should I be concerned? Should I expect
 the worst?  Any insight on this issue would calm me down...
 
 Port 111 is used by portmap. If you don't use RPC services, you can
 stop it. I don't use it on my desktop machine. Try rpcinfo -p to
 see, whether there's anything running on your computer.

 Well, at least knowingly I don't use any RPC services. :-) And this is
 what 'rpcinfo -p' gives me:

   rpcinfo: can't contact portmapper: RPC: Remote system error \
 - Connection refused

 (I split it in two lines)

 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...

This means portmap isn't running. Connection refused means nothing
listens on port 111. So, whatever is trying to contact port 111,
there's no reason to be concerned.

This could be valid requests from programs trying to contact NIS
before DNS, however. Look at /etc/nsswitch.conf, whether NIS is
mentioned.

Regards, Olaf.



Re: port 16001 and 111

2002-10-17 Thread Jussi Ekholm

Martin Grape [EMAIL PROTECTED] wrote:
 15 Oct 2002, Jussi Ekholm wrote:
 Still, the connection attempt from localhost to port 111 puzzles me...
 
 Off the top of my head: Do you have any nfs services running on the
 machine?  I seem to remember sunrpc being used by the nfs-server

No NFS nor NIS in this system - that's why it is so puzzling...

-- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E




Re: port 16001 and 111

2002-10-17 Thread Jussi Ekholm

Olaf Dietsche olaf.dietsche#[EMAIL PROTECTED] wrote:
 Jussi Ekholm [EMAIL PROTECTED] writes:
 So, what would try to connect to my system's port 16001 and 111
 from within my own system? Should I be concerned? Should I expect
 the worst?  Any insight on this issue would calm me down...
 
 Port 111 is used by portmap. If you don't use RPC services, you can
 stop it. I don't use it on my desktop machine. Try rpcinfo -p to
 see, whether there's anything running on your computer.

Well, at least knowingly I don't use any RPC services. :-) And this is
what 'rpcinfo -p' gives me:

rpcinfo: can't contact portmapper: RPC: Remote system error \
  - Connection refused

(I split it in two lines)

The same answer as a luser and as a root. What should I deduct from
this? It's just so weird as I'm not running NFS, NIS or any other
thingie that should use this port...

-- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E




Re: port 16001 and 111

2002-10-17 Thread Noah L. Meyerhans
On Thu, Oct 17, 2002 at 07:15:08PM +0300, Jussi Ekholm wrote:
 The same answer as a luser and as a root. What should I deduct from
 this? It's just so weird as I'm not running NFS, NIS or any other
 thingie that should use this port...

What do you get from:
netstat -ntlp | grep 16001

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: port 16001 and 111

2002-10-15 Thread Tom Cook

On  0, Jussi Ekholm [EMAIL PROTECTED] wrote:
 Good morning (from Finland).
 
 I can't remember if I've already asked this here, but this concerns me
 quite a bit, so I'll ask anyway. So, 'iplogger' shows me, that there
 has been connection attempts to port 16001 from inside my system
 (127.0.0.1) from 14:02:02 to 15:02:23. During that time, there's also
 three sunrpc (port 111) connection attempts, again from inside my own
 system. Could someone possibly shed some light on this issue, because
 I'd so much like to know, what's this port 16001 and what the heck in
 my system would try to use that to the outer world. And even more I'd
 like to know about the connection attempts about port 111 -- maybe
 because I saw FBI ranking RPC services the most dangerous ones. :-)
 
 So, what would try to connect to my system's port 16001 and 111 from
 within my own system? Should I be concerned? Should I expect the worst?
 Any insight on this issue would calm me down...

Good afternoon (from Australia).  It's a beautiful, sunny 26 degrees
here...

Anyway, a google search for port 16001 tells me that port 16001 is
the default port for esd, the e(nlightenment?) sound daemon.  So check
if you have esd running, and if there are any apps that are trying to
connect to it (is your wm trying to play sounds when you click on
things, or something like that?)

Regards
Tom
-- 
Tom Cook
Information Technology Services, The University of Adelaide

If it weren't for electricity we'd all be watching television by candlelight.
- George Gobol

Get my GPG public key: 
https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au





Re: port 16001 and 111

2002-10-15 Thread Jussi Ekholm


Tom Cook [EMAIL PROTECTED] wrote:
 On  0, Jussi Ekholm [EMAIL PROTECTED] wrote:
 So, what would try to connect to my system's port 16001 and 111
 
 Good afternoon (from Australia). It's a beautiful, sunny 26 degrees
 here...

Hih, it's snowing here. :-)

 Anyway, a google search for port 16001 tells me that port 16001 is
 the default port for esd, the e(nlightenment?) sound daemon.  So
 check if you have esd running, and if there are any apps that are
 trying to connect to it (is your wm trying to play sounds when you
 click on things, or something like that?)

Ah, thanks a lot! I only tried browsing around Google Groups a bit,
and bumped into my old posting about the same subject. *g* Anyway, I'm
using GNOME with Enlightenment, but I'm 100% sure I've disabled the
sound from this window manager. But now that I remember it, yesterday
when I installed GNOME the Enable sound server startup box was
checked from Sound-section of GNOME Control Center. I disabled the
feature yesterday, as well, as I got around to configure my brand new
desktop environment. :-) So, what comes to 16001, it was a false alarm.

Still, the connection attempt from localhost to port 111 puzzles me...

-- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E




Re: port 16001 and 111

2002-10-15 Thread Martin Grape

15 Oct 2002, Jussi Ekholm wrote:

 Still, the connection attempt from localhost to port 111 puzzles me...

Off the top of my head: Do you have any nfs services running on the machine?
I seem to remember sunrpc being used by the nfs-server ...

-- 
/Martin Grape
Network and System Admin
Trema (Europe) AB

Email : [EMAIL PROTECTED]|   Trema (Europe) AB
Phone : +46-8-4061161 |   Drottningatan 33, 1st floor
GSM   : +46-70-6326350|   S-103 24 Stockholm, Sweden






Re: port 16001 and 111

2002-10-15 Thread Alberto Cortés

On Tue, 15 Oct 2002, at 09:47 +0200,
 Martin wrote:

 15 Oct 2002, Jussi Ekholm wrote:
 Off the top of my head: Do you have any nfs services running on the machine?
 I seem to remember sunrpc being used by the nfs-server ...
-- End of original message --

NIS too.

-- 
Alberto Cortés Martín | Telecommunications Engineer
email: [EMAIL PROTECTED]  | Universidad Carlos III
Jabber and MSN: alcortes43 | Madrid
ICQ#: 101088159   | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html

  1A8B 0FE6 2094 8E48 38A2  7785 03CD 07CD 6CA4 E242






Re: port 16001 and 111

2002-10-15 Thread Giacomo Mulas

On Tue, 15 Oct 2002, Jussi Ekholm wrote:

 So, what would try to connect to my system's port 16001 and 111 from
 within my own system? Should I be concerned? Should I expect the worst?

port 16001 means that you are running gnome, and is perfectly normal. Port
111 is the portmapper, which means that there is a client connecting to an
RPC based service on your computer, i.e. NIS, whatever like that. As an
example, there are a few encrypted file systems which make use of NFS
on localhost, like CFS and SFS. Check it out. However, by the looks of it
it does not seem anything dangerous.

Bye
Giacomo

-- 
_

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248 Fax : +39 070 71180 222
_

When the storms are raging around you, stay right where you are
 (Freddy Mercury)
_






Re: port 16001 and 111

2002-10-15 Thread Olaf Dietsche

Hi there (from Germany),

Jussi Ekholm [EMAIL PROTECTED] writes:

 So, what would try to connect to my system's port 16001 and 111 from
 within my own system? Should I be concerned? Should I expect the worst?
 Any insight on this issue would calm me down...

Port 111 is used by portmap. If you don't use RPC services, you can
stop it. I don't use it on my desktop machine. Try rpcinfo -p to
see, whether there's anything running on your computer.

Regards, Olaf.






Re: port 16001 and 111

2002-10-15 Thread Daniel O'Neill

Specifically, port 16001 is ESD (ESound) IIRC..

On Tue, 2002-10-15 at 10:55, Giacomo Mulas wrote:
 On Tue, 15 Oct 2002, Jussi Ekholm wrote:
 
  So, what would try to connect to my system's port 16001 and 111 from
  within my own system? Should I be concerned? Should I expect the worst?
 
 port 16001 means that you are running gnome, and is perfectly normal. Port
 111 is the portmapper, which means that there is a client connecting to an
 RPC based service on your computer, i.e. NIS, whatever like that. As an
 example, there are a few encrypted file systems which make use of NFS
 on localhost, like CFS and SFS. Check it out. However, by the looks of it
 it does not seem anything dangerous.
 
 Bye
 Giacomo
 
 -- 
 _
 
 Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
 _
 
 OSSERVATORIO ASTRONOMICO DI CAGLIARI
 Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
 
 Tel.: +39 070 71180 248 Fax : +39 070 71180 222
 _
 
 When the storms are raging around you, stay right where you are
  (Freddy Mercury)
 _
 
 




Re: port 16001 and 111

2002-10-15 Thread Jussi Ekholm

Jussi Ekholm [EMAIL PROTECTED] wrote:
 So, what would try to connect to my system's port 16001 and 111 from
 within my own system? Should I be concerned? Should I expect the worst?
 Any insight on this issue would calm me down...

Oh, and I forgot to mention, that the connection attempts to port 16001
all took place within one hour, and _many_ attempts fit within one
second. So, there was, for example 15 attempts to port 16001 within,
say, 14:55:26. And when I checked syslog, I could see, that in the
same hour, minute and second there were these entries:

[...]
Oct 14 14:55:26 erpland gnome-name-server[18084]: starting
Oct 14 14:55:26 erpland gnome-name-server[18084]: name server starting
Oct 14 14:55:27 erpland gnome-name-server[18166]: server_is_alive: \
cnx[IDL:GNOME /Panel2:1.0] = 0x80556f0 
Oct 14 14:55:28 erpland gnome-name-server[18207]: server_is_alive: \
cnx[IDL:GNOME /Panel2:1.0] = 0x8055ab0 
Oct 14 14:55:29 erpland gnome-name-server[18223]: server_is_alive: \
cnx[IDL:GNOME /Panel2:1.0] = 0x8055cc0 
Oct 14 14:56:30 erpland gnome-name-server[18388]: server_is_alive: \
cnx[IDL:GNOME /control_center:1.0] = 0x8055d90 
Oct 14 14:56:54 erpland gnome-name-server[18391]: server_is_alive: \
cnx[IDL:GNOME /control_center:1.0] = 0x8055d90 
Oct 14 14:58:17 erpland gnome-name-server[18422]: server_is_alive: \
cnx[IDL:GNOME /Panel2:1.0] = 0x8056078 
[...]

Were these port 16001 connection attempts gnome-name-server's fault?
Yeah, I installed GNOME yesterday and lots of new stuff got into my
computer, but I've seen this port 16001 and sunrpc connection attempts
before, too. But I take, that this is somehow related to GNOME?

-- 
Jussi Ekholm [EMAIL PROTECTED] | http://erppimaa.ihku.org/ | 0x1410081E


