Yes, but stopping samba doesn't seem to close port 1025. It looks, from further investigation, like it's attempts (probably failed) to mount directories via nfs, which I don't like but am not terribly worried about:
nujoma:/var/log# lsof -i TCP:1025
COMMAND   PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.mount 671 root 4u IPv4   2750       TCP *:1025 (LISTEN)
rpc.mount 671 root 6u IPv4  13940       TCP (me, external interface):1025->user-24-214-178-146.knology.net:3821 (ESTABLISHED)
rpc.mount 671 root 7u IPv4  17011       TCP (me, external interface):1025->user-0c8gjqu.cable.mindspring.com:4742 (ESTABLISHED)
----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
[EMAIL PROTECTED] * andrew_perrin (at) unc.edu
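
Added example, not part of the original messages: a small Python parser for lsof -i output shaped like the listing above. It reports, per process, which established connections arrived on one of that process's own listening ports and which the process opened itself. The sample rows are constructed, with placeholder addresses and a hypothetical smbd row for contrast; it assumes IPv4 rows and that the accepting process is the one holding the LISTEN socket.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the lsof output above. 192.0.2.10 and the
# peer addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
COMMAND   PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.mount 671 root 4u IPv4   2750       TCP *:1025 (LISTEN)
rpc.mount 671 root 6u IPv4  13940       TCP 192.0.2.10:1025->198.51.100.7:3821 (ESTABLISHED)
rpc.mount 671 root 7u IPv4  17011       TCP 192.0.2.10:1025->203.0.113.9:4742 (ESTABLISHED)
smbd      702 root 9u IPv4  18200       TCP 192.0.2.10:40112->198.51.100.20:445 (ESTABLISHED)
"""

# NAME column: "local:port" for a listener, "local:port->peer:port" for a connection.
NAME_RE = re.compile(r"^(?P<local>\S+?):(?P<lport>\d+)(?:->(?P<peer>\S+):(?P<pport>\d+))?$")

def parse_lsof(text):
    """Yield (command, pid, local_port, peer, state) for each TCP row."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or not fields[-1].startswith("("):
            continue  # blank line or row without a TCP state
        m = NAME_RE.match(fields[-2])
        if not m:
            continue
        peer = f"{m['peer']}:{m['pport']}" if m["peer"] else None
        yield fields[0], int(fields[1]), int(m["lport"]), peer, fields[-1].strip("()")

def classify(text):
    """Group ESTABLISHED peers per process as inbound or outbound."""
    rows = list(parse_lsof(text))
    # A connection whose local port is one the same PID listens on was accepted,
    # i.e. the remote side connected to us.
    listeners = {(pid, port) for _, pid, port, _, state in rows if state == "LISTEN"}
    report = defaultdict(lambda: {"inbound": [], "outbound": []})
    for cmd, pid, port, peer, state in rows:
        if state != "ESTABLISHED":
            continue
        direction = "inbound" if (pid, port) in listeners else "outbound"
        report[(cmd, pid)][direction].append(peer)
    return dict(report)

if __name__ == "__main__":
    for (cmd, pid), conns in classify(SAMPLE).items():
        print(cmd, pid, conns)
```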
You're probably getting attacked with a remnant of the Sasser worm. It attaches to port 1025/tcp and attempts to execute code.
Jeff
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
