
Re: Any danger from these ports?

If you have set up sudo:

sudo netstat -lpn --inet

If you have not, then as root:

netstat -lpn --inet

This will show all listening "ip" ports and the program 
that has opened them.

Proto Recv-Q Send-Q LocalAddress ForeignAddress State PID/Program name
tcp 0 0* LISTEN 2361/mDNSResponder

mDNSResponder is part of HAL.

Happy Hunting.

On Sat, 2005-08-01 at 22:38 +0000, Paul wrote:
> Hi,
> I've just had a strange email from a friend who seems to have had an
> email from an unsavoury character which I sent to a closed list on 20th
> Dec.
> I've checked my box for r00tkits (none found) and open ports and have
> found 1539 and 5335 open. A web search hasn't revealed very much on
> these and they seem innocent enough (well, 5335 has been used for a
> virus before now...)
> There are few things in my logs which are suspicious...
> First are a couple like this
> Jan  1 22:18:35 T7 sshd[31409]: Invalid user test
> from ::ffff:
> Jan  1 22:18:36 T7 sshd[31409]: Address maps to prox.wares-
> consulting.com, but this does not map back to the address - POSSIBLE
> I seem to be subjected to a dictionary attack.
> I get users named guest, admin, test, patrick, rolo, iceuser, horde,
> cyrus, www, wwwrun, matt, jane, pamela, cosmin, cip52, cip51, noc,
> webmaster, user and no username etc.
> Most of the attacks come from three IP addresses (,
> and using various ports to get through via
> ssh2. None have gotten through.
> Should I be overly worried? I've closed ssh on my router, so that's one
> line of defence in the way :-)
> Paul
Guy Fraser
Network Administrator
The Internet Centre
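
Added example, not part of the original message: a shell filter for the `netstat -lpn --inet` output described in the reply, listing each listener reachable from off-host together with its owning program. The function names and every sample row (addresses, PIDs, program names such as progB) are constructed for illustration and do not describe the poster's machine.

```shell
#!/bin/sh
# Added example: summarise `netstat -lpn --inet` output read from stdin.
# Prints "proto port owner" for every listener whose local address is
# outside 127.0.0.0/8, i.e. reachable from other hosts.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)$/ { next }         # skip the two header lines
        {
            local_addr = $4
            # UDP rows have an empty State column, so the owner is field 6.
            owner = ($6 == "LISTEN") ? $7 : $6
            if (local_addr ~ /^127\./) next   # loopback only: not exposed
            port = local_addr
            sub(/^.*:/, "", port)             # keep what follows the last colon
            # netstat prints "-" when it could not read the owner,
            # typically because it was not run as root or through sudo.
            if (owner == "-" || owner == "") owner = "owner-unknown"
            print $1, port, owner
        }
    '
}

# Constructed sample in netstat column layout (not real output).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1801/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1750/cupsd
tcp        0      0 0.0.0.0:1539            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:5335            0.0.0.0:*                           2400/progB
EOF
}

# Live use, as root: netstat -lpn --inet | exposed_listeners
sample_netstat | exposed_listeners
```

An "owner-unknown" row means netstat could not name the process, so rerun the command as root before drawing conclusions about that port.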
