Subject: Re: port 511. help needed.
From: Waldchen, Erick (VIPTechSprt) (ewaldchenGLOBALCOMPUTER.COM)
Date: Wed Oct 25 2000 - 08:07:12 CDT


FWIW, I've found the Port Search tool on the Snort webpage to be quite
helpful when I'm not sure (i.e. forget) what a certain port is for. In this
case, port 511 doesn't look too good...
http://www.snort.org/Database/portsearch.asp

Erick

> -----Original Message-----
> From: Nazri Hussain [mailto:nazrihMIMOS.MY]
> Sent: Tuesday, October 24, 2000 9:14 PM
> To: FOCUS-LINUXSECURITYFOCUS.COM
> Subject: port 511. help needed.
>
>
> hi everybody,
>
> recently, I've port scanned (using nmap) my own server and found that port
> 511 is open for connection. I was wondering what port 511 is used for.
> Can I close it, and how?
>
> here are my details :
>
> 1. scan port using nmap
> --------------------------------------------------
> [root@penguin /root]# nmap -sS -v mydomain.com
>
> Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
> Host (www.xxx.yyy.zzz) appears to be up ... good.
> Initiating SYN Stealth Scan against (www.xxx.yyy.zzz)
> Adding TCP port 3306 (state open).
> Adding TCP port 80 (state open).
> Adding TCP port 511 (state open).
> Adding TCP port 22 (state open).
> The SYN Stealth Scan took 1 second to scan 1534 ports.
> Interesting ports on (www.xxx.yyy.zzz):
> (The 1526 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
> 80/tcp open http
> 511/tcp open passgo
> 3306/tcp open mysql
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
>
> --------------------------------------------------
>
>
> 2. netstat -a
> --------------------------------------------------
> [root@mydomain /]# netstat -a | less
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 *:511 *:* LISTEN
> tcp 0 0 *:www *:* LISTEN
> tcp 0 0 *:mysql *:* LISTEN
> tcp 0 0 *:ssh *:* LISTEN
> tcp 0 20 mydomain.com:ssh bpp82.domain.com:1035 ESTABLISHED
> raw 0 0 *:6 *:*
> raw 0 0 *:1 *:*
> --------------------------------------------------
>
>
> 3. lsof
> --------------------------------------------------
> [root@mydomain /]# lsof | less
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> in.inetd 139 root cwd DIR 8,17 4096 2 /
> in.inetd 139 root rtd DIR 8,17 4096 2 /
> in.inetd 139 root txt REG 8,6 282116 51251 /usr/sbin/in.inetd
> in.inetd 139 root 0u CHR 5,1 208869 /dev/console
> in.inetd 139 root 1u CHR 5,1 208869 /dev/console
> in.inetd 139 root 2u CHR 5,1 208869 /dev/console
> in.inetd 139 root 3r FIFO 0,0 6 pipe
> in.inetd 139 root 4w FIFO 0,0 6 pipe
> in.inetd 139 root 5r FIFO 0,0 7 pipe
> in.inetd 139 root 6w FIFO 0,0 7 pipe
> in.inetd 139 root 7u IPv4 153 TCP *:511 (LISTEN)
> in.inetd 139 root 21w FIFO 0,0 8 pipe
> --------------------------------------------------
>
> I've also checked the "/etc/inetd.conf" file, but nothing mentioned about
> "passgo" service.
>
> please help.
> thanks in advance.
>
> bye.
>
> -------------
> Nazri Hussain
>
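
An added example, not part of either message: the lsof output above shows in.inetd itself holding `*:511`, so the entry to look for is whichever active line in inetd.conf resolves to that port. inetd looks up each entry's first field in /etc/services, while nmap takes the label "passgo" from its own table, so the name in inetd.conf may differ. The function name, the sample files and the service name "localsvc" are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). inetd looks up the first field of each
# inetd.conf entry in /etc/services, and nmap labels ports from its own table,
# so searching inetd.conf for the nmap name ("passgo") can miss the entry.

# Usage: inetd_entries_for_port PORT PROTO [SERVICES_FILE] [INETD_CONF]
# Prints every active inetd.conf entry that resolves to PORT/PROTO.
inetd_entries_for_port() {
    awk -v port="$1" -v proto="$2" '
        # First file (services): collect each name and alias for port/proto.
        FILENAME == ARGV[1] {
            sub(/#.*/, "")
            if (NF >= 2 && $2 == (port "/" proto))
                for (i = 1; i <= NF; i++) if (i != 2) names[$i] = 1
            next
        }
        # Second file (inetd.conf): commented-out entries are not bound.
        /^[ \t]*#/ || NF < 6 { next }
        # Field 1 is a service name or a number, field 3 the protocol.
        index($3, proto) == 1 && ($1 == port || ($1 in names)) {
            print FNR ": " $0
        }
    ' "${3:-/etc/services}" "${4:-/etc/inetd.conf}"
}

# Constructed sample files; "localsvc" and its paths are hypothetical.
write_sample() {
    cat > "$1/services" <<'EOF'
ssh      22/tcp
passgo   511/tcp  localsvc   # alias
passgo   511/udp
EOF
    cat > "$1/inetd.conf" <<'EOF'
# <service> <socktype> <proto> <wait> <user> <server> <args>
#ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd
localsvc stream tcp nowait root /usr/local/sbin/localsvcd localsvcd
EOF
}

demo() {
    dir=$(mktemp -d) && write_sample "$dir" &&
    inetd_entries_for_port 511 tcp "$dir/services" "$dir/inetd.conf"
    rm -rf "$dir"
}
demo
```

Called with only a port and protocol, the function reads the host's own /etc/services and /etc/inetd.conf; the printed line number points at the entry to review and, if unwanted, comment out before reloading inetd.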