Security Basics mailing list archives

Re: process identification


From: Ivan Andres Hernandez Puga <ivan.hernandez () globalsis com ar>
Date: Tue, 04 May 2004 13:16:53 -0300

I see a lot of services there. I suppose that you use SSH to configure your server, but... you can surely shut down the portmapper, and also the rpc, xinetd, and do you really want the webmin interface on all day? Think about what services you really need. Also you can tell the X Window System not to listen on a TCP port... there is a lot to do!

Ivan

Stijn De Weirdt wrote:

i'm sorry, but i can't find the bad one. i've compared (and included) both the lsof and netstat results, and still nothing:


lsof | grep LIST:

COMMAND     PID    USER      FD   TYPE   DEVICE   SIZE   NODE  NAME
portmap     841    rpc       4u   IPv4   3028            TCP   *:sunrpc (LISTEN)
rpc.statd   914    rpcuser   6u   IPv4   3130            TCP   *:1024 (LISTEN)
X           1130   root      1u   IPv4   3374            TCP   *:x11 (LISTEN)
sshd        1208   root      3u   IPv4   3490            TCP   *:ssh (LISTEN)
xinetd      1233   root      5u   IPv4   5659            TCP   localhost.localdomain:1056 (LISTEN)
cupsd       1267   root      0u   IPv4   3653            TCP   *:ipp (LISTEN)
master      1620   root      11u  IPv4   3928            TCP   *:smtp (LISTEN)
miniserv.   1953   root      4u   IPv4   4301            TCP   *:10000 (LISTEN)
sshd        26573  stdweird  9u   IPv4   797219          TCP   localhost.localdomain:x11-ssh-offset (LISTEN)

netstat -tavp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address      State        PID/Program name
tcp        0      0 localhost.localdom:1056  *:*                  LISTEN       1233/xinetd
tcp        0      0 *:1024                   *:*                  LISTEN       914/rpc.statd
tcp        0      0 *:sunrpc                 *:*                  LISTEN       841/portmap
tcp        0      0 *:10000                  *:*                  LISTEN       1953/perl
tcp        0      0 *:x11                    *:*                  LISTEN       1130/X
tcp        0      0 xxx.xxx.xxx:81           *:*                  LISTEN       -
tcp        0      0 *:ssh                    *:*                  LISTEN       1208/sshd
tcp        0      0 *:ipp                    *:*                  LISTEN       1267/cupsd
tcp        0      0 *:smtp                   *:*                  LISTEN       1620/master
tcp        0      0 localhos:x11-ssh-offset  *:*                  LISTEN       26573/sshd
tcp        0      0 xxx.xxx.xxx:ssh          yyy.yyy.yyy:2497     ESTABLISHED  26571/sshd

stijn

The lsof program shows all the processes and the open ports/files.
lsof | grep LIST
will do the work.
Stijn De Weirdt wrote:

hello, i have a computer that has been (successfully :( ) attacked, and i'm currently checking how 'they' did it. the computer has an open port with a listening ftp-server, but there is no matching PID with netstat. so here's the question: how do i get the process-id?

some data:
the computer is running some old mandrake version (9.0, kern 2.4.19-16mdk)

'netstat -vapt' output:
Proto Recv-Q Send-Q Local Address     Foreign Address   State    PID/Program name
tcp        0      0 xxx.xxx.xxx:81    *:*               LISTEN   -

(note the last -)

nmap -p 81 (from another machine) gives
Port       State       Service
81/tcp     filtered    hosts2-ns

but telnet from the same machine gives (partly)
220 xxx.xxx.xxx FTP server (Version 1.8 - 2002/01/14 20:09:00) ready.

the ftp-server seems very highly modified, meaning that
1. there isn't supposed to run one on that computer (but there is one installed)
2. doesn't recognise any commands like cd, ls, get,put, login...

currently port 81 is being DROP/LOG via iptables, and i'm reinstalling it in a few days, but any advice on how to look for the server process is handy. i have root access to the machine, so that's no problem.

many thanks
stijn
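A defender-side check for the situation in this message (a listening port that netstat prints with '-' in the PID column), added here as an example and not code from the thread: it reads /proc/net/tcp directly, walks /proc/<pid>/fd to map socket inodes to processes, and reports any listener that no visible process holds. The /proc/net/tcp excerpt and the inode-to-PID map below are constructed; the live walker assumes a Linux /proc layout and root access to other processes' fd tables.

```python
import os
import re

# Constructed /proc/net/tcp excerpt (not from the thread's host): sshd on *:22,
# an unexplained listener on *:81, xinetd on 127.0.0.1:1056.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3490 1 00000000 100 0 0 10 0
   1: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 8120 1 00000000 100 0 0 10 0
   2: 0100007F:0420 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5659 1 00000000 100 0 0 10 0
"""
# Constructed inode -> PID map such as a /proc/<pid>/fd walk would produce; inode
# 8120 (the port 81 socket) is deliberately absent: no visible process owns it.
SAMPLE_OWNERS = {3490: 1208, 5659: 1233}

def parse_proc_net_tcp(text: str) -> list:
    """Return LISTEN sockets (state 0A) from /proc/net/tcp formatted text."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        addr_hex, port_hex = f[1].split(":")
        # the IPv4 address is hex in host byte order (little-endian on x86)
        octets = [int(addr_hex[i:i + 2], 16) for i in range(6, -1, -2)]
        listeners.append({"addr": ".".join(map(str, octets)),
                          "port": int(port_hex, 16), "inode": int(f[9])})
    return listeners

def socket_inode_owners(proc_root: str = "/proc") -> dict:
    """Walk /proc/<pid>/fd and map each socket inode to its PID (run as root)."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # not permitted, or the process already exited
            continue
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
            except OSError:  # fd closed between listdir and readlink
                continue
            if m:
                owners[int(m.group(1))] = int(pid)
    return owners

def find_orphan_listeners(listeners: list, owners: dict) -> list:
    """Listeners no visible process holds: the ones netstat prints with PID '-'."""
    return [sock for sock in listeners if sock["inode"] not in owners]
```

On a live host, call find_orphan_listeners(parse_proc_net_tcp(open("/proc/net/tcp").read()), socket_inode_owners()) as root; a listener with no owner anywhere in /proc is what a hidden process or a kernel-module rootkit leaves behind. A kernel-level rootkit can also filter /proc/net/tcp itself, so compare the result with an external port scan as was done here with nmap.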

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


