nanog mailing list archives

Re: Catalyst 4500 listening on TCP 6154 on all interfaces


From: "Curtis, Bruce" <bruce.curtis () ndsu edu>
Date: Mon, 7 May 2018 16:24:47 +0000

Some Cisco devices use 6154 for ypxfrd.


6154 ypxfrd Portmap Request (Info, Atomic*)

Triggers when a request is made to the portmapper for the YP transfer daemon (ypxfrd) port.



https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfids.html

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/protect_tools.html





On May 5, 2018, at 6:22 AM, marcel.duregards--- via NANOG <nanog () nanog org> wrote:

As the zero touch feature is on TCP 4786 (SMI), I vote for either:

- an NSA backdoor :-)
- a default active service

Have you tried zeroizing the config and restarting, then checking whether
TCP 6154 is still in LISTEN state?


-
Marcel



On 03.05.2018 06:51, frederic.jutzet () sig-telecom net wrote:
Hi,

We have Cat 4500 series on SUP7L-E with IOS/XE 03.06.02.E/152(2).E2
which have TCP port 6154 listening on all interfaces.

Any idea what it could be?

#show tcp brief all
TCB       Local Address               Foreign Address             (state)
...
5A529430  0.0.0.0.6154        <<<<<<<<<<<<<<<<


#show tcp tcb 5A529430
Connection state is LISTEN, I/O status: 1, unread input bytes: 0
Connection is ECN Disabled, Mininum incoming TTL 0, Outgoing TTL 255
Local host: 0.0.0.0, Local port: 6154
Foreign host: UNKNOWN, Foreign port: 0
Connection tableid (VRF): 1
Maximum output segment queue size: 50

Enqueued packets for retransmit: 0, input: 0  mis-ordered: 0 (0 bytes)

Event Timers (current time is 0xF58354):
Timer          Starts    Wakeups            Next
Retrans             0          0             0x0
TimeWait            0          0             0x0
AckHold             0          0             0x0
SendWnd             0          0             0x0
KeepAlive           0          0             0x0
GiveUp              0          0             0x0
PmtuAger            0          0             0x0
DeadWait            0          0             0x0
Linger              0          0             0x0
ProcessQ            0          0             0x0

iss:          0  snduna:          0  sndnxt:          0
irs:          0  rcvnxt:          0

sndwnd:      0  scale:      0  maxrcvwnd:   4128
rcvwnd:   4128  scale:      0  delrcvwnd:      0

SRTT: 0 ms, RTTO: 2000 ms, RTV: 2000 ms, KRTT: 0 ms
minRTT: 60000 ms, maxRTT: 0 ms, ACK hold: 200 ms
uptime: 0 ms, Sent idletime: 0 ms, Receive idletime: 0 ms
Status Flags: gen tcbs
Option Flags: VRF id set, keepalive running, nagle, Reuse local address
 Retrans timeout
IP Precedence value : 0

Datagrams (max data segment is 516 bytes):
Rcvd: 0 (out of order: 0), with data: 0, total data bytes: 0
Sent: 0 (retransmit: 0, fastretransmit: 0, partialack: 0, Second
Congestion: 0), with data: 0, total data bytes: 0

Packets received in fast path: 0, fast processed: 0, slow path: 0
fast lock acquisition failures: 0, slow path: 0
TCP Semaphore      0x5BEB9B10  FREE





(The command "show control-plane host open-ports" is not available on
this platform/code)



I also think that if it were a local socket for internal process
communication, it would be 127.0.0.1:6154 instead of 0.0.0.0:6154.
So this is listening on all interfaces, virtual and physical, and seems
not to be for internal process communication.


Fred


---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
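Added example, not part of the thread: a small Python triage helper that parses "show tcp brief all" output in the shape Fred quoted above and flags listeners bound to every interface (0.0.0.0 or "*") whose port is not on a known-good list, applying the loopback-versus-all-interfaces distinction Fred draws. The sample output, the port allow-list and the function names are constructed for the example.

```python
"""Triage helper for IOS 'show tcp brief all' output.

A socket bound to 0.0.0.0 (or '*') is reachable from the network; one bound
to 127.0.0.1 is not. This flags network-reachable listeners on ports that
are not on an expected list, so each can be examined with 'show tcp tcb'.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the output quoted in the thread
# (TCB, local address.port, foreign address.port, state).
SAMPLE = """\
TCB       Local Address               Foreign Address             (state)
5A529430  0.0.0.0.6154                *.*                         LISTEN
5A5A1230  127.0.0.1.2003              *.*                         LISTEN
5A5B4440  *.22                        *.*                         LISTEN
5A5C0010  192.0.2.10.22               192.0.2.55.51234            ESTAB
"""

@dataclass(frozen=True)
class TcpSocket:
    tcb: str
    local_addr: str
    local_port: int
    foreign: str
    state: str

def split_addr_port(field: str) -> tuple[str, int]:
    """IOS prints IPv4 sockets as addr.port ('0.0.0.0.6154', '*.22')."""
    addr, _, port = field.rpartition(".")
    return addr, int(port)

def parse_show_tcp_brief(text: str) -> list[TcpSocket]:
    """Parse the table rows; header, blank and '...' lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^([0-9A-Fa-f]{8})\s+(\S+)\s+(\S+)\s+(\S+)\s*$", line)
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        addr, port = split_addr_port(local)
        rows.append(TcpSocket(tcb, addr, port, foreign, state))
    return rows

def bound_to_all_interfaces(sock: TcpSocket) -> bool:
    """True for a listener that is reachable on any interface."""
    return sock.state == "LISTEN" and sock.local_addr in ("0.0.0.0", "*")

def unexpected_listeners(sockets, expected_ports):
    """Network-reachable listeners whose port is not on the expected list."""
    return [s for s in sockets
            if bound_to_all_interfaces(s) and s.local_port not in expected_ports]

if __name__ == "__main__":
    for s in unexpected_listeners(parse_show_tcp_brief(SAMPLE), {22, 23, 443}):
        print(f"TCB {s.tcb}: {s.local_addr}:{s.local_port} -> show tcp tcb {s.tcb}")
```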

