Re: Port 37628....Is it just another port or out of the extra ordinary???

[InHisGrip <servie_platon () yahoo com>]

Hi Bruce,

Thank you so much on your suggestions.

Incidentally, I am also contemplating on compiling and
building my own kernel this way, I could select which
options and services that I would need? What do you
think?

All of you guys are just awesome! You have given me
lots of ideas and I have learned a lot. Thanks again
everyone in this group!

InHisGrip,
Servie

--- Bruce Smith <bruce_the_loon () worldonline co za>
wrote:
> Hi Servie
>
> There's a tool called lsof on most linux systems, if
> it's not installed by
> default it'll be on the CD's,
> that can show which processes have the port open. I
> think the exact syntax
> is lsof -i
>
> That should be able to tell you what has opened the
> port and from there you
> should be able to
> see if it's a trojan or not. Feel free to send me
> the output of this if you
> need a hand.
>
> Regards
>
> Bruce Smith
>
>
> ----- Original Message ----- 
> From: "InHisGrip" <servie_platon () yahoo com>
> To: "firewall-wizards"
> <firewall-wizards () honor icsalabs com>
> Sent: Thursday, July 22, 2004 1:52 AM
> Subject: [fw-wiz] Port 37628....Is it just another
> port or out of the extra
> ordinary???
>
>
> > Hi everyone,
> >
> > I have setup an apache web server in my small home
> > network and have configured this web server by
> > enabling port forwarding for web requests and
> > redirection using a non standard port other than
> port
> > 80. I have also used my dns registrar/provider in
> > particular dyndns.org to do the job of custom dns
> and
> > redirecting web traffic on my host
> > machine.
> >
> > My question is related to security/firewall and in
> > particular with linux ports being compromised.
> Based
> > from the information below, can anyone please let
> me
> > know if the information I have attached based on
> open
> > ports or listening ports on the output will
> somehow
> > compromise my small home network or the linux web
> > server box I have just set up?
> >
> > Oh, by the way, just wanted to make sure because I
> > have  placed the web server in a DMZ port and zone
> > from my linksys router and I think but not sure
> that
> > I am being shielded and protected atleast?
> Likewise, I
> > have enabled advanced firewall protection on my
> > linksys router. Am I just paranoid, or is there
> > something to get alarmed especially on port 37628
> > which has a LISTEN state on all interfaces or on
> the
> > Internet?
> >
> > Here is a copy of my netstat -an output:
> >
> > Active Internet connections (servers and
> established)
> > Proto Recv-Q Send-Q Local Address          
> Foreign
> > Address         State
> > tcp        0      0 0.0.0.0:32768          
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 127.0.0.1:32769        
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 127.0.0.1:783          
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 0.0.0.0:111            
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 0.0.0.0:22             
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 127.0.0.1:25           
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 0.0.0.0:8090           
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 0.0.0.0:443            
> 0.0.0.0:*
> >              LISTEN
> > tcp        0      0 192.168.1.77:8090
> > 203.218.54.165:4061     TIME_WAIT
> > tcp        0      0 192.168.1.77:8090
> > 203.218.54.165:4060     TIME_WAIT
> > tcp        0      0 192.168.1.77:8090
> > 203.218.54.165:4063     TIME_WAIT
> > tcp        0      0 192.168.1.77:8090
> > 203.218.54.165:4059     TIME_WAIT
> > tcp        0      0 192.168.1.77:8090
> > 203.218.54.165:4073     TIME_WAIT
> > tcp        0      0 192.168.1.77:8090
> > 203.218.54.165:4072     TIME_WAIT
> > tcp        0      0 192.168.1.77:8090
> > 203.218.54.165:4074     TIME_WAIT
> > udp        0      0 0.0.0.0:32768          
> 0.0.0.0:*
> > udp        0      0 0.0.0.0:750            
> 0.0.0.0:*
> > udp        0      0 0.0.0.0:111            
> 0.0.0.0:*
> > Active UNIX domain sockets (servers and
> established)
> > Proto RefCnt Flags       Type       State
> > I-Node Path
> > unix  10     [ ]         DGRAM                   
> 900
> >   /dev/log
> > unix  2      [ ]         DGRAM                   
> 1464
> > unix  2      [ ]         DGRAM                   
> 1402
> > unix  2      [ ]         DGRAM                   
> 1384
> > unix  2      [ ]         DGRAM                   
> 1370
> > unix  2      [ ]         DGRAM                   
> 1324
> > unix  2      [ ]         DGRAM                   
> 1050
> > unix  2      [ ]         DGRAM                   
> 966
> > unix  2      [ ]         DGRAM                   
> 908
> > I am asking this question because the URL below
> > mentioned about a trojan on his system and this
> could
> > also be happening to mine. Is this a security
> threat
> > both on UDP and TCP ports 32768 among others?
http://www.linuxquestions.org/questions/archive/4/2002/01/2/11641
> > Any tips or thoughts on how to eliminate this
> threat
> > would be highly appreciated. Thanks in advance.
> >
> > Regards,
> > Servie
> >
> >
> >
> >
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! Mail - 50x more storage than other
> providers!
> > http://promotions.yahoo.com/new_mail
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>



        
                
__________________________________
Do you Yahoo!?
Vote for the stars of Yahoo!'s next ad campaign!
http://advision.webevents.yahoo.com/yahoo/votelifeengine/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards