comp.security.unix and comp.security.misc frequently asked questions

RFC 1700 is obsolete. The standard current reference is http://www.iana.org/assignments/port-numbers

However, you can write a program which uses any port number, whether it has a standard meaning or not; and similarly you can write a program which uses a port number in a way contrary to its standard meaning. If you notice an attempted connection to a weird port number on your machine, the connection might have been meant for some other machine running an idiosyncratic service (perhaps someone typoed the IP address or hostname), it might be a probe for a widely-spread trojan horse program, it might be part of some kind of portscan, or plenty of other possibilities.

Some notes about what a particular port access might mean in practical terms (as opposed to the intended purpose of that port number assignment) can be found at http://www.robertgraham.com/pubs/firewall-seen.html

And a list of some non-standard ports used by various strange programs is at http://www.chebucto.ns.ca/~rakerman/port-table.html

If you notice your machine listening on an unexpected port, you may have been broken into, or it may be a "feature" of your OS distribution or some third-party software you're running. In unix, most ports your OS distribution will use will be listed in /etc/services, along with MANY you don't use. /etc/inetd.conf lists services whose daemons are started on demand by inetd, the internet "super-server" (see the man page). (/etc/inetd.conf entries cause services to be offered; /etc/services entries basically just map names to and from numbers.)
In different ways depending on OS version, /etc/rc* specifies some standalone daemons to be started up on boot (or initlevel change); see man pages (including man init). These are conventional ways to start services, but any program can listen on a port (unprivileged processes can only listen on port numbers >=1024 in most multiuser OSes).

Some port numbers are not fixed. There are several possibilities here, but in unix these most notably include port numbers bearing services registered under the "portmapper", which listens on port 111. Type "rpcinfo -p hostname" for a list of services for which the portmapper is serving as a directory. (Some of these port numbers may in fact be fixed, in which case client programs have two different ways to find the port number: hardcode the port number or use the portmapper.)

To see what listeners you have running (open ports), the canonical incantation is "netstat -an". But doing a portscan from a remote machine might be more reliable if you suspect your machine has been compromised, because the netstat program could have been replaced. (But do keep in mind the tricky "malware" technique of only accepting connections with certain *source* port numbers.)

To find out what process is doing the listening, try something like lsof. Again, once your machine has been compromised, this might report the wrong answer; the purpose of using lsof would be to investigate the normal behaviour of your machine, not to check whether it's been compromised.
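As an added illustration of the "netstat -an" plus /etc/services procedure above (this script is not part of the FAQ), here is a small POSIX shell script that pulls the listening TCP and UDP ports out of netstat-style output and looks each one up in an /etc/services-style table, flagging anything the table cannot name. The netstat lines and the services table are constructed samples embedded so it runs offline; on a live host you would feed it the real "netstat -an" output and the real /etc/services, bearing in mind the FAQ's caveat that both netstat and lsof can lie on a compromised machine.

```shell
#!/bin/sh
# Added example (not from the FAQ): audit listening ports against /etc/services.
# NETSTAT_SAMPLE and SERVICES_SAMPLE are constructed stand-ins for
# "netstat -an" output and /etc/services so the script runs offline.

# Constructed "netstat -an" excerpt (Linux layout: TCP listeners carry a LISTEN
# state; UDP sockets have no state column and a foreign address of *:*).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6543            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:9876            0.0.0.0:*'

# Constructed /etc/services excerpt: "name port/proto [aliases] [# comment]".
SERVICES_SAMPLE='# Network services, Internet style
ssh             22/tcp
smtp            25/tcp          mail
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper
sunrpc          111/udp         portmapper'

# listening_ports: print "proto port" for every listening socket (IPv6 local
# addresses such as :::22 also work because only the last ":" field is taken).
listening_ports() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print "tcp", a[n] }
        $1 ~ /^udp/ && $5 ~ /:\*$/     { n = split($4, a, ":"); print "udp", a[n] }'
}

# service_name PORT PROTO: the /etc/services name for PORT/PROTO, or UNKNOWN.
service_name() {
    printf '%s\n' "$SERVICES_SAMPLE" | awk -v want="$1/$2" '
        /^#/ || NF < 2 { next }
        $2 == want     { print $1; found = 1; exit }
        END            { if (!found) print "UNKNOWN" }'
}

# audit_listeners: "proto port name" per listener. UNKNOWN only means the
# services table has no entry, which is a prompt to look closer (e.g. with
# lsof or rpcinfo -p), not proof of a break-in.
audit_listeners() {
    listening_ports | while read -r proto port; do
        printf '%s %s %s\n' "$proto" "$port" "$(service_name "$port" "$proto")"
    done
}

# unknown_listeners: just the listeners the services table could not name.
unknown_listeners() {
    audit_listeners | awk '$3 == "UNKNOWN" { print $1, $2 }'
}

audit_listeners
```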
Send corrections/additions to the FAQ Maintainer: flaps@dgp.toronto.edu (Alan J Rosenthal)
Last Update March 27 2014 @ 02:11 PM