[TriLUG] possible intruder - advice?

Andrew Perrin clists at perrin.socsci.unc.edu
Mon May 24 10:41:07 EDT 2004


Yes, but stopping samba doesn't seem to close port 1025.  It looks, from
further investigation, like it's attempts (probably failed) to mount
directories via nfs, which I don't like but am not terribly worried about:

nujoma:/var/log# lsof -i TCP:1025
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
rpc.mount 671 root    4u  IPv4   2750       TCP *:1025 (LISTEN)
rpc.mount 671 root    6u  IPv4  13940       TCP (me, external interface):1025->user-24-214-178-146.knology.net:3821 (ESTABLISHED)
rpc.mount 671 root    7u  IPv4  17011       TCP (me, external interface):1025->user-0c8gjqu.cable.mindspring.com:4742 (ESTABLISHED)


----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu


On Mon, 24 May 2004, Marty Ferguson wrote:

> Google "port 1025"
>
> TCP Port 1025. Common Use. Microsoft Remote Procedure Call (RPC)
> www.linklogger.com/TCP1025.htm
>
> Are you running Samba?
>
> M
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On
> Behalf Of Andrew Perrin
> Sent: Monday, May 24, 2004 9:26 AM
> To: trilug at trilug.org
> Subject: [TriLUG] possible intruder - advice?
>
>
> I'm showing someone attached to my home machine's port 1025. This is,
> needless to say, not something I like.  fuser 1025/tcp and fuser 1025/udp
> show nothing. 1025 isn't listed in /etc/services. What else should I look
> at?
>
> ap
>
> ----------------------------------------------------------------------
> Andrew J Perrin - http://www.unc.edu/~aperrin
> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
>
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>
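
An added example, not part of the original messages: one way to confirm which RPC service the portmapper registered on a port missing from /etc/services, and to list the remote endpoints connected to it. The function names rpc_service and remote_peers are hypothetical, the use of rpcinfo -p is an assumption (it is not mentioned in the thread), and the sample data is constructed with documentation addresses.

```shell
#!/bin/sh
# Constructed sample data (documentation addresses), shaped like the lsof
# output in the message and like `rpcinfo -p` output on an NFS server.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
rpc.mount 671 root    4u  IPv4   2750       TCP *:1025 (LISTEN)
rpc.mount 671 root    6u  IPv4  13940       TCP 192.0.2.10:1025->198.51.100.7:3821 (ESTABLISHED)
rpc.mount 671 root    7u  IPv4  17011       TCP 192.0.2.10:1025->203.0.113.9:4742 (ESTABLISHED)'

SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100005    1   udp   1024  mountd
    100005    1   tcp   1025  mountd
    100005    2   tcp   1025  mountd'

# rpc_service PROTO PORT: read `rpcinfo -p` output on stdin and print the RPC
# service(s) the portmapper has registered on that port. Such ports are
# assigned at start-up, which is why they are absent from /etc/services.
rpc_service() {
    awk -v proto="$1" -v port="$2" \
        'NR > 1 && $3 == proto && $4 == port { print $5 }' | sort -u
}

# remote_peers PORT: read `lsof -nP -i TCP:PORT` output on stdin and print
# "command pid remote-endpoint" for every ESTABLISHED connection to PORT.
remote_peers() {
    awk -v port="$1" '
        $NF == "(ESTABLISHED)" {
            n = split($(NF-1), ends, "->")
            if (n == 2 && ends[1] ~ (":" port "$"))
                print $1, $2, ends[2]
        }'
}

# Live use (as root): rpcinfo -p | rpc_service tcp 1025
#                     lsof -nP -i TCP:1025 | remote_peers 1025
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_service tcp 1025
printf '%s\n' "$SAMPLE_LSOF" | remote_peers 1025
```
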


