Stephen Gran wrote:
> Sorry, bad form to have to reply rather than include the info in the
> original message, but hindsight and all that. A few things I have
> done to try to see if t0rn is in fact present:
>
> lsof|grep LISTEN:
> portmap     273 root  4u  IPv4  303  TCP *:sunrpc (LISTEN)
> rpc.statd   277 root  5u  IPv4  418  TCP *:32768 (LISTEN)
> inetd       286 root  6u  IPv4  424  TCP *:smtp (LISTEN)
> inetd       286 root  7u  IPv4  425  TCP *:auth (LISTEN)
> cupsd       289 root  0u  IPv4  692  TCP *:ipp (LISTEN)
> sshd        306 root  3u  IPv4  566  TCP *:ssh (LISTEN)
> Sorry about the bad wrap ; )
>
> and lsof|grep -i t0rn:
> No results.
>
> nmap localhost:
> Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
> Interesting ports on localhost (127.0.0.1):
> (The 1544 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 111/tcp    open        sunrpc
> 113/tcp    open        auth
> 631/tcp    open        cups
But what about to external hosts? Are they open or closed by your firewall? I'd be particularly concerned about sunrpc and cups, and only allow access to and from specific IP addresses. If they are visible externally, you should investigate further.

If you don't already, I'd suggest you run one of those scripts that filters and mails your logs to you every hour or so. Reducing the background noise from legitimate stuff is the most tedious thing there, though.

For my machine I have:

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
13/tcp     open        daytime
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
110/tcp    open        pop-3
139/tcp    open        netbios-ssn
631/tcp    open        cups
2401/tcp   open        cvspserver
22273/tcp  open        wnn6

but only SSH and SMTP are visible outside my LAN (as verified by various firewall testing web sites).

Neil.
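Neil's two suggestions above, checking which of the local listeners are actually reachable from outside the firewall and filtering the background noise out of the logs before mailing them, as an added shell example that is not part of the thread. The localhost scan is Stephen's as posted; the "external" scan text, the sample log lines, the noise patterns, the watch list of ports (sunrpc and ipp) and the 192.168.1.0/24 LAN address are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): compare an nmap scan run on
# the host itself with one run from outside the firewall, report which
# listeners are exposed, and filter known-benign noise out of a log sample.

# Scan of localhost, as posted in the thread (nmap 2.54BETA30 output format).
LOCAL_SCAN='Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
113/tcp    open        auth
631/tcp    open        cups'

# Constructed: what a scan from a machine outside the LAN might show.
EXTERNAL_SCAN='Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc'

# Assumed: ports that must never be reachable from outside, and the LAN.
WATCH_PORTS='111 631'
LAN_NET='192.168.1.0/24'

# open_ports: read nmap output on stdin, print open TCP port numbers,
# one per line, numerically sorted.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' | sort -n
}

# exposed_ports LOCAL EXTERNAL: ports open on the host that the external
# scan also sees (the intersection, in the local scan's order).
exposed_ports() {
    {
        printf '%s\n' "$2" | open_ports
        echo '--'
        printf '%s\n' "$1" | open_ports
    } | awk '$0 == "--"  { phase = 1; next }
             phase == 0  { ext[$0] = 1; next }
             ($0 in ext)'
}

# flag_exposed LOCAL EXTERNAL: print one line per exposed port, warn on
# watched ones; returns 1 if any watched port is reachable from outside.
flag_exposed() {
    rc=0
    for p in $(exposed_ports "$1" "$2"); do
        case " $WATCH_PORTS " in
            *" $p "*) echo "port $p/tcp: WARNING reachable from outside, restrict to known source addresses"; rc=1 ;;
            *)        echo "port $p/tcp: reachable from outside (expected)" ;;
        esac
    done
    return $rc
}

# suggest_rules LOCAL EXTERNAL: print iptables rules (not applied) that
# limit each exposed watched port to the assumed LAN and drop the rest.
suggest_rules() {
    for p in $(exposed_ports "$1" "$2"); do
        case " $WATCH_PORTS " in
            *" $p "*)
                echo "iptables -A INPUT -p tcp --dport $p -s $LAN_NET -j ACCEPT"
                echo "iptables -A INPUT -p tcp --dport $p -j DROP" ;;
        esac
    done
}

# Constructed: extended regexps for log lines known to be legitimate noise,
# and a small sample log to run them against.
NOISE_PATTERNS='sshd\[[0-9]+\]: Accepted publickey for backup from 192\.168\.1\.10
CRON\[[0-9]+\]: \(root\) CMD
postfix/smtpd.*connect from localhost'

SAMPLE_LOG='Mar  3 04:00:01 host CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 04:02:11 host sshd[1301]: Accepted publickey for backup from 192.168.1.10 port 40122 ssh2
Mar  3 04:05:37 host sshd[1344]: Failed password for root from 10.0.0.5 port 51622 ssh2
Mar  3 04:06:02 host portmap[273]: connect from 10.0.0.5 to getport(status): request from unauthorized host'

# filter_log: drop log lines on stdin that match any noise pattern; what
# remains is what an hourly cron job would mail out.
filter_log() {
    pats=$(mktemp) || return 1
    printf '%s\n' "$NOISE_PATTERNS" > "$pats"
    grep -Evf "$pats"
    status=$?
    rm -f "$pats"
    return $status
}

# Demonstration run.
printf 'Locally listening: %s\n' "$(printf '%s\n' "$LOCAL_SCAN" | open_ports | tr '\n' ' ')"
flag_exposed "$LOCAL_SCAN" "$EXTERNAL_SCAN" || printf 'Suggested firewall rules:\n'
suggest_rules "$LOCAL_SCAN" "$EXTERNAL_SCAN"
printf 'Log lines left after noise filtering:\n'
printf '%s\n' "$SAMPLE_LOG" | filter_log
```

In use, LOCAL_SCAN comes from `nmap localhost` on the box and EXTERNAL_SCAN from a scan of its public address run from a host outside the firewall; the nmap output format here is the one both posters pasted. The suggested rules are only printed, and the LAN address must be replaced before anything is applied.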