On Sat, 28 Jul 2007, Tyler Smith wrote:
On 2007-07-28, Jeff D <[EMAIL PROTECTED]> wrote:
[16:37:43] Warning! Process /bin/login (3888) listening
Normally /bin/login shouldn't be listening. A couple things you could do
to see if it is listening is:
lsof -i -n | grep LISTEN
Here's what I got - no sign of /bin/login:
lsof -i -n | grep LISTEN
portmap 2578 daemon 4u IPv4 6938 TCP *:sunrpc (LISTEN)
rpc.statd 2603 statd 8u IPv4 7009 TCP *:37381 (LISTEN)
sshd 3026 root 3u IPv6 7668 TCP *:ssh (LISTEN)
exim4 3385 Debian-exim 3u IPv4 7971 TCP 127.0.0.1:smtp (LISTEN)
inetd 3661 root 4u IPv4 8254 TCP *:auth (LISTEN)
famd 3721 tyler 3u IPv4 8323 TCP 127.0.0.1:929 (LISTEN)
apache 3826 root 16u IPv4 9177 TCP *:www (LISTEN)
apache 3827 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3828 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3829 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3830 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 3839 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21000 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21001 www-data 16u IPv4 9177 TCP *:www (LISTEN)
apache 21002 www-data 16u IPv4 9177 TCP *:www (LISTEN)
identd 21568 identd 0u IPv4 8254 TCP *:auth (LISTEN)
identd 21568 identd 1u IPv4 8254 TCP *:auth (LISTEN)
identd 21568 identd 2u IPv4 8254 TCP *:auth (LISTEN)
If it is listening, it should show up there, providing lsof hasn't been
compromised.
If you have another machine available to you, run an nmap scan on it
like so:
nmap -sV hostname
I don't have another machine available. What do you think?
Cheers,
Tyler
You could also try something like this:
lsof -n -p `pidof login | sed s/\ /\,/g` or lsof -n -p 3888 (since that
is the process ID that rkhunter is reporting listening)
Do you have nmap installed on the local machine? You could run nmap -sV
localhost against it and it should report back with something as well.
You can also install the debsums package; it will do an md5sum check
against installed packages.
Also, what version of Debian are you running? Is this machine behind a
firewall or do you have a firewall running on it? You may also
Jeff
-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
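
The caveat in the thread ("providing lsof hasn't been compromised") can be checked by reading the kernel's socket table in /proc/net/tcp directly and mapping socket inodes to PIDs through /proc/<pid>/fd, without running lsof. This is an added example, not part of the original messages; the sample table and the function names are constructed for illustration, and a kernel-level rootkit could still falsify /proc.

```python
import glob
import os

# Constructed sample in /proc/net/tcp format (not captured from the poster's machine).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     1        0 6938 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000   102        0 7971 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8A3C 0100007F:0019 01 00000000:00000000 00:00000000 00000000  1000        0 9555 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # state code the kernel prints for LISTEN


def parse_listeners(text):
    """Return [(ip, port, inode)] for IPv4 sockets in LISTEN state."""
    out = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = f[1].split(":")
        # Assumes a little-endian host (x86): address bytes are reversed.
        octets = [str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        out.append((".".join(octets), int(hex_port, 16), int(f[9])))
    return out


def pids_for_inode(inode, proc="/proc"):
    """Find PIDs holding a socket inode by reading /proc/<pid>/fd links."""
    target = "socket:[%d]" % inode
    pids = set()
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split(os.sep)[-3]))
        except OSError:  # process exited, or not running as root
            continue
    return sorted(pids)


def is_pid_listening(pid, listeners, proc="/proc"):
    """True if the given PID owns any of the listening socket inodes."""
    return any(pid in pids_for_inode(ino, proc) for _, _, ino in listeners)


if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for ip, port, inode in parse_listeners(text):
        print(ip, port, inode, pids_for_inode(inode))
```

Run it as root so every /proc/<pid>/fd directory is readable; IPv6 listeners live in /proc/net/tcp6 and are not covered here.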