You can use lsof to determine what application is opening a port, just pipe the output of lsof to a grep for the port you're looking for. If you're suspicious of an application being compromised such as xinetd you can verify the checksum with the rpm command "#rpm -V xinetd", keep in mind that a good hacker can modify the rpm checksum file though, but it's an easy preliminary check if you're suspicious and should alert you if you've been hit by a script kiddie.

Dominic Rivera
(503) 947-7308
dominic.rivera@xxxxxxxxxxx

>>> bfranck@xxxxxxxxxxxxxxxxx 10/29/03 01:18PM >>>
Steve,

Thanks for your reply, but I have a question. SGI_FAM is started through xinetd, yes, but the file indicates that it's a TCP protocol....my open port is UDP. Are you sure we're talking about the same animal??

Brett

----- Original Message -----
From: "Rigler, Steve" <SRigler@xxxxxxxxxxxxxxx>
To: <redhat-list@xxxxxxxxxx>
Sent: Wednesday, October 29, 2003 2:52 PM
Subject: RE: Weird Ports Showing for XINETD

> There was a thread about this a while back. The culprit
> was sgi_fam. The general consensus seemed to be to leave
> it running.
>
> -Steve
>
> > -----Original Message-----
> > From: redhat-list-admin@xxxxxxxxxx
> > [mailto:redhat-list-admin@xxxxxxxxxx]On Behalf Of Brett Franck
> > Sent: Wednesday, October 29, 2003 2:18 PM
> > To: redhat-list@xxxxxxxxxx
> > Subject: Weird Ports Showing for XINETD
> >
> > REPOST Without HTML junk......sry bout the HTML postings.......maybe
> > someone has an answer to my ques?
> >
> > Okay since I last wrote about messing up my server with a Chroot jail,
> > things have definitely changed.
> >
> > I installed RH9 and put it on an IBM Netvista 866 w/384Mg Ram
> > /proc/kcore shows 401477632 Oct 28 11:53 /proc/kcore.....
> > Vs RH8.0 on a junker 450 w/320Mg Ram
> >
> > All is running well but I do have one question.....maybe it was this
> > way in RH 8.0, I never noticed, but I'm pretty sure I would have
> > noticed an open errant port not assigned to anything.
> >
> > netstat -taup shows a UDP port open by XINETD (BY the way, I'm not
> > running anything with xinetd).......I first noticed it because the
> > CHKROOTKIT bawled out an alert when the XINETD port was running on
> > 1008 ... now it's on 923....has been on 979.....etc.....moves when I
> > restart Xinetd.....is this the result of running xinetd as
> > xinetd -stayalive -pidfile /var/run/xinetd.pid
> > thus keeping a UDP port open to support the PID?????
> >
> > Brett
> >
> > --
> > redhat-list mailing list
> > unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> > https://www.redhat.com/mailman/listinfo/redhat-list
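
An added example, not part of the original thread: the lsof-piped-to-grep check from the top reply, narrowed to match only the protocol and local port columns, because a plain grep for 923 also hits PIDs, device numbers and ports such as 9230. The function name `port_owner` and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -i -n -P` output (not taken from the thread).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
xinetd    611 root    5u  IPv4   1402      0t0  UDP *:923
sshd      923 root    3u  IPv4   1377      0t0  TCP *:22 (LISTEN)
httpd    1008 apache  4u  IPv4   9230      0t0  TCP *:9230 (LISTEN)
cupsd     702 root    6u  IPv4   1519      0t0  UDP *:631
EOF
}

# port_owner PROTO PORT
# Reads lsof -i output on stdin and prints "COMMAND PID USER LOCAL-ENDPOINT"
# for every socket of that protocol whose *local* port equals PORT.
port_owner() {
    awk -v proto="$1" -v port="$2" '
        NR == 1 && $1 == "COMMAND" { next }       # skip the header row
        {
            # Locate the protocol column instead of assuming its position:
            # some lsof versions leave the SIZE column empty, shifting fields.
            for (i = 5; i <= NF; i++) {
                if ($i == proto) {
                    name = $(i + 1)
                    sub(/->.*/, "", name)          # drop the remote endpoint
                    n = split(name, parts, ":")    # port follows the last ":"
                    if (parts[n] == port) print $1, $2, $3, name
                    break
                }
            }
        }'
}

# Naive check: counts every line containing the digits 923 anywhere.
echo "grep matches: $(sample_lsof | grep -c 923)"
# Column-aware check: only the process bound to UDP port 923.
echo "owner: $(sample_lsof | port_owner UDP 923)"
# On a live host (as root, so other users' sockets are visible):
#   lsof -i -n -P | port_owner UDP 923
```
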