You can use "rpcinfo -p" to determine which rpc process is using that port. I think that one is usually ruserd. Toby > Dear friend. > > Recently one of my server attack by a person, he make a direstory in my > /dev/ida/ path with .sys/aw name, I see open ports in my machine by nmap > command and I see: > > Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ ) > Interesting ports on cisgate.iut.ac.ir (213.29.206.17): > (The 1531 ports scanned but not shown below are in state: closed) > Port State Service > 22/tcp open ssh > 25/tcp open smtp > 80/tcp open http > 111/tcp open sunrpc > 443/tcp open https > 515/tcp open printer > 993/tcp open imaps > 995/tcp open pop3s > 3128/tcp open squid-http > 6000/tcp open X11 > 32774/tcp open sometimes-rpc11 > > I don't know anything about sometimes-rpc11 port, and I don't know about > this, How I can close this port, and what I must do for keep my server > from attacking??? > And I want know how he attack my server. > Ps. My OS is linux redhat 7.2 > By regards khademi > > -- > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ > Soheila Khademi > e-mail: khademy@yahoo.com > soheila@maniac.sdc.uwo.ca > Network Admin khademi@cc.iut.ac.ir > Network Services > Center For Information Services (CIS) http://www.iut.ac.ir > Isfahan University of Technology (IUT) Tel: 98 311 3915840-1,45 > Isfahan, IRAN Fax: 98 311 3915805 > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/ > > > > > ------------------------------------------------------------------------ > To unsubscribe email security-discuss-request@linuxsecurity.com > with "unsubscribe" in the subject of the message. ------------------------------------------------------------------------ To unsubscribe email security-discuss-request@linuxsecurity.com with "unsubscribe" in the subject of the message.
