Any danger from these ports?

[Guy Fraser]

If you have setup sudo :

sudo netstat -lpn --inet

If you have not, then as root :

netstat -lpn --inet

This will show all listening "ip" ports and the program 
that has opened them.

Example:
Proto Recv-Q Send-Q LocalAddress ForeignAddress State PID/Program name
...
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 2361/mDNSResponder
...

mDNSResponder is part of HAL.

Happy Hunting.

On Sat, 2005-08-01 at 22:38 +0000, Paul wrote:
> Hi,
> 
> I've just had a strange email from a friend who seems to have had an
> email from an unsavoury character which I sent to a closed list on 20th
> Dec.
> 
> I've checked my box for r00tkits (none found) and open ports and have
> found 1539 and 5335 open. A web search hasn't revealed very much on
> these and they seem innocent enough (well, 5335 has been used for a
> virus before now...)
> 
> There are few things in my logs which are suspicious...
> 
> First are a couple like this
> 
> Jan  1 22:18:35 T7 sshd[31409]: Invalid user test
> from ::ffff:70.56.41.21
> Jan  1 22:18:36 T7 sshd[31409]: Address 70.56.41.21 maps to prox.wares-
> consulting.com, but this does not map back to the address - POSSIBLE
> BREAKIN ATTEMPT!
> 
> I seem to be subjected to a dictionary attack.
> 
> I get users named guest, admin, test, patrick, rolo, iceuser, horde,
> cyrus, www, wwwrun, matt, jane, pamela, cosmin, cip52, cip51, noc,
> webmaster, user and no username etc.
> 
> Most of the attacks come from three IP addresses (83.235.214.145,
> 66.78.52.253 and 216.180.243.178) using various ports to get through via
> ssh2. None have gotten through.
> 
> Should I be overly worried? I've closed ssh on my router, so that's one
> line of defence in the way :-)
> 
> TTFN
> 
> Paul
> -- 
> fedora-test-list mailing list
> fedora-test-list at redhat.com
> To unsubscribe: 
> http://www.redhat.com/mailman/listinfo/fedora-test-list
-- 
Guy Fraser
Network Administrator
The Internet Centre
1-888-450-6787
(780)450-6787