From owner-freebsd-net@FreeBSD.ORG  Tue Aug 24 04:37:56 2004
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6AB7C16A4CE
	for <freebsd-net@freebsd.org>; Tue, 24 Aug 2004 04:37:56 +0000 (GMT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20])
	by mx1.FreeBSD.org (Postfix) with SMTP id BBEEC43D3F
	for <freebsd-net@freebsd.org>; Tue, 24 Aug 2004 04:37:55 +0000 (GMT)
	(envelope-from silby@silby.com)
Received: (qmail 24625 invoked from network); 24 Aug 2004 04:37:54 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70)
  by relay.pair.com with SMTP; 24 Aug 2004 04:37:54 -0000
X-pair-Authenticated: 209.68.2.70
Date: Mon, 23 Aug 2004 23:37:53 -0500 (CDT)
From: Mike Silbersack <silby@silby.com>
To: Bob Ababurko <ababurko@adelphia.net>
In-Reply-To: <5.2.1.1.0.20040824002044.00aded88@mail.dc2.adelphia.net>
Message-ID: <20040823233645.D1165@odysseus.silby.com>
References: <5.2.1.1.0.20040824002044.00aded88@mail.dc2.adelphia.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
cc: freebsd-net@freebsd.org
Subject: Re: portscan looks like.....
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Aug 2004 04:37:56 -0000


On Tue, 24 Aug 2004, Bob Ababurko wrote:

> Hello-
>
>  I have just done a portscan on my FreeBSD box running 5.2.1 and got :
>
> PORT     STATE SERVICE
> 22/tcp   open  ssh
> 25/tcp   open  smtp
> 80/tcp   open  http
> 111/tcp  open  rpcbind
> 1023/tcp open  netvenuechat
>
> now, i made a faux pas when i configured this machine and had made this a nfs 
> client...i belive that was the case.  I am now interested in turning this 
> off, and will be able to do that with rpcbind_enable="NO" in rc.conf.
>    Then there is the case of the port 1023.  I have no idea how to turn this 
> off or how it got turned on.  Could the rpcbind allowed someone into my 
> computer to hack it up?  I am pretty scared at this point.  Can somone help 
> me?
>
> thanks,
> Bob

Use sockstat to see which program is attached to which socket.  IIRC, RPC 
services are assigned semi-random ports, so 1023 might be what one of the 
NFS services was assigned that time.

Mike "Silby" Silbersack