
Re: Closing port



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Soheila Khademi wrote:

> Recently one of my servers was attacked by a person; he made a directory
> in my /dev/ida/ path with the name .sys/aw. I looked at the open ports on my
> machine with the nmap command and I see:
>  
> Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
> Interesting ports on cisgate.iut.ac.ir (213.29.206.17):
> (The 1531 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 80/tcp     open        http
> 111/tcp    open        sunrpc
> 443/tcp    open        https
> 515/tcp    open        printer
> 993/tcp    open        imaps
> 995/tcp    open        pop3s
> 3128/tcp   open        squid-http
> 6000/tcp   open        X11
> 32774/tcp  open        sometimes-rpc11
> 
> I don't know anything about the sometimes-rpc11 port, and I don't know
> about this. How can I close this port, and what must I do to keep
> my server from being attacked???
> And I want to know how he attacked my server.
> P.S. My OS is Linux Red Hat 7.2.
> Best regards, Khademi

It is apparent from the number of open ports and their respective
names that you have many services running which are most probably
unused at this point and, having been so, are probably not patched
either. Smells like a default install!

What you should do is run ' ps aux ' and ascertain the PIDs of the
daemons providing these services, subsequently killing them.
Secondly, if this isn't a server at all, I'd suggest killing 'inetd':
........ ' ps aux | grep inetd ' ; killall -9 inetd

Thirdly, check the appropriate Red Hat site for patches and
upgrades, and update your system regularly.
Make sure all the services shown in the scan you have
provided us are properly patched.

If the process listening on port 32774 (sometimes-rpc11) is indeed an
RPC process, you may confirm this by running 'rpcinfo -p'.

Last of all, use the following ipchains command, and additionally
enter it into /etc/rc.d/rc.local so that it is parsed at startup:

# -p takes the protocol name; the port is given after the -d address,
# and -s 0.0.0.0/0 (not 0.0.0.0) matches any source host
ipchains -A input -p tcp -s 0.0.0.0/0 -d <YOUR IP ADDRESS> 32774 -j REJECT -l
----------------------------------
With Best Regards,

Ali Saifullah Khan,

Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID               : 0xA3B7379C 
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPdEOldiHypejtzecEQIZ9gCfe+CmcyiumkEL5q/q3Zyzs6/FdfAAnjqk
OXqVbnrbRwLu7hi1yk10zP7+
=gBBy
-----END PGP SIGNATURE-----
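The procedure the reply describes (find the daemon behind the port, check whether the portmapper has an RPC service registered on it, then build the ipchains rule) as a worked example. This is an added example, not code from either poster. The `netstat -tlnp` and `rpcinfo -p` text inside it is constructed sample output so that the script runs offline; the assumption that tcp/32774 belongs to rpc.statd (RPC program 100024, "status") is part of that constructed sample and is not established by the scan in the original message, which is exactly why the check is needed. On a live host, substitute the real command output as shown in the comments.

```shell
#!/bin/sh
# Added example (not from the original message): identify what listens on a
# port nmap labelled "sometimes-rpc11", check whether it is an RPC service
# registered with the portmapper, and build the ipchains rule to reject it.
# SAMPLE_NETSTAT and SAMPLE_RPCINFO are CONSTRUCTED sample output in the
# formats of `netstat -tlnp` and `rpcinfo -p`; on a live host use
# "$(netstat -tlnp)" and "$(rpcinfo -p)" instead.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      598/portmap
tcp        0      0 0.0.0.0:32774           0.0.0.0:*               LISTEN      612/rpc.statd'

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32773  status
    100024    1   tcp  32774  status'

# listener_for_port PORT NETSTAT_OUTPUT
# Prints "PID/program" of the TCP listener bound to PORT, or "none".
listener_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "tcp" && $6 == "LISTEN" {
            n = split($4, addr, ":")      # "0.0.0.0:32774" -> port is the last field
            if (addr[n] == p) { print $7; found = 1 }
        }
        END { if (!found) print "none" }'
}

# rpc_service_for_port PORT RPCINFO_OUTPUT
# Prints "program name" of the RPC service registered on tcp/PORT, or "none".
rpc_service_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $3 == "tcp" && $4 == p { print $1, $5; found = 1 }
        END { if (!found) print "none" }'
}

# reject_rule PROTO PORT HOST_IP
# ipchains syntax: -p takes the protocol name, the port follows the -d
# address, -s 0.0.0.0/0 matches any source host, and -l logs each hit.
reject_rule() {
    printf 'ipchains -A input -p %s -s 0.0.0.0/0 -d %s %s -j REJECT -l\n' "$1" "$3" "$2"
}

# Demonstration on the sample data (port and address taken from the scan).
PORT=32774
echo "tcp/$PORT listener : $(listener_for_port "$PORT" "$SAMPLE_NETSTAT")"
echo "tcp/$PORT RPC entry: $(rpc_service_for_port "$PORT" "$SAMPLE_RPCINFO")"
echo "rule: $(reject_rule tcp "$PORT" 213.29.206.17)"
```

Two caveats a practitioner would want: the portmapper assigns RPC daemons such as rpc.statd their port at start-up, so a rule pinned to 32774 can silently miss after a reboot, and stopping the service (then re-running `rpcinfo -p` and `netstat -tlnp` to confirm the listener is gone) is the more robust fix; and once the rule is loaded, `ipchains -L input -n` shows whether it is actually present in the chain.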


------------------------------------------------------------------------
     To unsubscribe email security-discuss-request@linuxsecurity.com
         with "unsubscribe" in the subject of the message.

