Topic: sniffer bots and programs

joeclem111
sniffer bots and programs
« on: November 23, 2013, 09:58:30 am »
I have recently had a message from MSEC telling me there was a new user listening at port 12. It was blacklisted and no further warnings have been seen. I am running Mageia 2 with KDE 4 desktop. I looked at /var/log/security/mail.daily.today and saw the following:
*** Security Check, Nov 23 09:15:16 ***
*** Check type: daily ***
*** Check executed from: /etc/cron.daily/msec ***
Report summary:
Test started: Nov 23 09:15:16
Test finished: Nov 23 09:15:22
Total of open network ports: 34
Total of configured firewall rules: 101
Total local users: 29
Total local group: 52

Detailed report:

These are the ports listening on your machine :
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       Program name
tcp        0      0 *:ipp                       *:*                         LISTEN      cupsd
tcp        0      0 *:omniorb                   *:*                         LISTEN      java
tcp        0      0 *:microsoft-ds              *:*                         LISTEN      smbd
tcp        0      0 *:nfs                       *:*                         LISTEN      -
tcp        0      0 *:38210                     *:*                         LISTEN      rpc.mountd
tcp        0      0 *:47911                     *:*                         LISTEN      -
tcp        0      0 *:netbios-ssn               *:*                         LISTEN      smbd
tcp        0      0 *:49100                     *:*                         LISTEN      rpc.mountd
tcp        0      0 *:59694                     *:*                         LISTEN      rpc.mountd
tcp        0      0 *:52239                     *:*                         LISTEN      rpc.statd
tcp        0      0 *:sunrpc                    *:*                         LISTEN      rpcbind
tcp        0      0 localhost:7634              *:*                         LISTEN      hddtemp
udp        0      0 *:nfs                       *:*                                     -
udp        0      0 *:52290                     *:*                                     avahi-daemon: r
udp        0      0 *:bootpc                    *:*                                     dhclient
udp        0      0 *:47175                     *:*                                     rpc.mountd
udp        0      0 *:sunrpc                    *:*                                     rpcbind
udp        0      0 *:ipp                       *:*                                     cupsd
udp        0      0 192.168.0.255:netbios-ns    *:*                                     nmbd
udp        0      0 localhost:netbios-ns        *:*                                     nmbd
udp        0      0 *:netbios-ns                *:*                                     nmbd
udp        0      0 192.168.0.255:netbios-dgm   *:*                                     nmbd
udp        0      0 localhost:netbios-dgm       *:*                                     nmbd
udp        0      0 *:netbios-dgm               *:*                                     nmbd
udp        0      0 localhost:676               *:*                                     rpc.statd
udp        0      0 *:mdns                      *:*                                     avahi-daemon: r
udp        0      0 *:26393                     *:*                                     dhclient
udp        0      0 *:34606                     *:*                                     rpc.statd
udp        0      0 *:48472                     *:*                                     -
udp        0      0 *:58728                     *:*                                     rpc.mountd
udp        0      0 *:53702                     *:*                                     rpc.mountd
udp        0      0 *:1003                      *:*                                     rpcbind

I am concerned about the entries mentioning microsoft, the ones with no name, and those called mdns and nmbd. Can anyone please advise?

Mark Greaves (PCNetSpec)
Re: sniffer bots and programs
« Reply #1 on: November 23, 2013, 12:10:19 pm »
They are services that allow your Linux PC to talk to Windows PCs on your local network .. nothing to worry about.
WARNING: You are logged into reality as 'root'
logging in as 'insane' is the only safe option.
pcnetspec.co.uk

joeclem111
Re: sniffer bots and programs
« Reply #2 on: November 23, 2013, 09:40:03 pm »
Thanks for your reply. Maybe you missed something. I have run this machine since last September on this op system, but the things I was concerned about only appeared in my security log in the last few weeks. If they are standard system items, why were they not there from day 1? I am a retired IT consultant, worked in system security, and I know about the latest M/soft nasties and I think this is their doing. Your further comments welcome.

SeZo
Re: sniffer bots and programs
« Reply #3 on: November 23, 2013, 10:20:16 pm »
Quote
tcp        0      0 *:microsoft-ds              *:*                         LISTEN      smbd

microsoft-ds is just the service/protocol name for TCP and UDP port 445.
Take a look at this port list
And Samba port usage here.
« Last Edit: November 23, 2013, 10:28:47 pm by SeZo »

Mark Greaves (PCNetSpec)
Re: sniffer bots and programs
« Reply #4 on: November 23, 2013, 11:06:51 pm »
Windows "nasties" aren't going to be able to start Linux services.

Your original question said you were concerned with the entries containing microsoft-ds, mdns, nmbd and the blank entries in your netstat -tulpn output.

microsoft-ds, mdns, and nmbd are all Linux network components, usually to do with Samba .. as to why they've only recently started to show up - I don't know .. have you installed anything lately that may have installed Samba as a dependency ? .. or possibly something that changed what netstat was returning ?

Quite why nfs and all the "rpc" stuff is loaded .. again I don't know .. and again you'll want to check if anything has been installed lately that might have installed that stuff as dependencies.

As for the entries without names .. you could try to discover what user/process owns them .. this might help:
http://www.cyberciti.biz/faq/find-linux-what-running-on-port-80-command/

so you might want to try:

    sudo lsof -i :nfs

and

    sudo lsof -i :47911

and

    sudo lsof -i :48472

and see if that gives you any useful info
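As an added worked example (not code from msec, netstat, or anyone in this thread), the script below does by hand what the two replies above describe: it parses the "ports listening on your machine" table in the layout shown in the first post, labels the well-known LAN service names (microsoft-ds, netbios-*, mdns, ipp, sunrpc, nfs) with the daemon that normally owns them, notes whether each socket is bound to localhost, a broadcast address or every interface, and for every row whose program name is "-" emits the `sudo lsof -i :PORT` check from reply #4. The sample report embedded in it is a constructed subset of the original post's output; the service descriptions are standard /etc/services facts, and the function and class names are the example's own.

```python
"""Triage a netstat/msec "ports listening on your machine" report.

Added example for this thread, not code from msec or the forum posts.
tcp rows carry a State column, udp rows do not, and the program-name
column may itself contain spaces ("avahi-daemon: r"), so rows are split
with a fixed maxsplit rather than on every whitespace run.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the report in the first post, same layout.
SAMPLE_REPORT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       Program name
tcp        0      0 *:ipp                       *:*                         LISTEN      cupsd
tcp        0      0 *:microsoft-ds              *:*                         LISTEN      smbd
tcp        0      0 *:nfs                       *:*                         LISTEN      -
tcp        0      0 *:47911                     *:*                         LISTEN      -
tcp        0      0 localhost:7634              *:*                         LISTEN      hddtemp
udp        0      0 *:mdns                      *:*                                     avahi-daemon: r
udp        0      0 192.168.0.255:netbios-ns    *:*                                     nmbd
udp        0      0 *:48472                     *:*                                     -
"""

# /etc/services names discussed in the thread and the daemon that normally
# owns them on a Samba/Avahi/CUPS desktop (hypothetical helper table).
KNOWN_LAN_SERVICES = {
    "microsoft-ds": "SMB over TCP 445 (Samba smbd)",
    "netbios-ssn": "SMB over NetBIOS, TCP 139 (Samba smbd)",
    "netbios-ns": "NetBIOS name service, UDP 137 (Samba nmbd)",
    "netbios-dgm": "NetBIOS datagram service, UDP 138 (Samba nmbd)",
    "mdns": "multicast DNS, UDP 5353 (Avahi)",
    "ipp": "Internet Printing Protocol, port 631 (CUPS)",
    "sunrpc": "ONC RPC portmapper, port 111 (rpcbind)",
    "nfs": "NFS, port 2049 (kernel nfsd, so no user-space program is shown)",
}


@dataclass
class Listener:
    proto: str
    host: str                # "*", "localhost" or an address
    port: str                # numeric, or a /etc/services name
    program: Optional[str]   # None when the report printed "-"


def parse_listeners(report: str) -> List[Listener]:
    """Parse tcp/udp rows of the report; header and summary lines are skipped."""
    rows = []
    for line in report.splitlines():
        if not line.startswith(("tcp", "udp")):
            continue
        is_tcp = line.startswith("tcp")
        # tcp: proto recv send local foreign state program...   (7 fields)
        # udp: proto recv send local foreign program...         (6 fields)
        expected = 7 if is_tcp else 6
        parts = line.split(None, expected - 1)
        program = parts[expected - 1].strip() if len(parts) >= expected else "-"
        host, port = parts[3].rsplit(":", 1)
        rows.append(Listener(parts[0], host, port, None if program == "-" else program))
    return rows


def exposure(listener: Listener) -> str:
    """Where the socket is reachable from: loopback only, LAN broadcast, or everywhere."""
    if listener.host in ("localhost", "127.0.0.1", "::1"):
        return "loopback"
    if listener.host.endswith(".255"):
        return "lan-broadcast"
    return "all-interfaces"


def describe(listener: Listener) -> str:
    """Explain a known service name; anything else needs a look at its owner."""
    return KNOWN_LAN_SERVICES.get(listener.port, "unrecognised: check what owns it")


def unnamed_listeners(listeners: List[Listener]) -> List[Listener]:
    """Rows where the report showed '-' instead of a program name."""
    return [l for l in listeners if l.program is None]


def lsof_commands(listeners: List[Listener]) -> List[str]:
    """The `sudo lsof -i :PORT` checks from reply #4, one per distinct unnamed port."""
    seen, cmds = set(), []
    for l in unnamed_listeners(listeners):
        if l.port not in seen:
            seen.add(l.port)
            cmds.append(f"sudo lsof -i :{l.port}")
    return cmds


def triage(report: str) -> List[str]:
    """One summary line per listener: exposure, proto, address, owner, explanation."""
    lines = []
    for l in parse_listeners(report):
        owner = l.program or "(no program name)"
        lines.append(f"{exposure(l):14} {l.proto:4} {l.host}:{l.port:14} {owner:18} {describe(l)}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_REPORT)))
    print("\nChecks to run as root for the unnamed listeners:")
    print("\n".join(lsof_commands(parse_listeners(SAMPLE_REPORT))))
```

Two caveats the output makes visible: the "-" on `*:nfs` is expected, because the kernel's nfsd holds that socket and no user-space process owns it, so `lsof -i :nfs` will usually print nothing; the high-numbered unnamed ports, by contrast, are exactly the ones worth running the lsof check on, and on this box the rpc.statd and rpc.mountd rows show the same pattern of randomly assigned RPC ports that the thread's NFS services explain.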

joeclem111
Re: sniffer bots and programs
« Reply #5 on: November 24, 2013, 08:40:34 am »
Thanks for the advice, it all looks good. I recently did an update so dependencies could explain. I will look further but please bear with me, I had a stroke yesterday and am just waiting to return to hospital, next 24 hours will tell if my problems are PC based or worse than that. Typing with one hand is no fun.
