sniffer bots and programs

I have recently had a message from MSEC telling me there was a new user listening at port 12. It was blacklisted and no further warnings have been seen. I am running Mageia 2 with KDE 4 desktop. I looked at /var/log/security/mail.daily.today and saw the following:
*** Security Check, Nov 23 09:15:16 ***
*** Check type: daily ***
*** Check executed from: /etc/cron.daily/msec ***
Report summary:
Test started: Nov 23 09:15:16
Test finished: Nov 23 09:15:22
Total of open network ports: 34
Total of configured firewall rules: 101
Total local users: 29
Total local group: 52

Detailed report:

These are the ports listening on your machine :
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State Program name
tcp 0 0 *:ipp : LISTEN cupsd
tcp 0 0 *:omniorb : LISTEN java
tcp 0 0 *:microsoft-ds : LISTEN smbd
tcp 0 0 *:nfs : LISTEN -
tcp 0 0 *:38210 : LISTEN rpc.mountd
tcp 0 0 *:47911 : LISTEN -
tcp 0 0 *:netbios-ssn : LISTEN smbd
tcp 0 0 *:49100 : LISTEN rpc.mountd
tcp 0 0 *:59694 : LISTEN rpc.mountd
tcp 0 0 *:52239 : LISTEN rpc.statd
tcp 0 0 *:sunrpc : LISTEN rpcbind
tcp 0 0 localhost:7634 : LISTEN hddtemp
udp 0 0 *:nfs : -
udp 0 0 *:52290 : avahi-daemon: r
udp 0 0 *:bootpc : dhclient
udp 0 0 *:47175 : rpc.mountd
udp 0 0 *:sunrpc : rpcbind
udp 0 0 *:ipp : cupsd
udp 0 0 192.168.0.255:netbios-ns : nmbd
udp 0 0 localhost:netbios-ns : nmbd
udp 0 0 *:netbios-ns : nmbd
udp 0 0 192.168.0.255:netbios-dgm : nmbd
udp 0 0 localhost:netbios-dgm : nmbd
udp 0 0 *:netbios-dgm : nmbd
udp 0 0 localhost:676 : rpc.statd
udp 0 0 *:mdns : avahi-daemon: r
udp 0 0 *:26393 : dhclient
udp 0 0 *:34606 : rpc.statd
udp 0 0 *:48472 : -
udp 0 0 *:58728 : rpc.mountd
udp 0 0 *:53702 : rpc.mountd
udp 0 0 *:1003 : rpcbind

I am concerned about the entries mentioning microsoft, the ones with no name, those called mdns and nmbd. Can anyone please advise?

They are services that allow your Linux PC talk to Windows PC’s on your local network … nothing to worry about.

Thanks for your reply. Maybe you missed something. I ran this machine since last september on this op system but the things I was concerned about only appeared on my security log in the last few weeks. If they are standard system items, why were they not there from day 1? I am a retired IT consultant, worked in system security and I know about the latest m/soft nastys and I think this is their doing. Your further comments welcome.

tcp 0 0 *:microsoft-ds *:* LISTEN smbd
microsoft-ds is just the service/protocol name for tcp and udp port 445 Take a look at this port list And Samba port usage here.

Windows “nasties” aren’t going to be able to start Linux services.

Your original question said you were concerned with the entries containing microsoft-ds, mdns, nmdb and the blank entries in your netstat -tulpn output.

microsoft-ds, mdns, and nmdb are all Linux network components usually to do with samba … as to why they’ve only recently started to show up - I don’t know … have you installed anything lately that may have installed samba as a dependency ? … or possibly something that changed what netstat was returning ?

Quite why nfs and all the “rpc” stuff is loaded … again I don’t know … and again you’ll want to check if anything has been installed lately that might have installed that stuff as dependencies.

As for the entries without names … you could try to discover what user/process owns them … this might help:

so you might want to try:

sudo lsof -i :nfs

and

sudo lsof -i :47911

and

sudo lsof -i :48472

and see if that gives you any useful info

Thanks for the advice, it all looks good. I recently did an update so dependencies could explain. I will look further but please bear with me, I had a stroke yesterday and am just waiting to return to hospital, next 24 hours will tell if my problems are PC based or worse than that. Typing with one hand is no fun.