[Snort-users] Port open question

Joe Matusiewicz joem at ...692...
Wed Apr 4 12:50:27 EDT 2001

At 12:04 PM 4/4/01, Kevin.Brown at ...1022... wrote:
>I'm trying to figure out what program is running on my Sparc (Solaris 7) and
>using port 2766.  I did a search of the rules and found:
>EXPLOIT nlps x86 solaris overflow
>I tried using `netstat -a` to see if port 2766 was listed there, but no
>luck.  This port is only open on one of the sparcs that I control and can't
>figure out why.
>I can telnet to the port (e.g. telnet server 2766) and it opens a connection
>then just sits there.  Any ideas on what it could be?

This doesn't sound good.  Something running on a port and you don't know 
what it is.  Perhaps the version of netstat you're using has been replaced 
by the Bad Guys (TM) if you were r00ted.  If you ran tripwire, you could 
check to see if it was your original netstat binary.  I would bring in 
another version of netstat via floppy from another machine to see what it 
might say is running on that port.  Personally I prefer to use lsof for this.

Good luck....

-- Joe

More information about the Snort-users mailing list