[Snort-users] Port open question
joem at ...692...
Wed Apr 4 12:50:27 EDT 2001
At 12:04 PM 4/4/01, Kevin.Brown at ...1022... wrote:
>I'm trying to figure out what program is running on my Sparc (Solaris 7) and
>using port 2766. I did a search of the rules and found:
>EXPLOIT nlps x86 solaris overflow
>I tried using `netstat -a` to see if port 2766 was listed there, but no
>luck. This port is only open on one of the sparcs that I control and can't
>figure out why.
>I can telnet to the port (e.g. telnet server 2766) and it opens a connection
>then just sits there. Any ideas on what it could be?
This doesn't sound good. Something running on a port and you don't know
what it is. Perhaps the version of netstat you're using has been replaced
by the Bad Guys (TM) if you were r00ted. If you ran tripwire, you could
check to see if it was your original netstat binary. I would bring in
another version of netstat via floppy from another machine to see what it
might say is running on that port. Personally I prefer to use lsof for this.
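
The cross-check suggested in the reply above (compare a second tool's view of listening ports against what netstat reports), as an added example that is not part of the original message. The sample outputs are constructed, and the PIDs and the process name `unknownd` are hypothetical.

```python
import re

# Constructed sample: field output of `lsof -nP -iTCP -sTCP:LISTEN -F pcn`
# (p = PID, c = command, f = file descriptor, n = socket name).
LSOF_SAMPLE = """\
p214
cinetd
f11
n*:23
p3391
cunknownd
f4
n*:2766
"""

# Constructed sample in the style of Solaris `netstat -an`, as it might look
# if the netstat binary had been replaced and were omitting port 2766.
NETSTAT_SAMPLE = """\
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.23                 *.*                0      0 24576      0 LISTEN
      *.22                 *.*                0      0 24576      0 LISTEN
"""

def parse_lsof_listeners(text):
    """Return {port: (pid, command)} from lsof -F pcn output."""
    listeners, pid, cmd = {}, None, None
    for line in text.splitlines():
        if not line:
            continue
        tag, value = line[0], line[1:]
        if tag == "p":            # a new process record starts here
            pid, cmd = int(value), None
        elif tag == "c":
            cmd = value
        elif tag == "n":          # socket name, e.g. "*:2766"
            m = re.search(r":(\d+)$", value)
            if m:
                listeners[int(m.group(1))] = (pid, cmd)
    return listeners

def parse_netstat_listeners(text):
    """Return the set of ports netstat shows in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[-1] == "LISTEN":
            m = re.search(r"[.:](\d+)$", fields[0])  # "*.23" or "*:23"
            if m:
                ports.add(int(m.group(1)))
    return ports

def unlisted_listeners(lsof_text, netstat_text):
    """Listeners lsof reports that netstat does not show."""
    seen = parse_netstat_listeners(netstat_text)
    found = parse_lsof_listeners(lsof_text)
    return {p: who for p, who in found.items() if p not in seen}
```

Any port this returns is one the two tools disagree on, which is the signal that the netstat binary itself should be verified against a known-good copy.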