[Snort-users] Port open question

Kevin.Brown at ...1022... Kevin.Brown at ...1022...
Wed Apr 4 13:23:50 EDT 2001


OK, thanks for all the input.  I was finally able to stop the process
(nlsadmin).  I was just slamming my head into a wall trying to figure out what
device it wanted me to tell it to stop listening on.  Ended up figuring out
that it didn't want the interface device, but the protocol (tcp, not hme0).

> >I'm trying to figure out what program is running on my Sparc (Solaris 7) and
> >using port 2766.  I did a search of the rules and found:
> >
> >EXPLOIT nlps x86 solaris overflow
> >
> >I tried using `netstat -a` to see if port 2766 was listed there, but no
> >luck.  This port is only open on one of the sparcs that I control and I can't
> >figure out why.
> >
> >I can telnet to the port (e.g. telnet server 2766) and it opens a connection
> >then just sits there.  Any ideas on what it could be?
> 
> This doesn't sound good.  Something running on a port and you don't know 
> what it is.  Perhaps the version of netstat you're using has been replaced 
> by the Bad Guys (TM) if you were r00ted.  If you ran tripwire, you could 
> check to see if it was your original netstat binary.  I would bring in 
> another version of netstat via floppy from another machine to see what it 
> might say is running on that port.  Personally I prefer to use lsof for this.
> 
> Good luck....
> 
> 
> -- Joe
> 
> 
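
A cross-check for the situation in this thread, where a port answers connections but a search of the `netstat -a` listing for its number finds nothing. This is an added example, not part of the original messages. Without `-n`, `netstat -a` prints service names rather than port numbers, so the listing has to be mapped back to numbers before comparing. The sample listing, the services entries, the probed port list and the function names are constructed for illustration.

```sh
#!/bin/sh
# Constructed sample: `netstat -a` style listing (names resolved, no -n).
SAMPLE_NETSTAT='
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
      *.telnet             *.*                0      0     0      0 LISTEN
      *.listen             *.*                0      0     0      0 LISTEN
      *.22                 *.*                0      0     0      0 LISTEN
host.32771           peer.telnet         8760      0  8760      0 ESTABLISHED
'
# Constructed sample of services-file entries (name -> port/proto).
SAMPLE_SERVICES='
telnet  23/tcp
listen  2766/tcp    # constructed entry for this example
'

# listening_ports NETSTAT_TEXT SERVICES_TEXT
# Prints the numeric TCP ports in LISTEN state, one per line, sorted.
# Names missing from the services text are printed as "unresolved:<name>".
listening_ports() {
    { printf '%s\n' "$2"; printf '%s\n' '--NETSTAT--'; printf '%s\n' "$1"; } |
    awk '
        $0 == "--NETSTAT--" { in_ns = 1; next }
        !in_ns {                      # services section: build name -> port map
            sub(/#.*/, "")
            if (split($2, pp, "/") == 2 && pp[2] == "tcp") svc[$1] = pp[1]
            next
        }
        $NF == "LISTEN" {             # netstat section: listening sockets only
            port = $1
            sub(/^.*\./, "", port)    # keep what follows the last dot
            if (port ~ /^[0-9]+$/) print port
            else if (port in svc)  print svc[port]
            else                   print "unresolved:" port
        }' | sort -u
}

# unlisted_ports "PORTS..." NETSTAT_TEXT SERVICES_TEXT
# Prints each port that accepted a connection but is absent from the listing.
unlisted_ports() {
    listed=$(listening_ports "$2" "$3")
    for p in $1; do
        printf '%s\n' "$listed" | grep -qx "$p" || printf '%s\n' "$p"
    done
}

# Ports that accepted a TCP connection from another host (constructed list).
unlisted_ports "23 2766 5999" "$SAMPLE_NETSTAT" "$SAMPLE_SERVICES"   # prints 5999
```

A port reported here is open but unaccounted for by the local listing, which is the case where checking the `netstat` binary itself, as suggested in the quoted reply, becomes relevant.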