[Snort-users] Port open question

Patrick M. Sharkey psharkey at ...1743...
Wed Apr 4 13:26:58 EDT 2001


At 09:04 AM 4/4/2001 -0700, you wrote:
>I'm trying to figure out what program is running on my Sparc (Solaris 7) and
>using port 2766.  I did a search of the rules and found:
>
>EXPLOIT nlps x86 solaris overflow
>
>I tried using `netstat -a` to see if port 2766 was listed there, but no
>luck.  This port is only open on one of the sparcs that I control and can't
>figure out why.
>
>I can telnet to the port (e.g. telnet server 2766) and it opens a connection
>then just sits there.  Any ideas on what it could be?

Try using "lsof -P -n -a -i | grep 2766" to determine which process is bound to port 2766. You will have to download (ftp://vic.cc.purdue.edu/pub/tools/unix/lsof) and compile lsof as it does not come bundled with Solaris 7.

You can also compare the MD5 checksum of your netstat binary, or any other Solaris binary, against the checksum database on SunSolve (http://sunsolve.Sun.COM/pub-cgi/fileFingerprints.pl) if you suspect that your system has been compromised.




       Patrick Sharkey
Senior Member Technical Staff
   Network & Communications
    C.S. Draper Laboratory
      voice 617.258.1222
       fax 617.258.2705
     psharkey at ...1743...
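
An added example, not part of the original post: a cross-view check that compares the listening TCP ports reported by `netstat -an` with those reported by `lsof -P -n -a -i`, and names the process that owns any port only one tool shows. Both sample outputs, the process name `unknownd`, the PIDs and the addresses are constructed for illustration, and the parsers assume the Solaris `addr.port` netstat layout and lsof's `addr:port (LISTEN)` NAME column.

```python
import re

# Constructed sample: Solaris-style `netstat -an` TCP section (-n keeps ports numeric).
NETSTAT_SAMPLE = """\
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
      *.22                 *.*                0      0     0      0 LISTEN
      *.111                *.*                0      0     0      0 LISTEN
10.0.0.5.22          10.0.0.9.40122        8760      0  8760      0 ESTABLISHED
"""

# Constructed sample: `lsof -P -n -a -i` output (names, PIDs, devices are made up).
LSOF_SAMPLE = """\
COMMAND  PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
sshd     201 root    3u  IPv4 0x30000f1c      0t0  TCP *:22 (LISTEN)
rpcbind  118 root    4u  IPv4 0x30000e2a      0t0  TCP *:111 (LISTEN)
unknownd 342 root    5u  IPv4 0x30001a7e      0t0  TCP *:2766 (LISTEN)
sshd     977 root    5u  IPv4 0x30002b10      0t0  TCP 10.0.0.5:22->10.0.0.9:40122 (ESTABLISHED)
"""

def netstat_listeners(text):
    """Return the set of TCP ports netstat reports in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        # Solaris prints the local address as addr.port, e.g. *.2766
        if fields and fields[-1] == "LISTEN":
            port = fields[0].rsplit(".", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def lsof_listeners(text):
    """Map each listening TCP port to the (command, pid) pairs that hold it."""
    owners = {}
    for line in text.splitlines():
        m = re.search(r"TCP\s+\S+:(\d+)\s+\(LISTEN\)\s*$", line)
        if m:
            command, pid = line.split()[:2]
            owners.setdefault(int(m.group(1)), []).append((command, int(pid)))
    return owners

def cross_view(netstat_text, lsof_text):
    """Return (ports only lsof shows, with owners; ports only netstat shows)."""
    ns, ls = netstat_listeners(netstat_text), lsof_listeners(lsof_text)
    return {p: ls[p] for p in sorted(set(ls) - ns)}, sorted(ns - set(ls))

if __name__ == "__main__":
    print(cross_view(NETSTAT_SAMPLE, LSOF_SAMPLE))
```

A port that appears only in the lsof view is the situation in which checking the netstat binary against the SunSolve fingerprint database, as suggested above, is the next step.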




