We help IT Professionals succeed at work.

Red Hat, xinetd, UDP port 686

phasevar
phasevar asked
on
Medium Priority
1,439 Views
Last Modified: 2013-12-15

distro: Red Hat 7.3

When I do a 'netstat -nl' I find UDP port 686 open.  I do an 'lsof | grep UDP' and I find that xinetd has this port open.  I look in /etc/services and find nothing under port 686.  'grep 686 /etc/xinetd.d/*' turns up nothing.  Why is xinetd binding to UDP port 686 and how do I disable that if need be?
Comment
Watch Question

Commented:
This is what I find that could be using port 686.
hcp-wismar      686/tcp    Hardware Control Protocol Wismar
hcp-wismar      686/udp    Hardware Control Protocol Wismar

Try telnetting to port 686 and check what kind of banner you receieve.
Locally:
telnet localhost 686
Or from a remote machine:
telnet IPADDRESS 686

Author

Commented:

I get a connection refused.  But I don't think I can use telnet to connect to a UDP port.

Commented:
That's true. How stupid of me ;)
Check if you have any non standard services defined in /etc/xinetd.d/ (not that the port may not appear explicitly, so verify if each service should use that port or not)
If you cannot find any, probably either xinetd has been copromised (Verify it with
rpm -V xinetd
assuming your rpm database has not been compronmised too), or one of the services started by xinetd has been compromised.
netstat -p will tell you the name of the program which owns the socket.
HI..

Whether ur server is connected to the internet directly..

without any firewall....

if no firewall than someone is try to access that port...

what is show in netstat .... it is establish the connection or time out...

if firewall is there... disable that port and see the effect...

Author

Commented:
netstat -p and lsof report the same thing.  The socket is owned by xinetd.

It's a listening UDP socket.  There is no connection to be established.

There is no firewall setup.  I close all unncessary open sockets (which is what led me to this problem) and I use tcpwrappers to deny access to unauthorized hosts.

I haven't been able to find any information as to why xinetd is listening on this port nor how to change it.
Well it's more and more probable that you have a compromised xinetd.
Did you check with: ?
rpm -V xinetd
What does it report?

Author

Commented:
'rpm -V xinetd' reports this:

S.5....T c /etc/xinetd.conf
Well that seems ok (or at least the xinetd binary matches the checksum in the database).
Anyway you usually don't need to change xinetd.conf since it's easier to configure services in /etc/xinetd.d. Here xinetd.conf has been changed. Did you already check if you have any service defined for port 686 in /etc/xinetd.conf (besides those in /etc/xinetd.d) ?

Author

Commented:
Yes, I edited xinetd.conf.  I just commented out the log_on_success line.

There are no references to port 686 in xinetd.conf.  Other than my comment it's the distribution file.
Weird, well I have redhat 7.3 too.
netstat -nl doesn't report port 686 open.
"rpm -q xinetd" says
xinetd-2.3.9-0.73
"ps auxw|grep xinetd" says
root      1093  0.0  0.4  2116  872 ?        S    10:32   0:00 xinetd -stayalive -reuse -pidfile /var/run/xinetd.pid
"ls -l /proc/1093/exe (1093 is xinetd PID)" says
/proc/1093/exe -> /usr/sbin/xinetd
Verify that you have the xinetd from /usr/sbin too.
"ls -l /usr/sbin/xinetd" says
-rwxr-xr-x    1 root     root       169755 Oct  2  2002 /usr/sbin/xinetd
and "openssl sha1 /usr/sbin/xinetd" says
SHA1(/usr/sbin/xinetd)= 6c8c700dcb5aa5311099b9e79cfb1e6104b369ec




Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
I shut down xinetd and ran 'xinetd -d' and found that the only service running that was not setup by me was sgi_fam.  I wasn't familiar with sgi_fam so I did some looking around and it appears to be a service to notify programs of file system updates (man fam).  Since this is just a web server, I disabled sgi_fam and now when I do a 'netstat -nl' the port is gone.

I still don't quite understand it since grepping /etc/services returns nothing for port 686.  And this same service seems to be causing UDP port bindings on my other servers, but on different ports (not 686).

Commented:
That is easy.

If you strace or gdb the xinetd, you will find that sgi-fam is the one creating the rogue UDP socket.

This only happens when you dont have portmapper running (do 'service portmapper start' for RedHat).

Once the portmapper is running, the xinetd no longer errors out at the pmap_set() function call and thus no longer creates the rogue UDP socket.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.