keitharis

Linux Red Hat ES server security issue

When I do an nmap scan of my Red Hat ES server I get the following results:
(The 1592 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
443/tcp    open        https
3306/tcp   open        mysql
6000/tcp   open        X11
32773/tcp  open        sometimes-rpc9
netstat -lnp gives this result:
tcp        0      0 0.0.0.0:32773               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:32773               0.0.0.0:*                   LISTEN      3993/cfusion

First netstat command run as user; second netstat command run as root.
I am trying to figure out what is actually happening on port 32773 and if it could be a security risk.
I have used Bastille to "harden" the security on my server but am really stuck on understanding what:
32773/tcp open sometimes-rpc9
actually means in regard to a potential security problem for my server.

Thank you much in advance for any help you can provide in answer to this perplexing question.
Keith Henriques
xDamox

Hi,

try this:

netstat -nap

it should give you a name of what it is running.
keitharis

ASKER

Hello xDamox:
When I run netstat -nap I get this result re: port number 32773.
I don't think this tells me much except that the port appears to be open. Is this true?
I will appreciate any help you can provide to help me resolve this issue.

Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:32773               0.0.0.0:*                   LISTEN

Thank you in advance
Keith Henriques
Hi,

try running: nmap -sV -O 127.0.0.1; this will do a version check.

This one will work excellently for the first issue:

fuser 32773/tcp

this will give you a PID; now with the PIDs just do:

ps aux | grep PIDNUMBER
Hello xDamox:
When I run the grep program I get
grep: 3994: No such file or directory
grep: 3995: No such file or directory
(etc.)
For all the PIDs for 32773/tcp.

I am not sure what that actually means. Hope you can help.
nmap -sV -O 127.0.0.1 does not work; however, nmap -sU -0 127.0.0.1 gives the following:

(The 1465 ports scanned but not shown below are in state: closed)
Port       State       Service
111/udp    open        sunrpc
123/udp    open        ntp
641/udp    open        unknown

Thank you for your help and considerations.
Keith Henriques
So when you did:

fuser 32773/tcp

you got a list of PIDs, correct? When you do ps aux | grep PID it should show you the program.

When you run netstat -nap | more do you get something like:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      2336/mysqld
tcp        0      0 127.0.0.1:5335              0.0.0.0:*                   LISTEN      2201/mDNSResponder
tcp        0      0 127.0.0.1:55408             127.0.0.1:80                TIME_WAIT   -
tcp        0      0 127.0.0.1:37075             127.0.0.1:443               TIME_WAIT   -
tcp        0      0 192.168.0.2:34449           64.233.183.19:80            ESTABLISHED 2906/firefox-bin
tcp        0      0 192.168.0.2:54670           64.124.0.94:6667            ESTABLISHED 2913/xchat
tcp        0      0 192.168.0.2:52108           64.233.183.83:80            ESTABLISHED 2906/firefox-bin
tcp        0      0 127.0.0.1:51698             127.0.0.1:22                TIME_WAIT   -
tcp        0      0 127.0.0.1:3306              127.0.0.1:37811             TIME_WAIT   -
tcp        0      0 :::80                       :::*                        LISTEN      2369/httpd
tcp        0      0 :::22                       :::*                        LISTEN      2245/sshd
tcp        0      0 :::443                      :::*                        LISTEN      2369/httpd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1916/dhclient
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2201/mDNSResponder
raw        0      0 0.0.0.0:6                   0.0.0.0:*                   7           2471/portsentry
raw        0      0 0.0.0.0:17                  0.0.0.0:*                   7           2473/portsentry


Have a read of this; it's what I said but it goes a little more into detail:

http://www.zcentric.com/wiki/tiki-index.php?page=What+is+running+on+that+port 
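The port-to-process procedure from the two answers above (fuser, then one ps query per PID, or reading the PID/Program name column of netstat -nap) collected into one script. This is an added example, not code from the thread or from any of its participants. The netstat text embedded in it is a constructed sample modelled on the outputs posted in the thread, and the names NETSTAT_OUTPUT, listeners_on, exposure, describe_pids and triage are chosen here. Two points worth knowing: without -sV, nmap labels a port by looking the number up in its nmap-services table, so "sometimes-rpc9" is a name lookup for port 32773, not a detection of what is actually listening; and a listener bound to 0.0.0.0 (or ::) is reachable on every interface unless a host firewall blocks it, which is the question to settle for an application server like cfusion.

```sh
#!/bin/sh
# Added example, not from the thread: map a listening port to its PID, program
# and bind address, then classify exposure. SAMPLE_NETSTAT is a constructed
# sample in the layout of `netstat -lnp`; it is not a real capture.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32773           0.0.0.0:*               LISTEN      3993/cfusion
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2336/mysqld
tcp        0      0 127.0.0.1:5335          0.0.0.0:*               LISTEN      2201/mDNSResponder
tcp        0      0 :::22                   :::*                    LISTEN      2245/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -'

# listeners_on PORT: print "proto pid program bindaddr" for every socket bound to PORT.
# Reads $NETSTAT_OUTPUT when set, e.g. NETSTAT_OUTPUT="$(netstat -lnp 2>/dev/null)",
# otherwise the constructed sample above. netstat prints "-" in the PID column when
# the caller lacks permission to see the owning process (the asker's non-root run).
listeners_on() {
  printf '%s\n' "${NETSTAT_OUTPUT:-$SAMPLE_NETSTAT}" | awk -v p="$1" '
    $1 ~ /^(tcp|udp)/ {
      n = split($4, a, ":")                       # port is the last ":"-separated field
      if (a[n] != p) next
      addr = substr($4, 1, length($4) - length(a[n]) - 1)
      split($NF, pp, "/")                         # "3993/cfusion" -> pid, program; "-" if unknown
      print $1, pp[1], (pp[2] == "" ? "?" : pp[2]), addr
    }'
}

# exposure ADDR: is the socket reachable only locally or from the network?
exposure() {
  case "$1" in
    127.*|::1)          echo loopback ;;
    0.0.0.0|::|'*')     echo all-interfaces ;;
    *)                  echo specific-interface ;;
  esac
}

# describe_pids PID...: one ps call per PID. Handing several PIDs to a single
# "grep" makes grep treat the extra arguments as file names, which produces the
# "grep: 3994: No such file or directory" messages seen earlier in the thread.
describe_pids() {
  for pid in "$@"; do
    ps -p "$pid" -o pid=,user=,args= 2>/dev/null || echo "$pid: no such process"
  done
}

# triage PORT: one line per listener on PORT, followed by the owning process.
triage() {
  listeners_on "$1" | while read -r proto pid prog addr; do
    echo "$1/$proto: $prog (pid $pid) bound to $addr [$(exposure "$addr")]"
    if [ "$pid" != "-" ]; then describe_pids "$pid"; fi
  done
}

if [ $# -gt 0 ]; then triage "$1"; fi
```

Run as `NETSTAT_OUTPUT="$(netstat -lnp)" sh triage.sh 32773` as root to use live data; without the variable it works on the constructed sample. A result of "all-interfaces" for an application server is the cue to either bind it to 127.0.0.1 (if only local clients need it) or restrict the port with the host firewall.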
Hello xDamox:
Very sorry!! Thank you also for the helpful link for information.
I got the grep command to work fine and traced all the PIDs with grep. All the PIDs (40 or so) identify my ColdFusion server
program which I have running on my Linux ES server. I need ColdFusion for my web and MySQL presentations of data. I would appreciate and value your opinion on the potential security risk of ColdFusion using:
32773/tcp  open        sometimes-rpc9
with port 32773/tcp open for ColdFusion.

Here is a copy of one of the grep commands. All the PIDs produce the same basic result:

keith     1140  0.0  8.7 814932 22032 ?      S    Aug11   0:00 /opt/coldfusionmx/bin/cfusion -start default
root     26417  0.0  0.2  3692  664 pts/0    S    06:49   0:00 grep 1140

Look forward to hearing back from you again.
Thank you in advance.
Keith

ASKER CERTIFIED SOLUTION
xDamox