Open ports

Hello gentlemen,

I received an e-mail about ports being open on a webserver which im
renting for a project. It all sounded a bit suspicious to me so
basically I ran a port checker on it and I wondered whether anyone
could tell me if the results are normal or whether something is wrong?

1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
113/tcp open auth
119/tcp open nntp
139/tcp open netbios-ssn
143/tcp open imap
443/tcp open https
445/tcp open microsoft-ds
540/tcp open uucp
635/tcp open unknown
993/tcp open imaps
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
3306/tcp open mysql
6667/tcp open irc
8080/tcp open http-proxy
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k

Most kind regards,

Martijn

Ever heard of Gibson Research?
Click on Shields Up.


http://www.grc.com/intro.htm

Navigate into it, there is a section on Probe my Ports.
Of the 64,000 open ports, they give a good bit of info on each.

I just realized you have a gmail id. So this is probably SPAM..


> I received an e-mail about ports being open on a webserver which im
> renting for a project. It all sounded a bit suspicious to me so
> basically I ran a port checker on it and I wondered whether anyone
> could tell me if the results are normal or whether something is wrong?
>
> 1/tcp open tcpmux
> 11/tcp open systat
> 15/tcp open netstat
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 79/tcp open finger
> 80/tcp open http
> 110/tcp open pop3
> 111/tcp open rpcbind
> 113/tcp open auth
> 119/tcp open nntp
> 139/tcp open netbios-ssn
> 143/tcp open imap
> 443/tcp open https
> 445/tcp open microsoft-ds
> 540/tcp open uucp
> 635/tcp open unknown
> 993/tcp open imaps
> 1080/tcp open socks
> 1524/tcp open ingreslock
> 2000/tcp open callbook
> 3306/tcp open mysql
> 6667/tcp open irc
> 8080/tcp open http-proxy
> 8081/tcp open blackice-icecap
> 8082/tcp open blackice-alerts
> 12345/tcp open NetBus
> 12346/tcp open NetBus
> 27665/tcp open Trinoo_Master
> 31337/tcp open Elite
> 32771/tcp open sometimes-rpc5
> 32772/tcp open sometimes-rpc7
> 32773/tcp open sometimes-rpc9
> 32774/tcp open sometimes-rpc11
> 54320/tcp open bo2k
>
> Most kind regards,
>
> Martijn

Martijn Berendsen wrote:
> Hello gentlemen,
>
> I received an e-mail about ports being open on a webserver which im
> renting for a project. It all sounded a bit suspicious to me so
> basically I ran a port checker on it and I wondered whether anyone
> could tell me if the results are normal or whether something is wrong?
>
> [snip lots of ports]

Just run netstat from the command line on your server.
Having as many ports open as you do means your server is running a bunch
of junk it probably doesn't need. It also probably means your firewall
isn't worth a damn, either.

Thanks gents, I'm having a look at those

Googling "54320/tcp open bo2k" brought me to information about a
program called BackOrifice. Is the server compromised?

On Mon, 02 Jun 2008 01:22:48 -0700, Martijn Berendsen rearranged some
electrons to say:

> Thanks gents, I'm having a look at those
>
> Googling "54320/tcp open bo2k" brought me to information about a program
> called BackOrifice. Is the server compromised?

http://en.wikipedia.org/wiki/Back_Orifice_2000

On Mon, 02 Jun 2008 01:22:48 -0700, Martijn Berendsen rearranged some
electrons to say:

> Thanks gents, I'm having a look at those
>
> Googling "54320/tcp open bo2k" brought me to information about a program
> called BackOrifice. Is the server compromised?

and this:

http://bo2k.sourceforge.net/docs/bo2k_legitimacy.html