Re: [vserver] rkhunter Warns: Hidden ports found:

From: Bendtsen, Jon <Jon.Bendtsen_at_laerdal.dk>
Date: Thu 24 Oct 2013 - 15:21:36 BST
Message-ID: <DADEEB5D-C6BC-4936-B033-9E7496E88860@laerdal.dk>

On 24/10/2013, at 15.56, Fiedler Roman <Roman.Fiedler@ait.ac.at> wrote:

>> From: Ghislain [mailto:gadnet@aqueos.com]
>>
>>> cd /etc/vserver; ls | while read name; do vserver "${name}" exec netstat -nlp; done
>>> Roman
>>
>> I think you meant :
>>
>> vsomething vserver -- --running -- exec netstat -nlp
>
> If I had known it, I should have meant that.

vsomething does not appear to work for me. But here is the netstat output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 7219/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3830/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 8765/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 15807 7219/mysqld /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 13154 6715/dbus-daemon /var/run/dbus/system_bus_socket
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 6128/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7226/sshd
udp 0 0 0.0.0.0:54414 0.0.0.0:* 6193/dhcpd
udp 0 0 0.0.0.0:53 0.0.0.0:* 6128/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 6193/dhcpd
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 6193/dhcpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 7141/ngircd
tcp 0 0 0.0.0.0:6668 0.0.0.0:* LISTEN 7141/ngircd
tcp 0 0 0.0.0.0:6669 0.0.0.0:* LISTEN 7141/ngircd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5986/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7396/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3690 0.0.0.0:* LISTEN 7683/inetd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 21507/smbd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3088/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 21305/sshd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 21507/smbd
udp 0 0 192.168.123.255:137 0.0.0.0:* 21502/nmbd
udp 0 0 192.168.123.225:137 0.0.0.0:* 21502/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 21502/nmbd
udp 0 0 192.168.123.255:138 0.0.0.0:* 21502/nmbd
udp 0 0 192.168.123.225:138 0.0.0.0:* 21502/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 21502/nmbd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 14202 7677/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 13226163 21460/winbindd /var/run/samba/winbindd_privileged/pipe
unix 2 [ ACC ] STREAM LISTENING 13226162 21460/winbindd /tmp/.winbindd/pipe
unix 2 [ ACC ] STREAM LISTENING 13224315 19997/ssh-agent /tmp/ssh-UFAiQ19996/agent.19996
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 6790/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5546/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7926/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 15760 8135/winbindd /var/run/samba/winbindd_privileged/pipe
unix 2 [ ACC ] STREAM LISTENING 14144 6790/mysqld /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 15759 8135/winbindd /tmp/.winbindd/pipe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 6195/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 8078/sshd
tcp 0 0 0.0.0.0:2401 0.0.0.0:* LISTEN 22085/inetd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 842803 11810/apache2 /var/run/apache2/cgisock.6195
unix 2 [ ACC ] STREAM LISTENING 16115 8268/winbindd /tmp/.winbindd/pipe
unix 2 [ ACC ] STREAM LISTENING 16116 8268/winbindd /var/run/samba/winbindd_privileged/pipe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:873 0.0.0.0:* LISTEN 30432/inetd
tcp 0 0 0.0.0.0:3690 0.0.0.0:* LISTEN 30432/inetd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 9438/smbd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 7261/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 9447/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 9389/exim4
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 9438/smbd
tcp 0 0 0.0.0.0:2401 0.0.0.0:* LISTEN 30432/inetd
udp 0 0 192.168.123.255:137 0.0.0.0:* 9435/nmbd
udp 0 0 192.168.123.3:137 0.0.0.0:* 9435/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 9435/nmbd
udp 0 0 192.168.123.255:138 0.0.0.0:* 9435/nmbd
udp 0 0 192.168.123.3:138 0.0.0.0:* 9435/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 9435/nmbd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 17022 9114/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 17641 9470/winbindd /tmp/.winbindd/pipe
unix 2 [ ACC ] STREAM LISTENING 17526 9435/nmbd /var/run/samba/unexpected
unix 2 [ ACC ] STREAM LISTENING 17642 9470/winbindd /var/run/samba/winbindd_privileged/pipe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:548 0.0.0.0:* LISTEN 7379/afpd
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 7743/smbd
tcp 0 0 192.168.123.218:80 0.0.0.0:* LISTEN 5132/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7778/sshd
tcp 0 0 127.0.0.1:4700 0.0.0.0:* LISTEN 7284/cnid_metad
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 7743/smbd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 6895/avahi-daemon:
udp 0 0 192.168.123.255:137 0.0.0.0:* 7642/nmbd
udp 0 0 192.168.123.218:137 0.0.0.0:* 7642/nmbd
udp 0 0 0.0.0.0:137 0.0.0.0:* 7642/nmbd
udp 0 0 192.168.123.255:138 0.0.0.0:* 7642/nmbd
udp 0 0 192.168.123.218:138 0.0.0.0:* 7642/nmbd
udp 0 0 0.0.0.0:138 0.0.0.0:* 7642/nmbd
udp 0 0 0.0.0.0:42049 0.0.0.0:* 6895/avahi-daemon:
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 14967 7865/winbindd /tmp/.winbindd/pipe
unix 2 [ ACC ] STREAM LISTENING 14980 7865/winbindd /var/run/samba/winbindd_privileged/pipe
unix 2 [ ACC ] STREAM LISTENING 13549 6895/avahi-daemon: /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 13426 6812/dbus-daemon /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 14335 7642/nmbd /var/run/samba/unexpected

And here is the entire list of ports that rkhunter complains about:

root@dkVserver:/home/jonbendtsen# rkhunter --rwo --check
Warning: Hidden ports found:
         Port number: TCP:139
         Port number: TCP:2401
         Port number: TCP:25
         Port number: TCP:3306
         Port number: TCP:35026
         Port number: TCP:3690
         Port number: TCP:39764
         Port number: TCP:39955
         Port number: TCP:42239
         Port number: TCP:42916
         Port number: TCP:43605
         Port number: TCP:44070
         Port number: TCP:445
         Port number: TCP:45393
         Port number: TCP:46028
         Port number: TCP:46640
         Port number: TCP:46709
         Port number: TCP:4700
         Port number: TCP:50479
         Port number: TCP:50601
         Port number: TCP:53
         Port number: TCP:54424
         Port number: TCP:548
         Port number: TCP:54865
         Port number: TCP:55039
         Port number: TCP:57149
         Port number: TCP:58738
         Port number: TCP:6667
         Port number: TCP:6668
         Port number: TCP:6669
         Port number: TCP:80
         Port number: TCP:873
         Port number: UDP:137
         Port number: UDP:138
         Port number: UDP:42049
         Port number: UDP:53
         Port number: UDP:5353
         Port number: UDP:54414
         Port number: UDP:67
Received on Thu Oct 24 15:21:51 2013
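
One way to reconcile the two listings in the message above, added here as an example and not part of the original post: subtract every port that has a listener in the guests' `netstat -nlp` output from the ports rkhunter flagged, leaving the ones that output does not account for. The function names `unexplained` and `demo` are hypothetical, and the sample input is a small subset of the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the original message): list the ports rkhunter
# flagged that have no listener in the guests' combined netstat -nlp output.

# unexplained RKHUNTER_LOG NETSTAT_LOG
# Prints one PROTO:PORT per line, in the order rkhunter reported them.
unexplained() {
    awk '
    FILENAME == ARGV[1] {
        # netstat rows: proto recv-q send-q local-addr foreign-addr ...
        # Only tcp/udp rows count; headers, raw and unix sockets are skipped.
        if ($1 ~ /^(tcp|udp)6?$/) {
            n = split($4, part, ":")       # port follows the last colon
            listening[toupper(substr($1, 1, 3)) ":" part[n]] = 1
        }
        next
    }
    # rkhunter rows look like: "Port number: TCP:139"
    $1 == "Port" && $2 == "number:" && !($3 in listening) { print $3 }
    ' "$2" "$1"
}

# Sample input: a few lines taken from the two listings in the message.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/netstat.txt" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 7219/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3830/apache2
udp 0 0 0.0.0.0:53 0.0.0.0:* 6128/dnsmasq
raw 0 0 0.0.0.0:1 0.0.0.0:* 7 6193/dhcpd
EOF
    cat > "$dir/rkhunter.txt" <<'EOF'
Warning: Hidden ports found:
         Port number: TCP:3306
         Port number: TCP:35026
         Port number: TCP:53
         Port number: TCP:80
         Port number: UDP:53
EOF
    unexplained "$dir/rkhunter.txt" "$dir/netstat.txt"
    rm -rf "$dir"
}

demo
```

The protocol is part of the key, so in this subset TCP:53 stays in the result even though UDP:53 has a listener.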
