ColinM Posted April 24, 2005 (edited)

New desktop. Dual boot Win98se and Mdk 10.1 oe, two hard drives connected on the same cable, Win drive is master. External serial Aztech 56kbps modem, Agnitum firewall on the Win98se OS, and Guarddog on Linux: both activated and correctly set up.

I've just installed both OS with default settings on a clean new computer and they work fine. (I installed Agnitum Outpost Firewall free version too.) After connecting to the internet using dial-up I went to one of those online security checkers called 'Shields Up', and ran the test. Everything is OK, except it failed the ping test by responding to a ping request, and more alarmingly told me my Port 23 Telnet is open. This occurs using both the Win OS and Mdk: same result. Telnet is open, though no evidence it is active.

Is this anything to be concerned about? I use the desktop for internet access and uploading files to my website by ftp. I suspect it's wise to shut down the Telnet 23 port, but how do I go about doing that? I've checked in the Mdk MCC and there's no Telnet process listed anywhere. It's configured as a desktop workstation, no Samba, or LAN etc.

Something odd which may/may not be relevant. In the Guarddog Protocol area it lists all the protocols available. (I've only allowed/checked the DNS, ftp, http, and https boxes.) But at the bottom of the tree list is a '?User defined' entity. I noticed a similar entity in the Windows system devices listings too. Can't get any info about it, and it looks suspicious. I use an external serial modem and the internal winmodem is disabled. This may be a red herring, but I mention it in case it is important. Ta!

PS. I tried enabling Shorewall first, and with that too, Shields Up detected port 23 telnet open; that is why I disabled Shorewall and tried Guarddog: same result.

Edited April 28, 2005 by ColinM
devries Posted April 24, 2005

Open a console, log in as root and type: netstat -pant. That will show all open ports and applications listening. And have a look in MCC, system, services to check what is running.
ColinM Posted April 24, 2005 (Author)

> Open a console, log in as root and type: netstat -pant. That will show all open ports and applications listening. And have a look in MCC, system, services to check what is running.

Thanks Devries, you've helped me greatly in recent weeks. This site is invaluable. I ran the netstat -pant command, first with my modem switched off...

Result not connected with internet:

[root@localhost colin]# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3117/X
tcp        0      0 :::6000                 :::*                    LISTEN      3117/X
[root@localhost colin]#

Then I switched the modem on, and dialed up a connection: (Same readout)

[root@localhost colin]# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      3117/X
tcp        0      0 :::6000                 :::*                    LISTEN      3117/X
[root@localhost colin]#

Then I visited this website (MdkUsers) using Firefox browser: (I've edited out the IPs)

[root@localhost colin]# netstat -pant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address                     State       PID/Program name
tcp        0      0 0.0.0.0:6000            0.0.0.0:*                           LISTEN      3117/X
tcp        0      0 (my dialup IP):1029     (mozilla's IP):80                   ESTABLISHED 4572/firefox-bin
tcp        0      0 (my dialup IP):1035     (MdkUser's Site host IP):80         ESTABLISHED 4572/firefox-bin
tcp        0      0 (my dialup IP):1030     (my RSS feed IP):80                 ESTABLISHED 4572/firefox-bin
tcp        0      0 (my dialup IP):1031     (Another News Rss feed IP):80       ESTABLISHED 4572/firefox-bin
tcp        0      0 :::6000                 :::*                                LISTEN      3117/X
[root@localhost colin]#

All this looks OK (so far) to my untrained eye.
Here's the other data you requested: MCC > System > Services

Running:
alsa
atd
bluetooth (I don't need this, I could turn it off)
crond
dm
fam (ticked: start when requested)
harddrake
iptables: stopped, but ticked On boot (I'm using Guarddog, is this OK?)
keytable
keyheader
messagebus
netfs
network
numlock
partmon
shorewall: stopped (not ticked)
sound
syslog
udev
xfs
xinetd

Yet when I go to the 'Shields Up' test, it says Port 23 is open Telnet and I'm very vulnerable. (Previously, when I only had the single HD using Linux, I got the all clear at Shields Up. So it is likely something to do with how the Win98se is reinstalled on the master HD.) I get the same result from 'Shields Up' whichever OS I use, so perhaps the 'Telnet vulnerability' is at the motherboard, modem, or ISP level? Is my port 23 really open and vulnerable to remote Telnet access?
ColinM Posted April 24, 2005 (Author)

While you scratch your heads along with me, here's an update. I logged off Linux, and logged in using my Win HD, then tested at Shields Up again, on the Win OS. I got the all clear today! All ports closed or stealthed. It replied to a ping test, so failed overall, but at least the Telnet port is closed on the Win OS.

Perhaps this is because I fiddled around in the Win > System > Devices and deleted the ?Unknown Device (I think it was a U-Storage USB device). Now when I restart Win, the PnP notices two devices and asks me to select the driver. I cancelled this request. Next time I'll select the driver so it PnPs, then re-test at Shields Up to see if that has anything to do with opening my Port 23. I'll re-test the Mdk OS at Shields Up again later on.

Your advice and comments appreciated.

Colin
devries Posted April 25, 2005

I don't see anything strange either (port 6000 is for the X server). To be sure try netstat -panu for udp and run ps aux to check all processes. My guess is something wrong with Shields Up.
idud Posted April 25, 2005

Telnetd is in xinetd, once you turn xinetd off telnetd will be killed too. Or you can edit file /etc/xinetd.d/telnet from this:

service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}

to this:

service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}

Then restart xinetd:

# service xinetd restart

so you can still have xinetd running while telnetd is stopped.
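A scripted version of the two checks suggested in this thread (the "disable" line in /etc/xinetd.d/telnet, and LISTEN sockets in netstat -pant output), added here as an example and not code posted by anyone in the thread. The xinetd file and the netstat snapshot it reads are constructed; the loopback filter in exposed_listeners is an addition, on the assumption that only sockets bound to a non-loopback address matter to an outside scanner such as Shields Up.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX sh, awk and mktemp;
# all sample data below is constructed to mirror the thread's output.

# Print "disabled" or "enabled" for the xinetd service file given as $1.
# xinetd treats a missing "disable" line as enabled, so default to that.
xinetd_service_state() {
    awk '
        /^[[:space:]]*disable[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]+$/, "", v); v = tolower(v); seen = 1
        }
        END { s = (seen && v == "yes") ? "disabled" : "enabled"; print s }
    ' "$1"
}

# Read netstat -pant output on stdin and print "port program" for each LISTEN
# socket bound to a non-loopback address, i.e. the ones a remote host can reach.
exposed_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "127.0.0.1" && addr != "::1") print port, $7
    }'
}

# Constructed netstat snapshot: the X server from the thread, a loopback-only
# mail daemon, and a telnet listener spawned by xinetd (PID from the ps listing).
netstat_sample() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 3117/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2001/sendmail
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 3085/xinetd
tcp 0 0 :::6000 :::* LISTEN 3117/X
EOF
}

# Constructed copy of the /etc/xinetd.d/telnet file quoted in the thread.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
service telnet
{
        socket_type     = stream
        user            = root
        server          = /usr/sbin/in.telnetd
        disable         = no
}
EOF
echo "telnet via xinetd: $(xinetd_service_state "$cfg")"   # enabled
netstat_sample | exposed_listeners                          # 6000, 23, 6000
rm -f "$cfg"
```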
devries Posted April 25, 2005

Learned something too :)
Michel Posted April 25, 2005

Heya, it would also be good to disable the listening of the X server. This way you don't have anything listening, it seems. If that's true you could maybe even not run the firewall :). Of course it is better to run it. It's an extra layer of security, also for outgoing connections if they're filtered. Of course, you can argue that the firewall could contain bugs... Anyway, I'm not a Mandrake user myself anymore, but I believe you can disable the listening of the X server in the security part of the Mandrake Control Center. However, if that doesn't work you can have a look at the following thread: http://mandrakeusers.org/index.php?showtopic=23650&hl=

Michel
DragonMage Posted April 25, 2005

You know, I just have a thought. Maybe the problem is not in your machine, but your ISP's machine. You see, some ISPs have automatic web proxying (I know one ISP in my country does). Since Shield's Up is web based, it may scan your ISP's proxy server instead of your own computer. After a few days, maybe the ISP found the vulnerability and then fixed it.

Anyway, as far as I know, Windows 98 SE doesn't have a telnet server. I mean, have you tried telnetting into a Windows 98 SE machine through port 23? (like telnet 127.0.0.1). If it doesn't work, then you shouldn't be worried.
ColinM Posted April 25, 2005 (Author, edited)

Fascinating and very helpful replies! Thank you all.

I've not changed anything since my last post, just tested at 'Shields Up' and Telnet Port 23 is now closed!? I got the all clear except failed the ping test. (My computer responded to a ping.) From this I gather that the previously open Port 23 was something to do with the 'Unknown Device' I detected and deleted on the Win98se OS. It must've been at the motherboard or modem level to influence the Mdk system too. It'll be interesting to retest after I PnP that, and retest the Mdk OS at Shields Up.

Thank you Devries: I ran those commands you gave whilst connected to this board. The result looks OK to me:

[root@localhost colin]# netstat -panu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
[root@localhost colin]# ps aux
USER       PID %CPU %MEM   VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.2  0.4  1408   480 ?        S    02:06   0:01 init [5]
root         2  0.0  0.0     0     0 ?        S    02:06   0:00 [migration/0]
root         3  0.0  0.0     0     0 ?        SN   02:06   0:00 [ksoftirqd/0]
root         4  0.0  0.0     0     0 ?        S<   02:06   0:00 [events/0]
root         5  0.0  0.0     0     0 ?        S<   02:06   0:00 [khelper]
root         6  0.0  0.0     0     0 ?        S<   02:06   0:00 [kblockd/0]
root        32  0.0  0.0     0     0 ?        S    02:06   0:00 [kapmd]
root        34  0.0  0.0     0     0 ?        S    02:06   0:00 [pdflush]
root        35  0.0  0.0     0     0 ?        S    02:06   0:00 [pdflush]
root        37  0.0  0.0     0     0 ?        S<   02:06   0:00 [aio/0]
root        36  0.0  0.0     0     0 ?        S    02:06   0:00 [kswapd0]
root       147  0.0  0.0     0     0 ?        S    02:06   0:00 [kseriod]
root       275  0.0  0.0     0     0 ?        S    02:06   0:00 [kjournald]
root       410  0.0  0.2  1388   284 ?        S<s  02:06   0:00 udevd
root       807  0.0  0.0     0     0 ?        S    02:06   0:00 [khubd]
root      1050  0.0  0.0     0     0 ?        S    02:06   0:00 [kjournald]
root      2529  0.0  0.3  1420   420 ?        Ss   02:06   0:00 /sbin/ifplugd -w
root      2553  0.0  0.4  1460   544 ?        Ss   02:06   0:00 syslogd -m 0
root      2561  0.0  0.3  2120   416 ?        Ss   02:06   0:00 klogd -2
xfs       2913  0.0  1.2  5288  1328 ?        Ss   02:06   0:00 xfs -port -1 -dae
72        2938  0.0  0.5  2052   552 ?        Ss   02:06   0:00 dbus-daemon-1 --s
root      3023  0.0  0.4  2436   492 ?        S    02:06   0:00 /usr/bin/mdkkdm -
daemon    3026  0.0  0.3  1524   432 ?        Ss   02:06   0:00 /usr/sbin/atd
root      3033  2.6  8.3 35876  9064 ?        S    02:06   0:14 /etc/X11/X -defer
root      3080  0.0  1.0  3356  1112 ?        S    02:06   0:00 -:0
root      3085  0.0  0.5  1988   564 ?        Ss   02:06   0:00 xinetd -stayalive
root      3394  0.0  0.4  1448   532 ?        Ss   02:06   0:00 crond
root      3496  0.0  0.3  1396   400 tty1     Ss+  02:06   0:00 /sbin/mingetty tt
root      3497  0.0  0.3  1396   400 tty2     Ss+  02:06   0:00 /sbin/mingetty tt
root      3498  0.0  0.3  1396   400 tty3     Ss+  02:06   0:00 /sbin/mingetty tt
root      3499  0.0  0.3  1396   400 tty4     Ss+  02:06   0:00 /sbin/mingetty tt
root      3500  0.0  0.3  1396   400 tty5     Ss+  02:06   0:00 /sbin/mingetty tt
root      3501  0.0  0.3  1396   400 tty6     Ss+  02:06   0:00 /sbin/mingetty tt
colin     3956  0.0  0.8  2860   948 ?        S    02:06   0:00 /bin/sh /usr/bin/
colin     4008  0.0  2.2 11108  2472 ?        S    02:06   0:00 /usr/bin/bluez-pi
colin     4029  0.5  6.6 27620  7236 ?        S    02:06   0:02 /usr/bin/perl /us
colin     4053  0.0  3.2 14756  3552 ?        S    02:06   0:00 magicdev
colin     4057  0.0  0.5  2432   576 ?        S    02:06   0:00 dbus-launch --sh-
colin     4062  0.0  0.5  2052   552 ?        Ss   02:06   0:00 dbus-daemon-1 --f
colin     4079  0.0  0.5  2636   604 ?        Ss   02:06   0:00 s2u --daemon=yes
colin     4085  0.0  1.4  3808  1600 ?        S    02:06   0:00 /usr/lib/gconfd-2
colin     4086  0.0  5.8 22288  6364 ?        Ss   02:06   0:00 kdeinit: Running.
colin     4089  0.0  5.9 22148  6536 ?        S    02:06   0:00 kdeinit: dcopserv
colin     4091  0.0  6.9 23860  7588 ?        S    02:06   0:00 kdeinit: klaunche
colin     4097  0.2  7.7 25108  8452 ?        S    02:07   0:01 kdeinit: kded
colin     4109  0.1  2.3 10836  2540 ?        S    02:07   0:00 /usr/bin/artsd -F
colin     4111  0.0  8.0 30376  8780 ?        S    02:07   0:00 kdeinit: knotify
colin     4112  0.0  0.2  1400   260 ?        S    02:07   0:00 kwrapper ksmserve
colin     4114  0.0  7.2 23772  7932 ?        S    02:07   0:00 kdeinit: ksmserve
colin     4118  0.1  8.9 25032  9792 ?        S    02:07   0:00 kdeinit: kwin -se
colin     4120  0.3 12.0 31996 13108 ?        S    02:07   0:01 kdeinit: kdesktop
colin     4122  0.5 10.9 27976 11900 ?        S    02:07   0:02 kdeinit: kicker
colin     4123  0.0  6.1 23400  6736 ?        S    02:07   0:00 kdeinit: kio_file
colin     4135  0.0  7.5 24168  8272 ?        S    02:07   0:00 kdeinit: khotkeys
colin     4137  0.0  7.7 24300  8496 ?        S    02:07   0:00 kdeinit: kwrited
colin     4138  0.1  7.7 23596  8484 ?        S    02:07   0:00 kwikdisk -session
colin     4140  0.1  9.9 27620 10816 ?        S    02:07   0:00 korgac --miniicon
colin     4156  0.2  9.5 24064 10392 ?        S    02:07   0:01 kppp -icon kppp.p
root      4157  0.0  4.9 21948  5416 ?        Ss   02:07   0:00 kppp -icon kppp.p
root      4268  0.0  0.6  2364   708 ttyS0    Ss+  02:09   0:00 pppd 57600 -detac
colin     4297  0.0  0.6  2360   720 ?        S    02:09   0:00 /bin/sh /home/col
colin     4310  0.0  0.8  2908   960 ?        S    02:09   0:00 /bin/sh /home/col
colin     4315  3.4 20.5 89192 22432 ?        Sl   02:09   0:12 /home/colin/firef
colin     4336  1.9 27.5 129660 29968 ?       Sl   02:09   0:06 kaffeine
colin     4525  1.9 12.2 26828 13320 ?        S    02:14   0:00 kdeinit: konsole
colin     4529  0.0  1.6  3056  1808 pts/1    Ss   02:14   0:00 /bin/bash
root      4564  0.0  0.9  2340  1052 pts/1    S    02:14   0:00 su
root      4570  0.1  1.4  2544  1548 pts/1    S    02:15   0:00 bash
root      4623  0.0  0.6  2248   736 pts/1    R+   02:15   0:00 ps aux

idud: Terima kasih! Looks like your suggestion is very wise to follow, but do I need xinetd for anything else? What would I lose by turning it off altogether? ibodo eh? :)

Michel: That sounds a good suggestion too. But I'll proceed one step at a time, and reboot between switching things off.

DragonMage: That is highly likely. I'm in S.E. Asia on dialup, and the national ISP is dodgy by default. I do get different IPs assigned at various times. I've never tried Telnet, it's a closed book to me. But I can see the point you are making.

Colin

Edited April 25, 2005 by ColinM
ColinM Posted April 25, 2005 (Author, edited)

idud: I just had a look in my xinetd.d folder using Nautilus and could not see any file called /etc/xinetd.d/telnet. It only has two files: fam and rsync, and neither mentions telnet inside. I looked both with xinetd started, and then stopped via the MCC. Is it a hidden file in Nautilus? I'm using Mdk 10.1 OE.

Colin

Edited April 25, 2005 by ColinM
devries Posted April 26, 2005

Nothing strange. :)

PS: I noticed you don't run ntp (to keep the clock on time). Why not? It's of course best to be cautious with running unnecessary services, but things like ntp are there to be used.
idud Posted April 26, 2005

/etc/xinetd.d/telnet is a normal file, and it comes from package telnetd. So if the file doesn't exist, it means that you don't have any telnet-run-from-xinetd service running on port 23. (I feel strange now.) How about the output from this command:

$ nmap -P0 localhost
ColinM Posted April 26, 2005 (Author)

> /etc/xinetd.d/telnet is a normal file, and it comes from package telnetd. So if the file doesn't exist, it means that you don't have any telnet-run-from-xinetd service running on port 23. (I feel strange now.) How about the output from this command:
>
> $ nmap -P0 localhost

I looked for any files named telnet* using the find facility and drew a blank. So I don't appear to have any telnet files on my installation. Perhaps Telnet has been dropped from Mdk 10.1 oe. From what I read it should be extinct anyway, or reserved for those bods who still use newsgroups...

Anyway, I tried again today at 'Shields Up' and got the all clear on Win OS and Mdk OS. I also tried the hackerwatch.org/probe and passed that too. (Telnet port closed.) Port 80 http was open, which I think has to be open if you want to surf the web.

Here's the result of running the command you suggested:

[root@localhost colin]# $ nmap -P0 localhost
bash: $: command not found
[root@localhost colin]# nmap -P0 localhost

Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2005-04-27 02:56 BST
Interesting ports on localhost (127.0.0.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
6000/tcp open  X11

Nmap run completed -- 1 IP address (1 host up) scanned in 0.970 seconds
[root@localhost colin]#

What does that tell you? I checked 127.0.0.1, it is iana.org. I appreciate your help.

Colin

PS. Devries; I'll get that ntp clock synchronized! I wondered why I had to manually reset it so often...
idud Posted April 27, 2005

Hmm, there's nothing to worry about, I think. Port 23 is closed. Btw, 127.0.0.1 is your loopback interface. There's an interesting story about this IP number in this forum, search for ``Terrible IRC Hacker''.