Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I ran a portscan on myself and it seems I have TCP port 603 open. I've tried finding out any services running on this port by checking /etc/services and searching the web, but I can't find anything. I don't think it was open before, do you think something's wrong?
The netstat output doesn't really tell us much, but lsof -i does. First, it tells us that the port is being opened by inetd. Inetd acts as kind of like a intermediate server, where a given service is run through the inetd server. So instead of having a individual daemon listening at that port for connections, inetd will do the listening and then when that specific service is required it will pass the connection off to the specific daemon (hence the nickname "Inetd superServer"). That way you don't need to have multiple daemons listening at the same time and wasting resources.
Now, go to the /etc/inted.conf file and look for any uncommented services that either specifically list port 603 or that aren't readily apparent as to what they do.
Also are you running any kind of intrusion detection software? TCP port 603 is reserved for IDXP or Intrusion Detection Exchange protocol, which is used by various IDS applications to communicate with each other or with something like a central logging server. However, just because a certain port number is normally used by a service or protocol doesn't guarantee that's what is actually running.
It's called the File Alteration Monitor. Here is the URL. On the site:
Quote:
What is FAM?
FAM, the File Alteration Monitor, provides an API that applications can use to be notified when specific files or directories are changed.
FAM comes in two parts: fam, the daemon that listens for requests and delivers notification, and libfam, a library that client applications can use to communicate with fam.
I'm guessing some program installed it, as I had previously commented out every line in my inetd.conf. Do you have any idea of what program might have put it there?
The only things I can think of that use sgi_fam are some of the GUI file managers (like Nautilus) and NFS/RPC stuff. Normally I would say when you think something had been modified, immediately use the stat command to see if you can determine the last modification time/date. Since you've already modified it, that won't do much good now though.
SGI_FAM is a pretty common thing with most distros and is turned on by default in many of them. If you are paranoid about it, you can get an md5sum of the famd binary and compare that to a known good version.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.