View Full Version : portscan, which open?

Juan
07-10-2001, 06:51 AM
I did a portscan and found two strange ports, do I need to close them ??
3000/tcp open ppp
3001/tcp open nessusd
Thx.

jks
07-10-2001, 06:53 AM
Originally posted by Juan
> I did a portscan and found two strange ports, do I need to close them ??
> 3000/tcp open ppp
> 3001/tcp open nessusd

That surely depends on what you have running on those two ports?
--
Jens Kristian Søgaard, Mermaid Consulting I/S, jens@mermaidconsulting.dk, http://www.mermaidconsulting.com/ http://www.raqsupport.net/

huck
07-10-2001, 02:12 PM
ppp
Point to Point protocol. This is used with dialups or modems.

nessusd
This is a security scanner. Were you running nessus from your machine for the port scan?? If not, do a ps -aux and look for the nessusd process. If you did not install nessus -- find out who did and remove it.

jks
07-10-2001, 02:24 PM
Originally posted by huck
> ppp
> Point to Point protocol. This is used with dialups or modems.
> nessusd
> This is a security scanner. Were you running nessus from your machine for the port scan?? If not, do a ps -aux and look for the nessusd process. If you did not install nessus -- find out who did and remove it.

Huck, it's a bit naive to just believe that it is actually those programs running on the server. Most likely it is not.
Take a look at the server and determine exactly which programs have bound to those ports ... only then can you determine if it's a backdoor or something good...
--
Jens Kristian Søgaard, Mermaid Consulting I/S, jens@mermaidconsulting.dk, http://www.mermaidconsulting.com/

huck
07-10-2001, 03:52 PM
I know that there could be trojans pretending to be other programs. But the portscan identified the program as being ppp and nessusd. PPP runs on port 3000 by default and the nessusd default port is 3001. That's the reason I asked if anyone had installed nessusd on the server. As for ppp, I do not know why it is on the server unless a ppp server is enabled.

> Most likely it is not.

This depends on whether or not you've installed nessus or ppp! If you've installed nessus, then the open 3001 port is most likely nessusd. ;)

> Take a look at the server and determine exactly which programs have bound to those ports ... only then can you determine if it's a backdoor or something good...

This is a good first step for investigating any ports that you are unsure of. Use netstat to find out which ports belong to which programs. Specifically, run

    netstat -anp

This will show you (a)ll of the open ports in (n)umeric format for all (p)rotocols. You should look at the netstat man page for more options.

Now from the post above, I gather that ppp and nessusd are running on these ports. Try to locate where these files are and make sure they are installed legitimately. Simply looking at the program name does not help. Many hackers name backdoors as normal files but stick them in odd places. A trojan could easily be called httpd, telnetd or any other name. So to really find out what program is on what port takes some time and investigative skills.

jks
07-10-2001, 04:05 PM
Originally posted by huck
> This depends on whether or not you've installed nessus or ppp! If you've installed nessus, then the open 3001 port is most likely nessusd. ;)

Well, if he _had_ installed Nessus - why would he be asking at all?
I still think that it is most likely that he has been hacked or some legitimate program (like, for example, an ICQ proxy, which commonly uses ports in that range) is using the port (for some reason).
--
Jens Kristian Søgaard, Mermaid Consulting I/S, jens@mermaidconsulting.dk, http://www.mermaidconsulting.com/

iplexx
07-11-2001, 02:48 AM
Originally posted by Juan
> 3000/tcp open ppp
> 3001/tcp open nessusd

If you've - on RaQ4 - enabled the ASP server, ports 3000 & 3001 are used by the Chili!Soft ASP Server, and 5100 for the ASP Server Administration Control Panel.

wbr,
Martin/Iplexx
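
One way to do the check the thread converges on (find which program actually holds each port, then where its binary lives on disk), as an added example that is not from any poster. It reads Linux's /proc/net/tcp, so it covers IPv4 listeners only; the function names and the sample table are constructed for illustration.

```python
#!/usr/bin/env python3
"""Map listening TCP ports to the executable that owns the socket (Linux /proc)."""
import glob
import os

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

def listening_inodes(proc_net_tcp, ports):
    """Return {port: socket inode} for LISTEN rows whose local port is in ports."""
    found = {}
    for row in proc_net_tcp.splitlines()[1:]:      # first line is the column header
        f = row.split()
        if len(f) < 10 or f[3] != LISTEN:          # skip established/closing sockets
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)     # local_address is HEXIP:HEXPORT
        if port in ports:
            found[port] = f[9]                     # 10th column is the socket inode
    return found

def owners(inode):
    """Return sorted [(pid, exe path)] of processes holding socket:[inode]."""
    hits = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pid = fd.split("/")[2]
                # exe is the on-disk binary, whatever name the process displays
                hits.add((int(pid), os.readlink(f"/proc/{pid}/exe")))
        except OSError:                            # process exited or not permitted
            continue
    return sorted(hits)

# Constructed sample: listeners on 3000 and 3001, plus one established
# connection whose local port is also 3000 (must not be reported).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4711 1 0000000000000000 100 0 0 10 0
   1: 00000000:0BB9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4712 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0BB8 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 4713 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:          # live table on a Linux host
            table = fh.read()
    except OSError:
        table = SAMPLE                             # fall back to the constructed sample
    for port, inode in sorted(listening_inodes(table, {3000, 3001}).items()):
        print(port, inode, owners(inode) or "owner not visible (run as root)")
```

Run it as root so sockets owned by other users resolve. An executable path outside the usual system directories, or one the package manager does not know about, is the thing to look into.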