!!LSM Alert!! / !!PMON Alert!! (port / socket monitor)

  #1  
Old 09-29-2004, 10:38 PM
besthost00 besthost00 is offline
New Member
 
Join Date: Sep 2004
Posts: 1

!!LSM Alert!! / !!PMON Alert!! (port / socket monitor)


I have the following problem on one of my servers. I keep receiving lsm alerts for different ports. Like this:

This is an automated alert generated from . This alert is to
notify the addressed users of new server sockets. New server sockets can
indicate server-software that has been started on your host, or otherwise
be an indication to malicious activity. It is advised to review this alert
and investigate if needed.

Following is a summary of new Internet Server Sockets:
> tcp 0 0 server.ip:46917 0.0.0.0:* LISTEN -
> tcp 0 0 server.ip:46918 0.0.0.0:* LISTEN -
> tcp 0 0 server.ip:46921 0.0.0.0:* LISTEN -
> tcp 0 0 server.ip:46922 0.0.0.0:* LISTEN -

Following is a summary of a new Unix Domain Sockets:
no changes to Unix Domain Sockets

more:

> tcp 0 0 server.ip:42799 0.0.0.0:* LISTEN 2964/italy006.jpg

another:

> tcp 0 0 server.ip:33363 0.0.0.0:* LISTEN 2501/ny036.jpg


How can jpegs open ports?

Are these false alarms? Thank you!!

Reply With Quote


  #2  
Old 09-30-2004, 12:17 AM
dotSecurity dotSecurity is offline
WHT Addict
 
Join Date: Sep 2004
Posts: 161
Hmmm, could have something to do with the new JPEG bug:

http://www.security-talk.com/about7.html

__________________
Security Talk

Reply With Quote
  #3  
Old 09-30-2004, 10:01 AM
Lem0nHead Lem0nHead is offline
Web Hosting Master
 
Join Date: Feb 2004
Posts: 1,226
some people may save compiled/interpreted files as .jpg, chmod them 755 and execute (on shell)
or add handler for them with .htaccess and execute via web

it will work

try opening this file with a text editor
if it just shows weird chars, it may be a compiled program... try opening with an image viewer... if you can't, it probably is

BTW: your firewall should block ALL ports, EXCEPT the ones that are really used by some program


Last edited by Lem0nHead; 09-30-2004 at 10:04 AM.
Reply With Quote
  #4  
Old 10-27-2004, 10:59 PM
Dacsoft Dacsoft is offline
Web Hosting Master
 
Join Date: May 2003
Location: Florida
Posts: 877
Re: !!LSM Alert!! / !!PMON Alert!! (port / socket monitor)

Quote:
Originally posted by besthost00
Following is a summary of new Internet Server Sockets:
> tcp 0 0 server.ip:46917 0.0.0.0:* LISTEN -
> tcp 0 0 server.ip:46918 0.0.0.0:* LISTEN -
> tcp 0 0 server.ip:46921 0.0.0.0:* LISTEN -
> tcp 0 0 server.ip:46922 0.0.0.0:* LISTEN -

Did you ever find what the cause of this is? The link above is for a Windows server. What about Linux?

thanks in advance.

Reply With Quote
  #5  
Old 10-28-2004, 12:17 AM
linux-tech linux-tech is offline
<?require_once("life")?>
 
Join Date: Sep 2002
Location: inside your network
Posts: 9,548
The first thing I do when I get an LSM monitor is CHECK the port of the server that is being reported. Occasionally it's a false report, but not usually.
To check:
ssh into the server
telnet to the port (found after the ip)
If you get no response, then usually (usually) it's a false alarm.
Why is this caused?
HTTP and some other utilities utilize random ports for security. I know pure_ftpd does this for a fact, and I have seen these alerts generated from http as well.
Is this cause for alarm?
If there is no response from the server, then I'd say no, there isn't.
There's another thing you can do.
take this for example
Quote:
Following is a summary of new Internet Server Sockets:
> tcp 0 0 insertiphere:53 0.0.0.0:* LISTEN 12947/named
You can go to the process number (found just before the binary). In this case it would be /proc/12947 and verify that this is indeed a real process and should be running. By looking at the output in there (ls -la * ) you can get everything you (don't) want to know about the process.

__________________
Linux Tech Networks Reliable, Affordable Linux administration and monitoring since 2002

Reply With Quote
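
The /proc lookup described in post #5, applied to every line of an alert, as an added example that is not part of the original thread. The function names, the image-extension list and the sample input are this example's own; the sample is constructed from the alert lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage LSM "new server socket" lines.

# Emit "port pid name" per LISTEN line; pid/name are "-" when the alert
# shows no owning process.
parse_alert() {
    awk '{ sub(/^> */, "") }
         $6 == "LISTEN" {
             n = split($4, a, ":"); pid = "-"; name = "-"
             i = index($7, "/")
             if (i > 0) { pid = substr($7, 1, i - 1); name = substr($7, i + 1) }
             print a[n], pid, name
         }'
}

# Verdict from the name alone; the extension list is an assumption.
classify() {
    case "$1" in
        -) echo unattributed ;;
        *.jpg|*.jpeg|*.gif|*.png) echo suspicious-name ;;
        *) echo verify-in-proc ;;
    esac
}

# What /proc says about a PID: real binary path, working dir, command line.
inspect_pid() {
    [ -d "/proc/$1" ] || { echo "  pid $1 not running now"; return 0; }
    echo "  exe:     $(readlink "/proc/$1/exe" 2>/dev/null)"
    echo "  cwd:     $(readlink "/proc/$1/cwd" 2>/dev/null)"
    echo "  cmdline: $(tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null)"
}

# Read alert text on stdin, print one "port pid name verdict" row per socket.
triage() {
    parse_alert | while read -r port pid name; do
        echo "$port $pid $name $(classify "$name")"
    done
}

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE='> tcp 0 0 server.ip:46917 0.0.0.0:* LISTEN -
> tcp 0 0 server.ip:42799 0.0.0.0:* LISTEN 2964/italy006.jpg
> tcp 0 0 insertiphere:53 0.0.0.0:* LISTEN 12947/named'

printf '%s\n' "$SAMPLE" | triage | while read -r port pid name verdict; do
    echo "port $port: $name ($verdict)"
    [ "$pid" = "-" ] || inspect_pid "$pid"
done
```

A ` (deleted)` suffix on the `exe` link means the binary was removed from disk after the process started. Reading `exe` and `cwd` for another user's process needs root.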
  #6  
Old 10-28-2004, 08:24 PM
Dacsoft Dacsoft is offline
Web Hosting Master
 
Join Date: May 2003
Location: Florida
Posts: 877
Thanks for the reply. I just recently switched to pure-ftpd, so maybe that is the cause. The ports are closed at the firewall (both in and out).

thanks again,

Reply With Quote
  #7  
Old 10-28-2004, 09:49 PM
Lem0nHead Lem0nHead is offline
Web Hosting Master
 
Join Date: Feb 2004
Posts: 1,226
I use proftpd and get those messages too

as far as I investigated, it's opened by passive FTP, or something like that

Reply With Quote
  #8  
Old 10-28-2004, 10:05 PM
Dacsoft Dacsoft is offline
Web Hosting Master
 
Join Date: May 2003
Location: Florida
Posts: 877
Quote:
Originally posted by Lem0nHead
I use proftpd and get those messages too

as far as I investigated, it's opened by passive FTP, or something like that
Again, this fits. When I went to pure-ftpd, I also enabled passive FTP.

Reply With Quote
  #9  
Old 01-23-2005, 11:47 PM
Snowman30 Snowman30 is offline
Junior Guru
 
Join Date: Mar 2002
Location: Horsham, Victoria, Aust
Posts: 210
I've just started getting the same warnings on one of our servers. We use pure-ftpd but have it on the ignore list, so I'm not sure what's going on...

Anyone have any suggestions on how to track this one down, as the warnings are annoying

__________________
Alpine Hosting - Australian & US General and Reseller Hosting - Dual Xeon Servers - 24/7 Support
Dedicated Servers Australia -Australian Managed and Unmanaged Servers and Co-Location

Reply With Quote