Open port "netstat -at" - suspicious port listening

budihost

I issued the command "netstat -at" on my FreeBSD 4.11 box, and these are some of the results.

Code:
tcp4       0      0  *.8889                 *.*                    LISTEN
tcp4       0      0  *.http                 *.*                    LISTEN
tcp4       0      0  *.8090                 *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
tcp4       0      0  *.2222                 *.*                    LISTEN

The bolded entries (ports 8889, 8090 and 3306) are quite suspicious to me. What services are running there?

I referred to this website, http://www.bekkoame.ne.jp/~s_ita/port/port8000-8999.html. They list all the ports and their services.

Code:
8889  tcp      ddi-tcp-2  Desktop Data TCP 1
8889  udp      ddi-udp-2  NewsEDGE server broadcast
8889  tcp/udp  #          W32.Axatak

8090  tcp/udp  #          Asniffer

3306  tcp/udp  mysql      MySQL
3306  tcp      #          Nemog, W32.Spybot

How can I determine what services are running on these ports?
And how do I close the unnecessary ports?

Thanks..
 
rkhunter installed

Ya, I have installed rootkit hunter, but it did not find any rootkit installed.

Can I just block all those ports that are unneeded?
 
While you can't just use it directly on a BSD-based system, you might want to take a look at the KISS firewall implementation I've posted here.

It might give you an idea of what you need open and what you can block for most hosting needs.

Jeff
 
Hi,

W32.Axatak and W32.Spybot are both viruses! Axatak steals passwords and Spybot is a malicious worm. I suggest you remove that machine from the network immediately and clean it before it spreads to your clients/coworkers or others through your network or the internet. 3306 may very well be a legitimate MySQL process, but I highly suggest that you disconnect this machine and thoroughly clean it immediately, before it infects others and your ISP gets veeeery cranky. (Believe me, I've plenty of experience in the ISP technical/management field, and we really do not like infected clients and cranky netizens. :)

EDIT: The -p option displays the PID/Program for the socket
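As an added illustration for this thread (not code from any of the posters): a small POSIX sh script that reads a netstat listing like the one in the first post, compares the LISTEN sockets against an allowlist of services the admin expects on the host, and for each unexpected port asks the OS which process owns it. The sample listing, the allowlist (http, 3306, 2222) and the helper names are assumptions made for the example; on FreeBSD the port-to-process mapping comes from sockstat, on Linux from ss.

```shell
#!/bin/sh
# Added example, not from the thread. Sample output constructed to mirror the
# poster's FreeBSD 4.11 "netstat -at" listing.
SAMPLE_NETSTAT='tcp4       0      0  *.8889                 *.*                    LISTEN
tcp4       0      0  *.http                 *.*                    LISTEN
tcp4       0      0  *.8090                 *.*                    LISTEN
tcp4       0      0  *.3306                 *.*                    LISTEN
tcp4       0      0  *.2222                 *.*                    LISTEN'

# Services the admin expects to be listening (assumption: web server,
# MySQL, and sshd moved to port 2222). Anything else gets flagged.
EXPECTED="http 3306 2222"

# listening_ports: print the local port (number or /etc/services name)
# of every socket in LISTEN state, one per line. The port is the last
# dot-separated component of the "Local Address" column.
listening_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }'
}

# unexpected_ports: listening ports that are not in the allowlist.
unexpected_ports() {
    for p in $(listening_ports "$1"); do
        case " $EXPECTED " in
            *" $p "*) ;;          # expected, skip
            *) echo "$p" ;;       # not in allowlist, report it
        esac
    done
}

# owner_of_port: show user, command and PID behind a listening port.
# sockstat is the FreeBSD tool; ss covers Linux; lsof is the fallback hint.
owner_of_port() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -l | awk -v p="$1" '$6 ~ (":" p "$") { print $1, $2, $3 }'
    elif command -v ss >/dev/null 2>&1; then
        ss -ltnp "sport = :$1" 2>/dev/null | tail -n +2
    else
        echo "no sockstat/ss found; try: lsof -i :$1"
    fi
}

for p in $(unexpected_ports "$SAMPLE_NETSTAT"); do
    echo "unexpected listener on port $p:"
    owner_of_port "$p"
done
```

Run against real output with `SAMPLE_NETSTAT=$(netstat -an)`; a port that is flagged but has no owning process in sockstat is worth a closer look, since a hidden process is one of the things a rootkit hides.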
 