[ubuntu-uk] Port 2000 on Ubuntu

Seif Attar iam at seifattar.net
Thu May 1 12:18:19 BST 2008


On Thu, 2008-05-01 at 12:02 +0100, Tony Arnold wrote:
> Seif,
> 
> Seif Attar wrote:
> 
> > I installed nessus on one ubuntu machine, and set the target to another
> > ubuntu machine on the lan, after it finished, the report had a lot of
> > warning and  threats, but I assume they are ok, as they are services i
> > know, and that i want running, one thing worried is a service running on
> > port 2000, nessus said it's sometimes used by trojan horses, my first
> > test was to access the server on that port with a web browser (epiphany)
> > the reponse was a file download "eX87YDOb.exe.part", which got me really
> > worried now! running "sudo netstat -n -tap | grep 2000" returns 
> > tcp        0      0 0.0.0.0:2000            0.0.0.0:*
> > LISTEN      6096/inetd
> > 
> > so if it's inetd, where does that file download come from?? should i be
> > worried? any links on what to do when you think your machine is
> > compromised?
> 
> Have a look in /etc/services to see what service port 2000 is known by.
> On my system, it says 'Seive mail filter daemon'. Also look in
> /etc/inetd.conf to see what inetd is listening for and what it invokes
> when a connection is received on port 2000.
> 

the relevant line in /etc/inetd.conf is:

2000 nobody /usr/sbin/tcpd /usr/sbin/nbdrootd /opt/ltsp/images/amd64.img

just googled what nndrootd does, and i guess mythtv installed it? or
it's used by it.

if i open the address host:2000 in a browser on a remote machine, i get
an exe.part file, if i do it localy, iget a bin.part file, i ran strings
on the files hoping to find something useful, all it had was NBDMAGIC,
why is inetd and ltsp returning these files? is this normal behaviour? 




More information about the ubuntu-uk mailing list