[Courses] [Security] The useful netstat
Malcolm-Rannirl
rannirl-lc at otherkin.net
Thu Mar 7 18:39:28 EST 2002
On Thursday 07 March 2002 05:33 pm, Raven, corporate courtesan wrote:
Raven's already seen this box, so I was curious as to what my netstat looked
like in comparison to everyone else's. Here goes:
netstat -ap
Active Internet connections (servers and established)
Proto Recv Send Local Foreign State PID/Program name
tcp 0 0 *:mysql *:* LISTEN 1322/mysqld
tcp 0 0 *:pop3 *:* LISTEN 14491/tcpserver
tcp 0 0 *:www-http *:* LISTEN 32637/httpd
tcp 0 0 *:http-alt *:* LISTEN 30929/httpd
tcp 0 0 *:ftp *:* LISTEN 25773/pure-ftpd (SE
tcp 0 0 *:ssh *:* LISTEN 9062/sshd
tcp 0 0 *:smtp *:* LISTEN 21206/tcpserver
tcp 0 0 *:6010 *:* LISTEN 26915/sshd
tcp 0 0 nephilim.otherkin.n:ssh arlinn.otherkin.n:32814 ESTABLISHED 26915/sshd
tcp 0 0 nephilim.other:www-http melanie1.library.:50357 ESTABLISHED 32649/httpd
udp 0 0 *:router *:* 921/routed
udp 0 0 nephilim.otherki:domain *:* 29487/tinydns
That looks pretty obvious, except for the http-alt. Anyone know what that's
there for?
ftp is chrooted and using parallel virtual accounts (i.e. the usernames are
the same, but the passwords are different from /etc/password).
pop accounts are the same (which means login passwords do not go over the net
in plaintext).
mysql is used by the mailing list server.
Currently everything except pop, smtp, dns, ftp and http is blocked from the
outside world by the firewall.
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 3085 1322/mysqld /var/lib/mysql/mysql.sock
unix 9 [ ] DGRAM 17539673 9665/syslogd /dev/log
unix 2 [ ACC ] STREAM LISTENING 36875317 32644/fcgi- /tmp/fcgi/c04d00a7c42c7c78a575c0c4b440bf08
unix 3 [ ] STREAM CONNECTED 36875355 1322/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 36875354 32646/perl
unix 2 [ ] DGRAM 36875351 32646/perl
unix 3 [ ] STREAM CONNECTED 36792775 1322/mysqld /var/lib/mysql/mysql.sock
unix 3 [ ] STREAM CONNECTED 36792774 29348/perl
unix 2 [ ] STREAM CONNECTED 36198803 29384/perl
unix 2 [ ] STREAM CONNECTED 33042152 29420/perl
unix 2 [ ] DGRAM 32072617 21213/splogger
unix 2 [ ] DGRAM 30378854 1454/login -- root
unix 2 [ ] DGRAM 26418626 29420/perl
unix 2 [ ] DGRAM 26418536 29384/perl
unix 2 [ ] DGRAM 26418445 29348/perl
unix 2 [ ] DGRAM 17539684 9673/klogd
unix 2 [ ] DGRAM 17244767 25773/pure-ftpd (SE
unix 2 [ ] DGRAM 4045 921/routed
unix 2 [ ] DGRAM 3238 1437/crond
unix 2 [ ] STREAM CONNECTED 2102 1/init [3]
There seem to be a lot of perl instances there, not sure why (except that the
fcgi script is perl). The 'login' is an "su". You can't log in as root except
from the console (and there's no one sitting under my desk, so that's clear
:))
--
October
And kingdoms rise
And kingdoms fall
But you go on...and on...
- 'October' U2
<<------------------------------------------------------------------>>
<< This email is monitored by the US government under the auspice >>
<< of the USA act. For private communication, ask me for my PGP key >>
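
An added example (not part of the original post): a short Python script that parses the listener rows of the `netstat -ap` output above and lists the services bound to every interface that are not among those the post says the firewall passes (pop, smtp, dns, ftp, http), so their exposure rests on the firewall rules alone. The sample rows are copied from the post; the function names and the `INTENDED` set are assumptions of this example.

```python
"""Added example: compare `netstat -ap` listeners with an intended-exposure list."""

# Constructed sample: rows copied from the netstat output in the post.
SAMPLE = """\
tcp 0 0 *:mysql *:* LISTEN 1322/mysqld
tcp 0 0 *:pop3 *:* LISTEN 14491/tcpserver
tcp 0 0 *:www-http *:* LISTEN 32637/httpd
tcp 0 0 *:http-alt *:* LISTEN 30929/httpd
tcp 0 0 *:ftp *:* LISTEN 25773/pure-ftpd (SE
tcp 0 0 *:ssh *:* LISTEN 9062/sshd
tcp 0 0 *:smtp *:* LISTEN 21206/tcpserver
tcp 0 0 *:6010 *:* LISTEN 26915/sshd
tcp 0 0 nephilim.otherkin.n:ssh arlinn.otherkin.n:32814 ESTABLISHED 26915/sshd
udp 0 0 *:router *:* 921/routed
udp 0 0 nephilim.otherki:domain *:* 29487/tinydns
"""

# Assumption: netstat's names for the services the post says are let through.
INTENDED = {"pop3", "smtp", "domain", "ftp", "www-http"}


def listeners(text):
    """Yield (proto, bind_addr, service, pid, program) for listening sockets."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "udp"):
            continue
        if f[0] == "tcp":
            if f[5] != "LISTEN":
                continue
            owner = f[6] if len(f) > 6 else "-"
        elif f[4] == "*:*":  # udp has no State column; unconnected = listening
            owner = f[5]
        else:
            continue
        addr, _, service = f[3].rpartition(":")
        pid, _, program = owner.partition("/")
        yield f[0], addr, service, pid, program


def unexpected(text, intended=INTENDED):
    """Listeners bound to every interface (*) that are not on the intended list."""
    return [(proto, svc, prog) for proto, addr, svc, _pid, prog in listeners(text)
            if addr == "*" and svc not in intended]


if __name__ == "__main__":
    for proto, svc, prog in unexpected(SAMPLE):
        print(f"{proto:4} *:{svc:10} {prog}  (not on intended list)")
```

On the sample rows this reports mysql, http-alt, ssh, 6010 and router, which includes the http-alt listener the post asks about.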