On Thu, 20 Dec 2001, Carl Parrish wrote:

> Is there anything like nmap on a *default* install of Redhat? I guess I
> don't really need all the features of nmap. I just need to figure out if
> a port is open and if it's been active. Problem is I didn't set the
> server up and don't know what's installed. Any ideas of tools I should
> look for? Or should I just install something? Is there any way to look
> up past activity on a port?
>
> Carl P.
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Hey Carl:

As was mentioned before, netstat can help you:

    netstat -l

or, I like to do

    netstat -nap

The -p is helpful to tell you what process is bound to that "listening" port. lsof can also be helpful (especially if somebody trojaned your netstat, but didn't think about lsof :)

If you really don't trust the box, then you might want to go ahead and nmap it from another, trusted host. You might want to include the full range of ports, as nmap will default to only scanning 1-1024 and ports listed in nmap's (rather comprehensive) services file. People like to bind rogue services to all sorts of weird port numbers, usually high numbered, as non-stateful firewalls often allow connections to ephemeral ports.

Also, it's always good to see what's in a ps axf command, and maybe what lurks in your startup scripts and cron.

If you really don't trust the box, then in addition to the nmap scan, I wouldn't trust anything the running kernel told you (or told your userspace tools like ps, netstat, etc.). Rather, I'd boot from trusted media (like a rescue disk) or pull the drive and mount it in a trusted host. Then you can really be certain that what you see is what you get/have ;) But that's me, YPMV (your paranoia may vary) ;D

I might also throw a sniffer on the network(s) that the host is connected to and capture all traffic for a period. Then you could see illicit icmp, udp, ecp, etc. traffic going on, in addition to the tcp stuff you scanned for with nmap. You could scan udp with nmap... but that can take a painfully long time :) UDP has no way to say "rst" on its own ;)

Anyhow, if you do sniff the traffic, you probably want a snaplen of 1514 or so (1500 MTU for ethernet, plus the 14 bytes for the ethernet frame header). If it's a real busy network segment, then you might not be able to do that. In that case you could set a snaplen of 96 or something and get all the headers, and a little peek at the contents. Of course, when you see something interesting on the wire, you'll be kicking yourself for not having the whole packets. Ah, the trials and tribulations of a network voyeur ;D

Good luck,

Wes

-- 
Wes Bateman, GCIA
Chief Security Officer
ManISec, Inc. - "Managed Internet Security Services"
http://www.manisec.com
wes@manisec.com
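As an added example that is not part of Wes's mail or the PLUG list archive: the "somebody trojaned your netstat, but didn't think about lsof" point in the reply can be turned into a mechanical check. The POSIX shell script below normalises the listening TCP sockets reported by `netstat -nap` and by `lsof -i -nP` into the same `tcp/PORT PID/PROGRAM` form and prints whatever lsof sees that netstat does not. Both sample outputs are constructed for illustration; the PIDs, program names and the `bindshell` listener on 31337 are hypothetical.

```shell
#!/bin/sh
# Added example: cross-check netstat's view of listening TCP sockets
# against lsof's. A netstat binary patched to hide a listener shows up
# as a port that lsof reports but netstat does not. Both sample outputs
# below are CONSTRUCTED; PIDs, program names and the "bindshell" entry
# are hypothetical.

# Constructed sample of `netstat -nap` (Linux, trimmed). The rogue
# listener on 31337 is deliberately absent, as with a trojaned netstat.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      530/sendmail
tcp        0      0 192.168.1.10:22         192.168.1.5:51234       ESTABLISHED 801/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           602/ntpd'

# Constructed sample of `lsof -i -nP` on the same host, taken a moment later.
LSOF_SAMPLE='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       412 root    3u  IPv4   1234      0t0  TCP *:22 (LISTEN)
sendmail   530 root    4u  IPv4   1300      0t0  TCP 127.0.0.1:25 (LISTEN)
ntpd       602 root    5u  IPv4   1400      0t0  UDP *:123
bindshell 6666 root    3u  IPv4   9999      0t0  TCP *:31337 (LISTEN)
sshd       801 root    4u  IPv4   2000      0t0  TCP 192.168.1.10:22->192.168.1.5:51234 (ESTABLISHED)'

# Normalise netstat -nap text (stdin) into "tcp/PORT PID/PROGRAM" lines,
# one per listening TCP socket. The port is the last ':'-separated field
# of Local Address, so IPv6 forms such as ':::22' work as well.
netstat_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); print "tcp/" a[n] " " $7
    }' | LC_ALL=C sort
}

# Same normalisation for lsof -i -nP text (stdin). Fields are addressed
# from the right because the SIZE/OFF column is blank on some versions.
lsof_listeners() {
    awk '$NF == "(LISTEN)" && $(NF-2) == "TCP" {
        n = split($(NF-1), a, ":"); print "tcp/" a[n] " " $2 "/" $1
    }' | LC_ALL=C sort
}

# Listeners present in lsof's view but absent from netstat's.
# $1 = raw netstat -nap output, $2 = raw lsof -i -nP output.
# comm(1) needs both inputs sorted in the same collation, hence LC_ALL=C
# on the sort above and on comm here.
hidden_listeners() {
    ns_tmp=$(mktemp) || return 1
    lf_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" | netstat_listeners > "$ns_tmp"
    printf '%s\n' "$2" | lsof_listeners   > "$lf_tmp"
    LC_ALL=C comm -13 "$ns_tmp" "$lf_tmp"
    rm -f "$ns_tmp" "$lf_tmp"
}

# Demonstration on the constructed samples: prints the hidden listener.
hidden_listeners "$NETSTAT_SAMPLE" "$LSOF_SAMPLE"

# Live use on a suspect box. This only tells you something if the kernel
# itself is honest; otherwise do as the mail says and inspect the disk
# from trusted media.
#   hidden_listeners "$(netstat -nap 2>/dev/null)" "$(lsof -i -nP 2>/dev/null)"
```

A disagreement between the two tools is a lead, not proof: a socket that opened or closed between the two snapshots will also show up, so run the comparison twice before reading anything into it. On current Linux, `ss -ltnp` is the usual replacement for `netstat -nap` and its output would need its own normaliser. For the external scan the mail recommends, `nmap -p 1-65535 <host>` (or `-p-`) covers every TCP port; current nmap defaults to the 1000 most common ports rather than the 1-1024-plus-services-file set described in the 2001 reply, so the full range is still not the default. For the capture, `tcpdump -s 1514 -w capture.pcap` is the snaplen setting the reply describes.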