rpcbind,X11 ports are open

czvcv
Posts: 5
Joined: 2018/11/24 10:50:49

Post by czvcv » 2018/12/07 19:17:51

I use CentOS 7.6 as a desktop.
I ran an nmap scan on my desktop and the results are:
sudo nmap -sT -sV 10.0.1.111

111/tcp open rpcbind 2-4 (RPC #100000)
6000/tcp open X11 (access denied)

I use netstat to see what program used these ports:
sudo netstat -vatnp
Results:

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 4962/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6105/master
tcp 0 0 10.0.1.111:33324 xxx.xx7.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 32 0 10.0.1.111:50206 xxx.xxx.xxx.xxx:443 CLOSE_WAIT 6770/gnome-software
tcp 0 0 10.0.1.111:39834 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 0 0 10.0.1.111:44798 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 0 0 10.0.1.111:59502 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 0 0 10.0.1.111:53520 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::6000 :::* LISTEN 4962/X
tcp6 0 0 ::1:25 :::* LISTEN 6105/master


I am using CentOS to only run Chrome. That's it. Nothing else, and I did not run or install any other program.

Has my system been compromised?

- My firewall zone is on Public and I blocked ssh.

$ sudo netstat -le --inet | less

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN root 34040
tcp 0 0 0.0.0.0:x11 0.0.0.0:* LISTEN root 31144
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN root 39930
udp 0 0 0.0.0.0:bootpc 0.0.0.0:* root 913655
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:* root 34041
udp 0 0 0.0.0.0:webster 0.0.0.0:* root 1093798
udp 0 0 0.0.0.0:mdns 0.0.0.0:* xxxx 912274
udp 0 0 0.0.0.0:mdns 0.0.0.0:* xxxx 912272
udp 0 0 0.0.0.0:mdns 0.0.0.0:* avahi 27431
udp 0 0 0.0.0.0:55607 0.0.0.0:* avahi 27432

$ systemctl list-unit-files --state=enabled
UNIT FILE STATE
abrt-ccpp.service enabled
abrt-oops.service enabled
abrt-vmcore.service enabled
abrt-xorg.service enabled
abrtd.service enabled
accounts-daemon.service enabled
atd.service enabled
auditd.service enabled
autovt@.service enabled
avahi-daemon.service enabled
crond.service enabled
dbus-org.fedoraproject.FirewallD1.service enabled
dbus-org.freedesktop.Avahi.service enabled
dbus-org.freedesktop.NetworkManager.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
display-manager.service enabled
dmraid-activation.service enabled
firewalld.service enabled
gdm.service enabled
getty@.service enabled
initial-setup-reconfiguration.service enabled
irqbalance.service enabled
kdump.service enabled
ksm.service enabled
ksmtuned.service enabled
libstoragemgmt.service enabled
lvm2-monitor.service enabled
mdmonitor.service enabled
microcode.service enabled
multipathd.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager-wait-online.service enabled
NetworkManager.service enabled
postfix.service enabled
qemu-guest-agent.service enabled
rhel-autorelabel.service enabled
rhel-configure.service enabled
rhel-dmesg.service enabled
rhel-domainname.service enabled
rhel-import-state.service enabled
rhel-loadmodules.service enabled
rhel-readonly.service enabled
rngd.service enabled
rsyslog.service enabled
rtkit-daemon.service enabled
smartd.service enabled
sysstat.service enabled
systemd-readahead-collect.service enabled
systemd-readahead-drop.service enabled
systemd-readahead-replay.service enabled
tuned.service enabled
udisks2.service enabled


$ rpcinfo -p 10.0.1.111
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: rpcbind,X11 ports are open

Post by aks » 2018/12/07 21:24:42

> Has my system been compromised?
Short answer: probably not.

Long(er) answer:
You have several listeners - things listening for network based connections. TCP/111 is rpcbind - usually used for NFS these days. You also have X listening for connections - I guess some people don't realise that UNIX/Linux X11 programs can be used over the network - i.e. you can connect to the GUI from a remote machine over the network. It does work (there are many problems with it though). As it's a 1980s designed thing, X over the network should probably be considered insecure and should not be used (although I've been known to use it over SSH).
You also have (probably) postfix listening for SMTP connections.

Your established connections are:
Multiple chrome connections (I guess what you are using) and multiple connections is not unusual.
gnome-software has at some point connected to xxx.xxx.xxx.xxx - you don't list the details, but gnome does reach out over the internet and yes it blows and (AFAIK) you can't really switch it off within gnome.
> I am using CentOS to only run Chrome. That's it
No you are not. Chrome requires the GUI (at the very least) and the GUI requires other things and so on. You are very rarely not running just one program.
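
An added example, not part of the original thread, for reading the listener list discussed above: a shell function that takes netstat rows and reports, per TCP port, whether the socket is bound to loopback only or to all interfaces. The sample rows are copied from the `netstat -vatnp` output in the first post; the function name `classify_listeners` is made up for this example.

```shell
#!/bin/sh
# Constructed sample: rows copied from the netstat output in the first post.
SAMPLE='tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 4962/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6105/master
tcp 0 0 10.0.1.111:33324 xxx.xx7.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::6000 :::* LISTEN 4962/X
tcp6 0 0 ::1:25 :::* LISTEN 6105/master'

# classify_listeners (hypothetical helper): read netstat TCP rows on stdin and
# print one line per listening port as "<port> <scope> <program>", where scope is
#   loopback - bound only to 127.0.0.0/8 or ::1, not reachable from other hosts
#   all      - bound to 0.0.0.0 or ::, reachable unless the firewall blocks it
#   specific - bound to one non-loopback address
classify_listeners() {
    awk '
    BEGIN { rank["loopback"] = 1; rank["specific"] = 2; rank["all"] = 3 }
    $6 == "LISTEN" {
        port = $4; sub(/^.*:/, "", port)      # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host ~ /^127\./ || host == "::1")       scope = "loopback"
        else if (host == "0.0.0.0" || host == "::") scope = "all"
        else                                        scope = "specific"
        prog = $7; sub(/^[0-9]+\//, "", prog)  # drop the PID prefix
        # tcp and tcp6 rows for one port merge; keep the widest scope seen
        if (!(port in seen) || rank[scope] > rank[seen[port]]) {
            seen[port] = scope
            name[port] = prog
        }
    }
    END { for (p in seen) print p, seen[p], name[p] }
    ' | sort -n
}

# Stand-alone run on the sample; on a live system pipe in: sudo netstat -tnlp
printf '%s\n' "$SAMPLE" | classify_listeners
```

Ports reported as `all` are only candidates for exposure: whether another host can reach them still depends on the firewall, which is why a scan has to be run from a different machine.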

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: rpcbind,X11 ports are open

Post by TrevorH » 2018/12/08 06:58:14

Where are you running nmap? If it's on the same machine then the results are invalid as the kernel internally redirects requests sent to the ip address assigned to local interfaces to 127.0.0.1. This means you hit the firewall rule that lets any connection on localhost through.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

czvcv
Posts: 5
Joined: 2018/11/24 10:50:49

Re: rpcbind,X11 ports are open

Post by czvcv » 2018/12/08 10:24:00

I run nmap on the same machine I scan the ports on. My desktop.

but it normal when x11 has open ports,
it seems run by path :


/tmp/.X11-unix/X0
@/tmp/.X11-unix/X0


Do any CentOS desktop users have it?

I disabled rpcbind via systemctl disable; I no longer have an open port on 111.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: rpcbind,X11 ports are open

Post by TrevorH » 2018/12/08 14:38:29

> I run nmap on the same machine I scan the ports on. My desktop.
As I said, that's pretty pointless. You're just making a list of the things that are listening on your machine. It doesn't take account of firewall settings or anything.
