i use centos 7.6 as a desktop.
i run nmap scan on my desktop and the results are:
sudo nmap -sT -sV 10.0.1.111
111/tcp open rpcbind 2-4 (RPC #100000)
6000/tcp open X11 (access denied)
i use netstat to see what program used these ports
sudo netstat -vatnp
results :
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 4962/X
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 6105/master
tcp 0 0 10.0.1.111:33324 xxx.xx7.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 32 0 10.0.1.111:50206 xxx.xxx.xxx.xxx:443 CLOSE_WAIT 6770/gnome-software
tcp 0 0 10.0.1.111:39834 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 0 0 10.0.1.111:44798 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 0 0 10.0.1.111:59502 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp 0 0 10.0.1.111:53520 xxx.xxx.xxx:443 ESTABLISHED 7117/chrome
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::6000 :::* LISTEN 4962/X
tcp6 0 0 ::1:25 :::* LISTEN 6105/master
i am using centos to only run Chrome. that's it. nothing else and i didnt not run any other program, or install.
my system been compromise ?
- my firewall zone is on Public and i blocked ssh.
$ sudo netstat -le --inet||less
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN root 34040
tcp 0 0 0.0.0.0:x11 0.0.0.0:* LISTEN root 31144
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN root 39930
udp 0 0 0.0.0.0:bootpc 0.0.0.0:* root 913655
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:* root 34041
udp 0 0 0.0.0.0:webster 0.0.0.0:* root 1093798
udp 0 0 0.0.0.0:mdns 0.0.0.0:* xxxx 912274
udp 0 0 0.0.0.0:mdns 0.0.0.0:* xxxx 912272
udp 0 0 0.0.0.0:mdns 0.0.0.0:* avahi 27431
udp 0 0 0.0.0.0:55607 0.0.0.0:* avahi 27432
$ systemctl list-unit-files --state=enabled
UNIT FILE STATE
abrt-ccpp.service enabled
abrt-oops.service enabled
abrt-vmcore.service enabled
abrt-xorg.service enabled
abrtd.service enabled
accounts-daemon.service enabled
atd.service enabled
auditd.service enabled
autovt@.service enabled
avahi-daemon.service enabled
crond.service enabled
dbus-org.fedoraproject.FirewallD1.service enabled
dbus-org.freedesktop.Avahi.service enabled
dbus-org.freedesktop.NetworkManager.service enabled
dbus-org.freedesktop.nm-dispatcher.service enabled
display-manager.service enabled
dmraid-activation.service enabled
firewalld.service enabled
gdm.service enabled
getty@.service enabled
initial-setup-reconfiguration.service enabled
irqbalance.service enabled
kdump.service enabled
ksm.service enabled
ksmtuned.service enabled
libstoragemgmt.service enabled
lvm2-monitor.service enabled
mdmonitor.service enabled
microcode.service enabled
multipathd.service enabled
NetworkManager-dispatcher.service enabled
NetworkManager-wait-online.service enabled
NetworkManager.service enabled
postfix.service enabled
qemu-guest-agent.service enabled
rhel-autorelabel.service enabled
rhel-configure.service enabled
rhel-dmesg.service enabled
rhel-domainname.service enabled
rhel-import-state.service enabled
rhel-loadmodules.service enabled
rhel-readonly.service enabled
rngd.service enabled
rsyslog.service enabled
rtkit-daemon.service enabled
smartd.service enabled
sysstat.service enabled
systemd-readahead-collect.service enabled
systemd-readahead-drop.service enabled
systemd-readahead-replay.service enabled
tuned.service enabled
udisks2.service enabled
$ rpcinfo -p 10.0.1.111
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
rpcbind,X11 ports are open
Re: rpcbind,X11 ports are open
Short answer: probably not.my system been compromise ?
Long(er) answer:
You have several listeners - things listening for network based connections. TCP/111 is rpcbind - usually used for NFS threse days. You also have X listening for connections - I guess some people don't realise that UNIX/Linux X11 programs can be used over the network - i.e.: you can connect to the GUI from a remote machine over the network. It does work (there are many problems with it though). As it's a 1980s designed thing, X over the network should probably be considered insecure and should not be used (although I've been known to use it over SSH).
You also have (probably) postfix listening for SMTP connections.
Your established connections are:
Multiple chrome connections (I guess what you are using) and multiple connections is not unusual.
gnome-software has at some point connected to xxx.xxx.xxx.xxx - you don't list the details, but gnome does reach out over the internet and yes it blows and (AFAIK) you can't really switch it off within gnome.
No you are not. Chrome requires the GUI (at the very least) and the GUI requires other things and so on. You are very rarely not running just one program.i am using centos to only run Chrome. that's it
Re: rpcbind,X11 ports are open
Where are you running nmap? If it's on the same machine then the results are invalid as the kernel internally redirects requests sent to the ip address assigned to local interfaces to 127.0.0.1. This means you hit the firewall rule that lets any connection on localhost through.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: rpcbind,X11 ports are open
i run nmap in the same machine i scan the ports. my desktop.
but it normal when x11 has open ports,
it seems run by path :
/tmp/.X11-unix/X0
@/tmp/.X11-unix/X0
any centos desktop users has it ?
i disable rpcbind via systemctl disable no longer i have open port on 111.
but it normal when x11 has open ports,
it seems run by path :
/tmp/.X11-unix/X0
@/tmp/.X11-unix/X0
any centos desktop users has it ?
i disable rpcbind via systemctl disable no longer i have open port on 111.
Re: rpcbind,X11 ports are open
As I said, that's pretty pointless. You're just making a list of the things that are listening on your machine. It doesn't take account of firewall settings or anything.i run nmap in the same machine i scan the ports. my desktop.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke