IOS 12.3(x) Strange service ports open on router

Robert Blayzor rblayzor at inoc.net
Fri Apr 9 18:53:16 UTC 2004


I'm wondering if anyone that recently upgraded to IOS 12.3 on any access
servers has run into this problem...

We recently upgraded our AS5x00 access servers to the 12.3(x) main line.
Upon doing so we started seeing some very strange RADIUS accounting
records coming from IP addresses all over the Internet.  Normally these
boxes are ACL'd, but upon scanning an IP address that the routers listen
on, nmap shows a slew of open TCP service ports which accept connections.
Upon connecting to one of the ports we're prompted for username and
password just as if we connected to the VTY management lines.  If we try
to log in, it queries the RADIUS server.

The question is why suddenly are the routers answering on tons of ports,
and is there a way to turn these service ports off?  Normally these routers
only listen on port 22/23 and 514 at best.

Upon nmapping the access servers now, we see something like the below.
(TAC suggested an access-list; I know we can apply an access-list to
block all this, but then that means we have to put ingress access-lists
on every interface, including connected modem users, etc.)

2001/tcp   open        dc
2003/tcp   open        cfingerd
2005/tcp   open        deslogin
2007/tcp   open        dectalk
2008/tcp   open        conf
2009/tcp   open        news
2011/tcp   open        raid-cc
2012/tcp   open        ttyinfo
2013/tcp   open        raid-am
2014/tcp   open        troff
2015/tcp   open        cypress
2016/tcp   open        bootserver
2019/tcp   open        whosockami
2021/tcp   open        servexec
2022/tcp   open        down
2023/tcp   open        xinuexpansion3
2025/tcp   open        ellpack
2026/tcp   open        scrabble
2027/tcp   open        shadowserver
2028/tcp   open        submitserver
2030/tcp   open        device2
2034/tcp   open        scoremgr
2035/tcp   open        imsldoc
2041/tcp   open        interbase
2042/tcp   open        isis
2043/tcp   open        isis-bcast
2044/tcp   open        rimsl
2045/tcp   open        cdfunc
2046/tcp   open        sdfunc
2049/tcp   open        nfs
2064/tcp   open        dnet-keyproxy
2067/tcp   open        dlswpn
2105/tcp   open        eklogin
2106/tcp   open        ekshell
2108/tcp   open        rkinit
2112/tcp   open        kip
4008/tcp   open        netcheque
4045/tcp   open        lockd
4133/tcp   open        nuts_bootp
6001/tcp   open        X11:1
6003/tcp   open        X11:3
6005/tcp   open        X11:5
6007/tcp   open        X11:7
6008/tcp   open        X11:8
6009/tcp   open        X11:9
6101/tcp   open        VeritasBackupExec
6103/tcp   open        RETS-or-BackupExec
6105/tcp   open        isdninfo
6106/tcp   open        isdninfo
6110/tcp   open        softcm
6112/tcp   open        dtspc
6142/tcp   open        aspentec-lm
6143/tcp   open        watershed-lm
6145/tcp   open        statsci2-lm
6146/tcp   open        lonewolf-lm
6147/tcp   open        montage-lm
6148/tcp   open        ricardo-lm
9090/tcp   open        zeus-admin
9100/tcp   open        jetdirect
9152/tcp   open        ms-sql2000


-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

Years of development: We finally got one to work.
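
The baseline comparison the post does by eye (open ports versus the 22/23 and 514 it expects), as an added example that is not part of the original message. The sample scan lines are constructed in the post's nmap format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Baseline from the post: "only listen on port 22/23 and 514 at best".
EXPECTED_TCP = {22, 23, 514}

# Constructed sample in the nmap format shown in the post, plus two
# baseline ports so the allow-list path is exercised.
SAMPLE_SCAN = """\
22/tcp     open        ssh
23/tcp     open        telnet
2001/tcp   open        dc
2003/tcp   open        cfingerd
4008/tcp   open        netcheque
6001/tcp   open        X11:1
6003/tcp   open        X11:3
9090/tcp   open        zeus-admin
9100/tcp   open        jetdirect
"""

# The third column is nmap's lookup of the port number in its services
# table, not what actually answered; the post reports a login prompt.
LINE_RE = re.compile(r"^\s*(\d{1,5})/tcp\s+open\s+(\S+)")


def parse_open_tcp(scan_text):
    """Return {port: nmap_service_guess} for every open TCP port line."""
    ports = {}
    for line in scan_text.splitlines():
        m = LINE_RE.match(line)
        if m and 0 < int(m.group(1)) <= 65535:
            ports[int(m.group(1))] = m.group(2)
    return ports


def unexpected_ports(scan_text, expected=EXPECTED_TCP):
    """Group open ports outside the baseline by 1000-port block."""
    blocks = defaultdict(list)
    for port in sorted(parse_open_tcp(scan_text)):
        if port not in expected:
            blocks[port // 1000 * 1000].append(port)
    return dict(blocks)


if __name__ == "__main__":
    for base, ports in unexpected_ports(SAMPLE_SCAN).items():
        print(f"{base}-{base + 999}: {len(ports)} unexpected -> {ports}")
```

Run against scans taken before and after an upgrade, the per-block grouping makes a change in the listening set visible without reading the service-name column.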



