IOS 12.3(x) Strange service ports open on router

Petri Helenius pete at he.iki.fi
Fri Apr 9 19:20:23 UTC 2004


Robert Blayzor wrote:

>
> I'm wondering if anyone who recently upgraded to IOS 12.3 on any
> access servers has run into this problem...
>
Put "transport input none" to your tty lines.

Pete

> We recently upgraded our AS5x00 access servers to the 12.3(x) main 
> line.  Upon doing so we started seeing some very strange RADIUS accounting
> records coming from IP addresses all over the Internet.  Normally these
> boxes are ACL'd but upon scanning an IP address that the routers listen
> on nmap shows a slew of open TCP service ports which accept 
> connections.  Upon connecting to one of the ports we're prompted for 
> username and password just as if we connected to the VTY management 
> lines.  If we try to log in, it queries the RADIUS server.
>
> The question is why suddenly are the routers answering on tons of 
> ports, is there a way to turn these service ports off?  Normally these 
> routers only listen on port 22/23 and 514 at best.
>
> Upon nmapping the access servers now, we see something like the below.
> (TAC suggested an access-list; I know we can apply an access-list to
> block all this, but then that means we have to put ingress access-lists
> on every interface, including connected modem users, etc.)
>
> 2001/tcp   open        dc
> 2003/tcp   open        cfingerd
> 2005/tcp   open        deslogin
> 2007/tcp   open        dectalk
> 2008/tcp   open        conf
> 2009/tcp   open        news
> 2011/tcp   open        raid-cc
> 2012/tcp   open        ttyinfo
> 2013/tcp   open        raid-am
> 2014/tcp   open        troff
> 2015/tcp   open        cypress
> 2016/tcp   open        bootserver
> 2019/tcp   open        whosockami
> 2021/tcp   open        servexec
> 2022/tcp   open        down
> 2023/tcp   open        xinuexpansion3
> 2025/tcp   open        ellpack
> 2026/tcp   open        scrabble
> 2027/tcp   open        shadowserver
> 2028/tcp   open        submitserver
> 2030/tcp   open        device2
> 2034/tcp   open        scoremgr
> 2035/tcp   open        imsldoc
> 2041/tcp   open        interbase
> 2042/tcp   open        isis
> 2043/tcp   open        isis-bcast
> 2044/tcp   open        rimsl
> 2045/tcp   open        cdfunc
> 2046/tcp   open        sdfunc
> 2049/tcp   open        nfs
> 2064/tcp   open        dnet-keyproxy
> 2067/tcp   open        dlswpn
> 2105/tcp   open        eklogin
> 2106/tcp   open        ekshell
> 2108/tcp   open        rkinit
> 2112/tcp   open        kip
> 4008/tcp   open        netcheque
> 4045/tcp   open        lockd
> 4133/tcp   open        nuts_bootp
> 6001/tcp   open        X11:1
> 6003/tcp   open        X11:3
> 6005/tcp   open        X11:5
> 6007/tcp   open        X11:7
> 6008/tcp   open        X11:8
> 6009/tcp   open        X11:9
> 6101/tcp   open        VeritasBackupExec
> 6103/tcp   open        RETS-or-BackupExec
> 6105/tcp   open        isdninfo
> 6106/tcp   open        isdninfo
> 6110/tcp   open        softcm
> 6112/tcp   open        dtspc
> 6142/tcp   open        aspentec-lm
> 6143/tcp   open        watershed-lm
> 6145/tcp   open        statsci2-lm
> 6146/tcp   open        lonewolf-lm
> 6147/tcp   open        montage-lm
> 6148/tcp   open        ricardo-lm
> 9090/tcp   open        zeus-admin
> 9100/tcp   open        jetdirect
> 9152/tcp   open        ms-sql2000
>
>
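
An added example, not part of the original post or of either poster's configuration: a small Python audit that reads a saved IOS configuration, flags every tty line stanza that lacks an explicit `transport input none`, and lists the per-line TCP port ranges that stanza can answer on. The sample configuration is constructed; the port bases (2000/4000/6000/9000 plus the line number) come from general Cisco documentation, and treating a bare `line N M` as a tty range and a missing `transport input` statement as a finding to review are assumptions, since defaults vary by release.

```python
import re

# TCP port bases IOS uses for connections to an individual line (port = base +
# absolute line number). These come from general Cisco documentation, not the post.
LINE_PORT_BASES = {"telnet": 2000, "raw-tcp": 4000, "binary-telnet": 6000, "xremote": 9000}
LINE_RE = re.compile(r"^line\s+(?:(con|aux|vty|tty)\s+)?(\d+)(?:\s+(\d+))?$")

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONFIG = """\
line con 0
 exec-timeout 5 0
line 1 48
 modem InOut
 transport input all
line 49 96
 modem Dialin
 transport input none
line aux 0
line vty 0 4
 transport input ssh
"""

def audit_lines(config_text):
    """Return one finding per tty line stanza without 'transport input none'."""
    stanzas, current = [], None
    for raw in config_text.splitlines():
        indented = raw.startswith(" ")
        m = None if indented else LINE_RE.match(raw.strip())
        if m:  # assumption: a bare "line N M" with no keyword is a tty range
            first = int(m.group(2))
            current = {"kind": m.group(1) or "tty", "first": first,
                       "last": int(m.group(3) or first), "transport": "unset"}
            stanzas.append(current)
        elif indented and current is not None:
            t = re.match(r"transport input\s+(.+)", raw.strip())
            if t:
                current["transport"] = t.group(1).strip()
        else:
            current = None  # any other top-level command closes the stanza
    findings = []
    for s in stanzas:
        if s["kind"] != "tty" or s["transport"] == "none":
            continue  # con/aux/vty are out of scope; 'none' is the fix from the reply
        ports = {name: (base + s["first"], base + s["last"])
                 for name, base in LINE_PORT_BASES.items()}
        findings.append({"first": s["first"], "last": s["last"],
                         "transport": s["transport"], "ports": ports})
    return findings
```

Slot/port line numbering (for example `line 1/00 1/107`) is not parsed by this sketch; only absolute line numbers are handled.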