[69382] in North American Network Operators' Group
IOS 12.3(x) Strange service ports open on router
daemon@ATHENA.MIT.EDU (Robert Blayzor)
Fri Apr 9 14:54:01 2004
Date: Fri, 09 Apr 2004 14:53:16 -0400
From: Robert Blayzor <rblayzor@inoc.net>
To: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu
I'm wondering if anyone who recently upgraded to IOS 12.3 on any access
servers has run into this problem...
We recently upgraded our AS5x00 access servers to the 12.3(x) main line.
Upon doing so we started seeing some very strange RADIUS accounting
records coming from IP addresses all over the Internet. Normally these
boxes are ACL'd, but upon scanning an IP address that the routers listen
on, nmap shows a slew of open TCP service ports which accept connections.
Upon connecting to one of the ports we're prompted for username and
password just as if we connected to the VTY management lines. If we try
to log in, it queries the RADIUS server.
The question is: why are the routers suddenly answering on tons of ports,
and is there a way to turn these service ports off? Normally these routers
only listen on ports 22/23 and 514 at best.
Upon nmapping the access servers now, we see something like the below.
(TAC suggested an access-list; I know we can apply an access-list to
block all this, but then that means we have to put ingress access-lists
on every interface, including connected modem users, etc.)
2001/tcp open dc
2003/tcp open cfingerd
2005/tcp open deslogin
2007/tcp open dectalk
2008/tcp open conf
2009/tcp open news
2011/tcp open raid-cc
2012/tcp open ttyinfo
2013/tcp open raid-am
2014/tcp open troff
2015/tcp open cypress
2016/tcp open bootserver
2019/tcp open whosockami
2021/tcp open servexec
2022/tcp open down
2023/tcp open xinuexpansion3
2025/tcp open ellpack
2026/tcp open scrabble
2027/tcp open shadowserver
2028/tcp open submitserver
2030/tcp open device2
2034/tcp open scoremgr
2035/tcp open imsldoc
2041/tcp open interbase
2042/tcp open isis
2043/tcp open isis-bcast
2044/tcp open rimsl
2045/tcp open cdfunc
2046/tcp open sdfunc
2049/tcp open nfs
2064/tcp open dnet-keyproxy
2067/tcp open dlswpn
2105/tcp open eklogin
2106/tcp open ekshell
2108/tcp open rkinit
2112/tcp open kip
4008/tcp open netcheque
4045/tcp open lockd
4133/tcp open nuts_bootp
6001/tcp open X11:1
6003/tcp open X11:3
6005/tcp open X11:5
6007/tcp open X11:7
6008/tcp open X11:8
6009/tcp open X11:9
6101/tcp open VeritasBackupExec
6103/tcp open RETS-or-BackupExec
6105/tcp open isdninfo
6106/tcp open isdninfo
6110/tcp open softcm
6112/tcp open dtspc
6142/tcp open aspentec-lm
6143/tcp open watershed-lm
6145/tcp open statsci2-lm
6146/tcp open lonewolf-lm
6147/tcp open montage-lm
6148/tcp open ricardo-lm
9090/tcp open zeus-admin
9100/tcp open jetdirect
9152/tcp open ms-sql2000
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor@inoc.net
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5 0E93 8D02 9D0B CB1A A7B0
Years of development: We finally got one to work.
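A baseline check of the kind this post invites, as an added example (not from the original post, Cisco, or nmap): it parses nmap normal output, flags open TCP ports outside the 22/23/514 baseline the post gives, and labels them by Cisco's async-line TCP port convention (2000+line reverse telnet, 4000+line raw TCP, 6000+line binary telnet); the scan lines in SAMPLE are constructed.

```python
import re
from collections import defaultdict

# Ports the post says the access servers normally listen on.
BASELINE_TCP = {22, 23, 514}

# Cisco convention for async-line TCP services (2000+line: reverse telnet,
# 4000+line: raw TCP, 6000+line: binary telnet); used only to label findings.
LINE_RANGES = (
    (2000, 2999, "reverse-telnet (2000+line)"),
    (4000, 4999, "raw TCP (4000+line)"),
    (6000, 6999, "binary telnet (6000+line)"),
)

# nmap normal-output line: "<port>/<proto> open <service>". The service name
# is nmap's port-table label, not a probe result, so it is parsed but not trusted.
PORT_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\s+(\S+)")

def parse_nmap(text):
    """Return (port, proto, service) tuples for every open-port line."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(PORT_RE.match, text.splitlines()) if m]

def classify(port):
    """Label a port by the async-line range it falls in, or 'other'."""
    for lo, hi, label in LINE_RANGES:
        if lo <= port <= hi:
            return label
    return "other"

def unexpected_listeners(text, baseline=BASELINE_TCP):
    """Group open TCP ports outside the baseline by likely line-service range."""
    groups = defaultdict(list)
    for port, proto, _service in parse_nmap(text):
        if proto == "tcp" and port not in baseline:
            groups[classify(port)].append(port)
    return {label: sorted(ports) for label, ports in groups.items()}

# Constructed sample, modelled on the scan quoted in the post.
SAMPLE = """\
22/tcp   open  ssh
2001/tcp open  dc
2003/tcp open  cfingerd
4008/tcp open  netcheque
6001/tcp open  X11:1
9090/tcp open  zeus-admin
"""
if __name__ == "__main__":
    for label, ports in unexpected_listeners(SAMPLE).items():
        print(f"{label}: {ports}")
```

Service names such as "dc" or "cfingerd" in the post's scan are nmap's port-number table lookups, not fingerprints of what is actually answering, which is why they look unrelated to a router; the ranges, not the names, are what to compare against the baseline.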