[69383] in North American Network Operators' Group
Re: IOS 12.3(x) Strange service ports open on router
daemon@ATHENA.MIT.EDU (Petri Helenius)
Fri Apr 9 15:21:12 2004
Date: Fri, 09 Apr 2004 22:20:23 +0300
From: Petri Helenius <pete@he.iki.fi>
To: Robert Blayzor <rblayzor@inoc.net>
Cc: nanog@merit.edu
In-Reply-To: <4076F11C.1070506@inoc.net>
Errors-To: owner-nanog-outgoing@merit.edu
Robert Blayzor wrote:
>
> I'm wondering if anyone that recently upgraded to IOS 12.3 on any
> access servers has run into this problem...
>
Put "transport input none" on your tty lines.
Pete
> We recently upgraded our AS5x00 access servers to the 12.3(x) main
> line. Upon doing so we started seeing some very strange RADIUS
> accounting records coming from IP addresses all over the Internet.
> Normally these
> boxes are ACL'd but upon scanning an IP address that the routers listen
> on nmap shows a slew of open TCP service ports which accept
> connections. Upon connecting to one of the ports we're prompted for
> username and password just as if we connected to the VTY management
> lines. If we try to log in, it queries the RADIUS server.
>
> The question is why suddenly are the routers answering on tons of
> ports? Is there a way to turn these service ports off? Normally these
> routers only listen on port 22/23 and 514 at best.
>
> Upon nmapping the access servers now, we see something like the below.
> (TAC suggested an access-list; I know we can apply an access-list to
> block all this, but then that means we have to put ingress access-lists
> on every interface, including connected modem users, etc.)
>
> 2001/tcp open dc
> 2003/tcp open cfingerd
> 2005/tcp open deslogin
> 2007/tcp open dectalk
> 2008/tcp open conf
> 2009/tcp open news
> 2011/tcp open raid-cc
> 2012/tcp open ttyinfo
> 2013/tcp open raid-am
> 2014/tcp open troff
> 2015/tcp open cypress
> 2016/tcp open bootserver
> 2019/tcp open whosockami
> 2021/tcp open servexec
> 2022/tcp open down
> 2023/tcp open xinuexpansion3
> 2025/tcp open ellpack
> 2026/tcp open scrabble
> 2027/tcp open shadowserver
> 2028/tcp open submitserver
> 2030/tcp open device2
> 2034/tcp open scoremgr
> 2035/tcp open imsldoc
> 2041/tcp open interbase
> 2042/tcp open isis
> 2043/tcp open isis-bcast
> 2044/tcp open rimsl
> 2045/tcp open cdfunc
> 2046/tcp open sdfunc
> 2049/tcp open nfs
> 2064/tcp open dnet-keyproxy
> 2067/tcp open dlswpn
> 2105/tcp open eklogin
> 2106/tcp open ekshell
> 2108/tcp open rkinit
> 2112/tcp open kip
> 4008/tcp open netcheque
> 4045/tcp open lockd
> 4133/tcp open nuts_bootp
> 6001/tcp open X11:1
> 6003/tcp open X11:3
> 6005/tcp open X11:5
> 6007/tcp open X11:7
> 6008/tcp open X11:8
> 6009/tcp open X11:9
> 6101/tcp open VeritasBackupExec
> 6103/tcp open RETS-or-BackupExec
> 6105/tcp open isdninfo
> 6106/tcp open isdninfo
> 6110/tcp open softcm
> 6112/tcp open dtspc
> 6142/tcp open aspentec-lm
> 6143/tcp open watershed-lm
> 6145/tcp open statsci2-lm
> 6146/tcp open lonewolf-lm
> 6147/tcp open montage-lm
> 6148/tcp open ricardo-lm
> 9090/tcp open zeus-admin
> 9100/tcp open jetdirect
> 9152/tcp open ms-sql2000
>
>
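Added example, not part of the original thread: the ports in the quoted scan sit at 2000+n, 4000+n, 6000+n and 9000+n, the offsets Cisco documents for per-line reverse Telnet, raw TCP, binary Telnet and XRemote connections to line n, which is why the fix is applied on the tty lines. The Python sketch below groups nmap "open" lines by the line number they imply so an operator can see which lines still accept inbound connections. The sample input is constructed in the format of the scan above, the function and variable names are hypothetical, and a match is a hint to check the line configuration, not proof.

```python
import re
from collections import defaultdict

# Per-line base ports (Cisco's documented convention; an assumption here,
# since the thread itself does not state the mapping).
BASES = {2000: "telnet", 4000: "raw-tcp", 6000: "telnet-binary", 9000: "xremote"}

# Matches nmap lines such as "> 2001/tcp open dc", with or without quote marks.
PORT_RE = re.compile(r"^\W*(\d+)/tcp\s+open\b", re.M)

# Constructed sample in the format of the scan quoted in the thread.
SAMPLE = """\
> 22/tcp open ssh
> 2001/tcp open dc
> 2008/tcp open conf
> 4008/tcp open netcheque
> 6001/tcp open X11:1
> 6008/tcp open X11:8
> 9100/tcp open jetdirect
"""

def exposed_lines(scan_text, max_line=999):
    """Return ({line_number: [services]}, [ports outside the per-line ranges])."""
    lines = defaultdict(set)
    other = []
    for port in (int(p) for p in PORT_RE.findall(scan_text)):
        base = port - port % 1000      # e.g. 6008 -> 6000
        n = port - base                # e.g. 6008 -> line 8
        if base in BASES and 1 <= n <= max_line:
            lines[n].add(BASES[base])
        else:
            other.append(port)         # e.g. 22: expected management port
    return {n: sorted(s) for n, s in sorted(lines.items())}, other

if __name__ == "__main__":
    lines, other = exposed_lines(SAMPLE)
    for n, services in lines.items():
        print(f"line {n}: reachable via {', '.join(services)}")
    print("ports outside the per-line ranges:", other)
```

Re-running the scan after the configuration change and feeding the output through the same function should return an empty mapping, leaving only the intended management ports in the second list.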