David Baron (d_ba...@012.net.il on 2011-12-27 12:12 +0200):
> Warning: Network TCP port 13000 is being used by /sbin/rpc.statd.
> Possible rootkit: Possible Universal Rootkit (URK) SSH server
> Use the 'lsof -i' or 'netstat -an' command to check this.
>
> rpc.statd is started by nfs-common.
>
> False alarm? Bug? Serous trouble?
If you have installed rpc.statd and have it running, it could be a
false alarm. Have you tried profiling the port (with an ssh client or
nmap)?
You can ask rpcinfo for confirmation:
$ rpcinfo -p
program vers proto port
[..]
100024 1 udp 20492 status
100024 1 tcp 20492 status
# lsof -i |grep stat
rpc.statd 15685 statd 5u IPv4 46309 0t0 UDP *:1021
rpc.statd 15685 statd 7u IPv4 46318 0t0 UDP *:20492
rpc.statd 15685 statd 8u IPv4 46321 0t0 TCP *:20492 (LISTEN)
By default, rpc.statd uses a random port number. If you restart
nfs-common, chances are that it will pick a different port number. You
can force a different (static) port by editing /etc/default/nfs-common.
Regards,
Arno
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20111227202333.5fe6f...@neminis.intra.loos.site
