[plug] what uses port 98?

Bernard Blackham bernard at blackham.com.au
Sun Nov 19 11:35:56 WST 2000


On Sun, 19 Nov 2000, BillK wrote:
> What uses port 98? My listing shows it as something called "TACS".

Port 98 most commonly, AFAIK, is Linuxconf's web configuration tool. I'm
not sure about its security, but I personally disable it and block the
port with ipchains.

> The last few weeks ipchains has suddenly started logging and denying a
> few connection attempts on the port from different locations.  Last
> night I got curious and probing showed a RedHat 6.2 box in Canada - with
> most services showing so I presume no firewall! It seems likely it's a
> valid service of some kind, though why pick on my dialup connection?

Familiar story... Sounds like somebody cracked the Canada box, and then
used that as the source of further attacks to mask their own identity.
People run scripts to scour and scan the internet for vulnerable boxes to
drop into, and a vulnerable port 98 would probably be a hacker's delight.

Being absolutely security paranoid, you should disable Linuxconf's web
access (in the menus somewhere...) and block the port with ipchains, which
you seem to have done, so all is good. Going off track, it could be worth
doing a port scan on your internet IP (with nmap) and see what's open that
doesn't need to be.

My question... What tools are available to detect stealth SYN
scans? E.g., to find SYNs without matching ACKs? I've seen tools that
simply log all TCP packets, and it would be decipherable out of them, but
is there any way to filter out stealth scans or similar?


Bernard.

--
 Bernard Blackham
 bernard at blackham.com.au
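
The filtering asked about above (SYNs with no matching ACK, pulled out of a log of all TCP packets), as an added example that is not part of the original post. The log format, the addresses (documentation ranges), and the names `parse` and `find_syn_scanners` are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample: "time src:sport dst:dport flags" (S=SYN, A=ACK, R=RST, P=PSH).
SAMPLE_LOG = """\
10:00:01 203.0.113.7:40001 192.0.2.10:21 S
10:00:01 192.0.2.10:21 203.0.113.7:40001 RA
10:00:01 203.0.113.7:40002 192.0.2.10:22 S
10:00:01 192.0.2.10:22 203.0.113.7:40002 SA
10:00:01 203.0.113.7:40002 192.0.2.10:22 R
10:00:02 203.0.113.7:40003 192.0.2.10:98 S
10:00:02 203.0.113.7:40004 192.0.2.10:80 S
10:00:02 192.0.2.10:80 203.0.113.7:40004 SA
10:00:02 203.0.113.7:40004 192.0.2.10:80 R
10:00:05 198.51.100.4:51000 192.0.2.10:80 S
10:00:05 192.0.2.10:80 198.51.100.4:51000 SA
10:00:05 198.51.100.4:51000 192.0.2.10:80 A
10:00:06 198.51.100.4:51000 192.0.2.10:80 PA
"""

def parse(line):
    """Split one log line into (src_ip, src_port, dst_ip, dst_port, flag set)."""
    _time, src, dst, flags = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return s_ip, int(s_port), d_ip, int(d_port), set(flags)

def find_syn_scanners(log, min_ports=3):
    """Return {source_ip: sorted ports} for sources that sent a bare SYN to
    at least min_ports distinct ports and never completed the handshake."""
    pending = set()  # flows (client, cport, server, sport) still awaiting the client's ACK
    for line in log.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, flags = parse(line)
        if flags == {"S"}:
            pending.add((src, sport, dst, dport))      # bare SYN opens a flow
        elif "A" in flags and not flags & {"S", "R"}:
            pending.discard((src, sport, dst, dport))  # client ACK: a real connection
    half_open = defaultdict(set)
    for src, _sport, _dst, dport in pending:
        half_open[src].add(dport)
    return {ip: sorted(p) for ip, p in half_open.items() if len(p) >= min_ports}

if __name__ == "__main__":
    print(find_syn_scanners(SAMPLE_LOG))
```

A SYN answered by RST, or a SYN-ACK answered by the client's own RST, both leave the flow unacknowledged, so the half-open pattern is counted whether the probed port was open or closed.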