North American Network Operators Group


Re: IOS 12.3(x) Strange service ports open on router

  • From: Petri Helenius
  • Date: Fri Apr 09 15:23:06 2004

Robert Blayzor wrote:


I'm wondering if anyone that recently upgraded to IOS 12.3 on any access servers has run into this problem...

Put "transport input none" to your tty lines.

Pete

We recently upgraded our AS5x00 access servers to the 12.3(x) main line. Upon doing so we started seeing some very strange RADIUS accounting records coming from IP addresses all over the Internet. Normally these boxes are ACL'd but upon scanning an IP address that the routers listen on nmap shows a slew of open TCP service ports which accept connections. Upon connecting to one of the ports we're prompted for username and password just as if we connected to the VTY management lines. If we try to log in, it queries the RADIUS server.

The question is why the routers are suddenly answering on tons of ports, and is there a way to turn these service ports off? Normally these routers only listen on port 22/23 and 514 at best.

Upon nmapping the access servers now, we see something like the below.
(TAC suggested an access-list; I know we can apply an access-list to
block all this, but then that means we have to put ingress access-lists
on every interface, including connected modem users, etc.)

2001/tcp open dc
2003/tcp open cfingerd
2005/tcp open deslogin
2007/tcp open dectalk
2008/tcp open conf
2009/tcp open news
2011/tcp open raid-cc
2012/tcp open ttyinfo
2013/tcp open raid-am
2014/tcp open troff
2015/tcp open cypress
2016/tcp open bootserver
2019/tcp open whosockami
2021/tcp open servexec
2022/tcp open down
2023/tcp open xinuexpansion3
2025/tcp open ellpack
2026/tcp open scrabble
2027/tcp open shadowserver
2028/tcp open submitserver
2030/tcp open device2
2034/tcp open scoremgr
2035/tcp open imsldoc
2041/tcp open interbase
2042/tcp open isis
2043/tcp open isis-bcast
2044/tcp open rimsl
2045/tcp open cdfunc
2046/tcp open sdfunc
2049/tcp open nfs
2064/tcp open dnet-keyproxy
2067/tcp open dlswpn
2105/tcp open eklogin
2106/tcp open ekshell
2108/tcp open rkinit
2112/tcp open kip
4008/tcp open netcheque
4045/tcp open lockd
4133/tcp open nuts_bootp
6001/tcp open X11:1
6003/tcp open X11:3
6005/tcp open X11:5
6007/tcp open X11:7
6008/tcp open X11:8
6009/tcp open X11:9
6101/tcp open VeritasBackupExec
6103/tcp open RETS-or-BackupExec
6105/tcp open isdninfo
6106/tcp open isdninfo
6110/tcp open softcm
6112/tcp open dtspc
6142/tcp open aspentec-lm
6143/tcp open watershed-lm
6145/tcp open statsci2-lm
6146/tcp open lonewolf-lm
6147/tcp open montage-lm
6148/tcp open ricardo-lm
9090/tcp open zeus-admin
9100/tcp open jetdirect
9152/tcp open ms-sql2000
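
An added example, not part of the original thread: the open ports in the scan line up with Cisco IOS reverse-connection listeners (TCP port = base + absolute tty line number), which is why the reply points at the tty lines. The Python sketch below maps nmap rows back to line numbers so the lines that need "transport input none" can be listed; the base table is documented IOS behaviour rather than something stated in the post, and `MAX_LINE` and the sample rows are assumptions.

```python
import re

# Cisco IOS reverse-connection listeners: TCP port = base + absolute line number.
# Documented IOS behaviour, not something stated in the thread.
BASES = {2000: "telnet", 4000: "raw TCP", 6000: "binary telnet", 9000: "Xremote"}
MAX_LINE = 200  # assumption: highest tty line number on the box; adjust per platform

PORT_RE = re.compile(r"^\s*(\d+)/tcp\s+open\b")

# Constructed sample: a few rows from the scan in the post plus 22 and 23.
SAMPLE = """\
22/tcp   open ssh
23/tcp   open telnet
2001/tcp open dc
2003/tcp open cfingerd
4008/tcp open netcheque
6001/tcp open X11:1
6003/tcp open X11:3
6148/tcp open ricardo-lm
9152/tcp open ms-sql2000
"""

def classify(port, max_line=MAX_LINE):
    """Return (protocol, line_number) if the port maps to a tty line, else None."""
    for base, proto in BASES.items():
        line = port - base
        if 1 <= line <= max_line:
            return proto, line
    return None

def audit(nmap_text, max_line=MAX_LINE):
    """Split open ports into tty-line listeners and everything else."""
    exposed, other = {}, []
    for row in nmap_text.splitlines():
        m = PORT_RE.match(row)
        if not m:
            continue
        port = int(m.group(1))
        hit = classify(port, max_line)
        if hit:
            exposed.setdefault(hit[1], set()).add(hit[0])
        else:
            other.append(port)
    return exposed, other

if __name__ == "__main__":
    exposed, other = audit(SAMPLE)
    for line in sorted(exposed):
        print(f"tty line {line}: {', '.join(sorted(exposed[line]))} listener open")
    print("not tty-line ports:", other)
```

Rerunning the scan after the change and feeding it through `audit` should leave the first result empty, with only the management ports in the second.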