NetWorker does scan networks, but I've never figured out for what (because I've
never looked). Download Ethereal from www.ethereal.com and use that to check
what traffic is going through. Snooping the NICs from Solaris when no backups
are running will let you know what scanning traffic is going out, though I'd
recommend you try to do this from the console to avoid any other network
traffic while doing this. Otherwise, depending on the system at the other end,
it may be simplest to trace packets coming from the NetWorker server from this
side (Winpcap comes with Ethereal which will do packet capture on a Windows
box, snoop on Solaris, iptrace on AIX etc.). Use Ethereal to look at the
resulting logfile afterwards and watch what traffic is going back and forth
inside these packets.
>From what I remember, these were UDP rather than TCP packets. Might be best
>to scan just for these. The man pages will give you more info on how to do
>this.
Cheers,
Stuart.
________________________________
From: EMC NetWorker discussion on behalf of Stan Horwitz
Sent: Fri 17-Nov-06 05:28
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: [Networker] Strange portmap situation
This question pertains to the NetWorker 7.2.1 server that I run on
Sun Solaris 9.
One of my colleagues informed me that one of his systems is receiving
connection attempts from both IP addresses (dual network cards) from
my NetWorker server, yet this particular system is not a NetWorker
client.
His log shows activity such as
Nov 16 17:59:40 temp1 portmap[7393]: connect from x.y.z.1 to callit
(390109): request from unauthorized host
Nov 16 17:59:40 temp1 portmap[7394]: connect from x.y.z.2 to callit
(390109): request from unauthorized host
Nov 16 17:59:40 temp1 portmap[7395]: connect from x.y.z.1 to callit
(390109): request from unauthorized host
Nov 16 17:59:40 temp1 portmap[7396]: connect from x.y.z.2 to callit
(390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7397]: connect from x.y.z.1 to callit
(390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7398]: connect from x.y.z.2 to callit
(390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7399]: connect from x.y.z.1 to callit
(390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7400]: connect from x.y.z.2 to callit
(390109): request from unauthorized host
Both this workstation and the NetWorker server are on the same subnet.
From what I can gather, it looks like NetWorker is port scanning to
look for the usual NetWorker client RPC ports.
But why is my NetWorker server scanning this particular system at
all, and why is it looking at ports that NetWorker
does not use, or is it?
How do I stop this scanning from happening?
I tried to research this info via google and EMC's web site, but all
I could find was on Google and that told me
there might be a security issue, but I suspect what is actually
happening is the result of some misconfiguration,
but finding the cause of this problem eludes me. Otherwise, this
NetWorker server is working quite well.
If anyone has any suggestions on how I can troubleshoot this, please
let me know.
To sign off this list, send email to listserv AT listserv.temple DOT edu and
type "signoff networker" in the
body of the email. Please write to networker-request AT listserv.temple DOT edu
if you have any problems
wit this list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
To sign off this list, send email to listserv AT listserv.temple DOT edu and
type "signoff networker" in the
body of the email. Please write to networker-request AT listserv.temple DOT edu
if you have any problems
wit this list. You can access the archives at
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
|