Networker

Re: [Networker] Strange portmap situation

2006-11-17 05:00:43
Subject: Re: [Networker] Strange portmap situation
From: Stuart Whitby <swhitby AT DATAPROTECTORS.CO DOT UK>
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Date: Fri, 17 Nov 2006 09:51:17 -0000
NetWorker does scan networks, but I've never figured out for what (because I've 
never looked).  Download Ethereal from www.ethereal.com and use that to check 
what traffic is going through.  Snooping the NICs from Solaris when no backups 
are running will let you know what scanning traffic is going out, though I'd 
recommend you try to do this from the console to avoid any other network 
traffic while doing this.  Otherwise, depending on the system at the other end, 
it may be simplest to trace packets coming from the NetWorker server from this 
side (Winpcap comes with Ethereal which will do packet capture on a Windows 
box, snoop on Solaris, iptrace on AIX etc.).  Use Ethereal to look at the 
resulting logfile afterwards and watch what traffic is going back and forth 
inside these packets.
 
From what I remember, these were UDP rather than TCP packets.  Might be best 
to scan just for these.  The man pages will give you more info on how to do 
this.
 
Cheers,
 
Stuart.

________________________________

From: EMC NetWorker discussion on behalf of Stan Horwitz
Sent: Fri 17-Nov-06 05:28
To: NETWORKER AT LISTSERV.TEMPLE DOT EDU
Subject: [Networker] Strange portmap situation



This question pertains to the NetWorker 7.2.1 server that I run on 
Sun Solaris 9.

One of my colleagues informed me that one of his systems is receiving 
connection attempts from both IP addresses (dual network cards) from 
my NetWorker server, yet this particular system is not a NetWorker 
client.

His log shows activity such as

Nov 16 17:59:40 temp1 portmap[7393]: connect from x.y.z.1 to callit (390109): request from unauthorized host
Nov 16 17:59:40 temp1 portmap[7394]: connect from x.y.z.2 to callit (390109): request from unauthorized host
Nov 16 17:59:40 temp1 portmap[7395]: connect from x.y.z.1 to callit (390109): request from unauthorized host
Nov 16 17:59:40 temp1 portmap[7396]: connect from x.y.z.2 to callit (390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7397]: connect from x.y.z.1  to callit (390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7398]: connect from x.y.z.2 to callit (390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7399]: connect from x.y.z.1 to callit (390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7400]: connect from x.y.z.2  to callit (390109): request from unauthorized host

Both this workstation and the NetWorker server are on the same subnet.

From what I can gather, it looks like NetWorker is port scanning to 
look for the usual NetWorker client RPC ports.
But why is my NetWorker server scanning this particular system at 
all, and why is it looking at ports that NetWorker
does not use, or is it?

How do I stop this scanning from happening?

I tried to research this info via google and EMC's web site, but all 
I could find was on Google and that told me
there might be a security issue, but I suspect what is actually 
happening is the result of some misconfiguration,
but finding the cause of this problem eludes me.  Otherwise, this 
NetWorker server is working quite well.

If anyone has any suggestions on how I can troubleshoot this, please 
let me know.

To sign off this list, send email to listserv AT listserv.temple DOT edu and 
type "signoff networker" in the
body of the email. Please write to networker-request AT listserv.temple DOT edu 
if you have any problems
with this list. You can access the archives at 
http://listserv.temple.edu/archives/networker.html or
via RSS at http://listserv.temple.edu/cgi-bin/wa?RSS&L=NETWORKER
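
An added example, not part of either message in this thread: a Python parser for portmap log lines in the format quoted in the original post, which counts refused requests per source address and RPC program number so the receiving side can see exactly which hosts are sending what. It also accepts records whose "(program)" tail has been wrapped onto the next line by a mail client. The sample lines are constructed in the post's format, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post (addresses masked as on
# the page); records are wrapped across two lines, as e-mail clients leave them.
SAMPLE = """\
Nov 16 17:59:40 temp1 portmap[7393]: connect from x.y.z.1 to callit
(390109): request from unauthorized host
Nov 16 17:59:40 temp1 portmap[7394]: connect from x.y.z.2 to callit
(390109): request from unauthorized host
Nov 16 17:59:43 temp1 portmap[7397]: connect from x.y.z.1  to callit
(390109): request from unauthorized host
Nov 16 17:59:44 temp1 sshd[811]: unrelated line
"""

RECORD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sportmap\[(?P<pid>\d+)\]:\s"
    r"connect from (?P<src>\S+)\s+to (?P<proc>\w+)\s*\((?P<prog>\d+)\)"
    r"(?::\s*(?P<reason>.*))?$"
)

def unwrap(text):
    """Rejoin records whose '(program)' tail was wrapped onto the next line."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith("(") and out:
            out[-1] = out[-1].rstrip() + " " + line.strip()
        elif line.strip():
            out.append(line)
    return out

def parse(text):
    """Return one dict per portmap 'connect from' record; skip other lines."""
    return [m.groupdict() for m in map(RECORD.match, unwrap(text)) if m]

def summarize(records):
    """Count refused requests per (source, procedure, RPC program number)."""
    return Counter(
        (r["src"], r["proc"], int(r["prog"]))
        for r in records
        if r["reason"] and "unauthorized" in r["reason"]
    )

if __name__ == "__main__":
    for (src, proc, prog), n in sorted(summarize(parse(SAMPLE)).items()):
        print(f"{src} -> {proc} for RPC program {prog}: {n} refused")
```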


