Xinetd problem, please help :(

sh4ka

I saw the server report today and there is a new port open

113/tcp open auth


[email protected] [~]# fuser -v 113/tcp

USER PID ACCESS COMMAND
113/tcp root 1969 f.... xinetd

[email protected] [~]# ps -aux | grep "xinetd"
root 1969 0.0 0.0 2136 912 ? S 08:41 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid

I killed all the xinetd processes, restarted xinetd, and also rebooted the box, and the port is still there.
I have a few cPanel servers and I have never seen this port open. Can anyone tell me what that port is and how to close it? I am using RH Ent. 3.

Thanks!

PS: this unusual port appeared today after a kiddie using a script attacked one of the php-nuke websites I host on the server.
 

dave9000

Port 113 is the identd port that is used mostly for computer identification for IRC servers.
I would check your box over carefully for a running IRC server and any more open ports that were not there before. Also run rkhunter and see if it reports any issues.
 

chirpy

You need to edit /etc/xinetd.d/auth and change the disable line to:

disable = yes

then restart xinetd:

service xinetd restart
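
To audit every service definition rather than only `auth`, the following added example (not part of the thread) lists the xinetd services that are still enabled, so an unexpected listener such as 113/tcp shows up by name. The function name `xinetd_enabled_services` is hypothetical, and the script assumes the usual one-file-per-service layout under /etc/xinetd.d; it treats a service block with no `disable` line as enabled and does not read the `disabled` list in /etc/xinetd.conf.

```sh
#!/bin/sh
# Added example: list xinetd services that are NOT disabled.
# Usage: sh xinetd-audit.sh [config-dir]   (default: /etc/xinetd.d)

# Print the name of every enabled service found in the given directory.
xinetd_enabled_services() {
    dir="${1:-/etc/xinetd.d}"
    for f in "$dir"/*; do
        # Skip anything that is not a regular file (also covers an empty dir).
        [ -f "$f" ] || continue
        awk '
            # Ignore comment lines, including a commented-out "disable" line.
            /^[ \t]*#/ { next }

            # "service <name>" opens a new block; assume enabled until told otherwise.
            $1 == "service" { name = $2; disabled = 0; inblock = 1; next }

            # Accept "disable = yes", "disable=yes" and any letter case.
            inblock && /^[ \t]*disable[ \t]*=/ {
                split($0, kv, "=")
                v = kv[2]
                gsub(/[ \t]/, "", v)
                disabled = (tolower(v) == "yes")
            }

            # Closing brace ends the block: report it if it was left enabled.
            inblock && $1 == "}" {
                if (!disabled) print name
                inblock = 0
            }
        ' "$f"
    done
}

# When run as a script, audit the directory given as the first argument.
xinetd_enabled_services "${1:-/etc/xinetd.d}"
```

Any name it prints that you do not recognise is a candidate for `disable = yes` followed by `service xinetd restart`.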