Security Basics mailing list archives

Re: Unknow process listening on high port


From: Shawn Badger <sbadger () cskauto com>
Date: Thu, 27 Oct 2005 07:44:46 -0700

Fuser says the port is here, but gives no more information. I have run
chkrootkit on the servers and fortunately they both came back clean. I
have also started watching traffic on the ports in question and noticed
every so often that and pulls a couple test web pages. This is part of
the High availability service and just using that high port to connect
to the other server. I am not seeing any connections coming into the
port in 24 hours of monitoring. I will keep monitoring and see what I
find. Does anyone know why netstat reports a - for the pid though?
        
        
        
On Tue, 2005-10-25 at 16:26 -0500, Bob Hacker wrote:
> fuser -v -n tcp 39207
>
> -bob
>
> On 10/25/05, Shawn Badger <sbadger () cskauto com> wrote:
> > I have been auditing a couple of my Suse enterprise 9 servers and
> > have come across a different port on each of them that doesn't show
> > up when I use lsof, but shows up in nmap and netstat. The ports are
> > 39207/tcp on one server and 49751/tcp on the other. When I do
> > lsof -i -n and grep it for the proper port I get no output. When I
> > do netstat -ap I get an output, but the pid shows up as -. I haven't
> > seen a process show up as a - before and don't know where to start
> > looking for that process. Here is the output of the netstat:
> >
> > server1:~# netstat -ap |grep 39207
> > tcp        0      0 *:39207                 *:*                     LISTEN -
> >
> > I get the same results on the other server as well. Any ideas would
> > be appreciated.
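
Added example, not part of the original thread: netstat fills its PID column by matching each socket's inode against the /proc/<pid>/fd symlinks, so the Python below repeats that lookup for listening sockets in /proc/net/tcp and lists the ports that no process holds open (the ones netstat shows as "-"). The sample table, the PID 812 and all function names are constructed for illustration; run it as root, because other users' fd directories are unreadable otherwise and their sockets would look unowned too.

```python
import os
import re

# Constructed sample in /proc/net/tcp layout (0x9927 = 39207, 0x0016 = 22).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:9927 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7001 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 7002 1
"""

def listening_sockets(table):
    """Return {port: inode} for rows in state 0A (TCP LISTEN)."""
    found = {}
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            found[int(f[1].rsplit(":", 1)[1], 16)] = int(f[9])
    return found

def inode_owners(proc="/proc"):
    """Map socket inode -> set of PIDs, from the /proc/<pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                          # process exited, or not root
            continue
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
            except OSError:                      # fd closed while scanning
                continue
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners

def unowned_listeners(table, owners):
    """Ports that are listening but whose socket inode no process has open."""
    return sorted(p for p, ino in listening_sockets(table).items() if not owners.get(ino))

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")       # IPv4 table only; tcp6 is separate
    table = open("/proc/net/tcp").read() if live else SAMPLE
    owners = inode_owners() if live else {7001: {812}}   # constructed fallback
    for port in unowned_listeners(table, owners):
        print("tcp/%d is LISTENing with no owning PID" % port)
```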
        
        

