Security Basics mailing list archives

Re: Unknown process listening on high port


From: <Steve.Cummings () barclayscapital com>
Date: Tue, 25 Oct 2005 17:45:33 +0100

First thing I would check is if any traffic is going to them with tcpdump or snoop. I would also take a look at your
system around the port, as I have seen trojans that are port independent and usually replace the original binary or a
piece of code.

Not sure if these are personal or corporate systems, but there should be some tool you could run that checks the system
for unwanted software.
 

-----Original Message-----
From: Shawn Badger <sbadger () cskauto com>
To: security-basics () securityfocus com <security-basics () securityfocus com>
Sent: Tue Oct 25 14:33:16 2005
Subject: Unknown process listening on high port

I have been auditing a couple of my Suse enterprise 9 servers and have
come across a different port on each of them that doesn't show up when I
use lsof, but shows up in nmap and netstat. The ports are 39207/tcp on
one server and 49751/tcp on the other. When I do lsof -i -n and grep it
for the proper port I get no output. When I do netstat -ap I get an
output, but the pid shows up as -. I haven't seen a process show up as a
- before and don't know where to start looking for that process. Here is the
output of the netstat:
server1:~# netstat -ap |grep 39207
tcp        0      0 *:39207                 *:*                     LISTEN -


I get the same results on the other server as well. Any ideas would be
appreciated.






------------------------------------------------------------------------
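
Added example, not part of either message above: netstat -p prints "-" when it cannot find a listening socket's inode in any /proc/<pid>/fd table, and this Python sketch makes the same cross-check directly from /proc so the unowned listeners can be listed. The function names and the sample table (with port 39207 and invented inode numbers) are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/net/tcp format: sshd on 22 and the listener on 39207.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1 0000000000000000 100 0 0 10 0
   1: 00000000:9927 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7731 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 5544 1 0000000000000000 100 0 0 10 0
"""

def listening_sockets(tcp_table):
    """Return {port: inode} for rows in LISTEN state (st == 0A)."""
    result = {}
    for line in tcp_table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # port is hex after the last colon
        result[port] = int(f[9])                # tenth column is the socket inode
    return result

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs by reading every /proc/<pid>/fd link."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not running as root
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners

def unowned_listeners(tcp_table, owners):
    """Ports that are listening but whose inode no process holds open."""
    return sorted(p for p, ino in listening_sockets(tcp_table).items() if ino not in owners)

if __name__ == "__main__":
    print(unowned_listeners(SAMPLE_TCP, {5120: {812}}))  # constructed owner map
    if os.path.exists("/proc/net/tcp"):  # live check; run as root for full coverage
        print(unowned_listeners(open("/proc/net/tcp").read(), socket_owners()))
```

Run it as root, since an unprivileged user cannot read other users' fd tables and every such socket would look unowned; /proc/net/tcp6 uses the same column layout for IPv6 listeners.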

