Security Basics mailing list archives

Re: Unknown process listening on high port


From: Shawn Badger <sbadger () cskauto com>
Date: Fri, 28 Oct 2005 11:22:26 -0700

I have run chkrootkit and found nothing to indicate the box has been
compromised. Nmap failed to give any more information, but rpcinfo gave
me something more to look at. Here is the output for the command you
gave me:
Server1:/ #  rpcinfo -p 127.0.0.1
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32828  status
    100021    1   udp  32828  nlockmgr
    100021    3   udp  32828  nlockmgr
    100021    4   udp  32828  nlockmgr
    100024    1   tcp  39207  status
    100021    1   tcp  39207  nlockmgr
    100021    3   tcp  39207  nlockmgr
    100021    4   tcp  39207  nlockmgr

It looks like that is it!

Thanks everybody for all of your help with this problem.



On Fri, 2005-10-28 at 13:54 -0400, Justin wrote:
Shawn,

netstat reports a '-' for the PID because it does not know what's
listening on that port. It appears from your shell output that you
issued netstat as root, and thus should have gotten that PID. However,
it's not uncommon to run across this.

You say that nmap reported these ports as open? Did you try and use
-sV for nmap to do a version scan and see what it is? I'd go and
download nmap 3.90 from insecure.org and do a version scan against
those services. (something like:    `nmap -sS -sV -p0- -oN scan-log
127.0.0.1' should do nicely).  You might also see if THC's amap has
any idea what these services are.

Did you scan the system with chkrootkit or rkhunter to see if there
were any trojans and the like?

BTW, I'm just guessing but, 39207 looks to be an RPC port to me. Try
`rpcinfo -p 127.0.0.1' and see if it shows up.

GL, and I hope that it all turns out okay for you.

peace,
--Justin
On 10/26/05, Shawn Badger <sbadger () cskauto com> wrote:
Fuser says the port is here, but gives no more information. I have run
chkrootkit on the servers and fortunately they both came back clean. I
have also started watching traffic on the ports in question and noticed
every so often that it pulls a couple of test web pages. This is part of
the high availability service and is just using that high port to connect
to the other server. I am not seeing any connections coming into the
port in 24 hours of monitoring. I will keep monitoring and see what I
find. Does anyone know why netstat reports a '-' for the PID though?
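The check Justin suggests and Shawn carries out above (take the listeners netstat cannot attribute to a PID and look them up in the portmapper table) is easy to script. The following is an added example for this thread, not code posted by anyone in it. The rpcinfo table is the one Shawn posted; the netstat lines are constructed in the layout of `netstat -lntup` run as root, with '-' in the PID column for the kernel-owned RPC sockets, plus one constructed port that portmapper knows nothing about so the unexplained case is visible.

```python
"""Correlate netstat listeners that show '-' for the PID with the
portmapper registrations reported by `rpcinfo -p`.

Added example for this thread, not code from any poster. The rpcinfo
output is the table Shawn posted; the netstat lines are constructed
(formatted like `netstat -lntup` output) to show the '-' PID case.
"""
from collections import defaultdict

# rpcinfo -p output as posted in the thread.
RPCINFO_OUTPUT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32828  status
    100021    1   udp  32828  nlockmgr
    100021    3   udp  32828  nlockmgr
    100021    4   udp  32828  nlockmgr
    100024    1   tcp  39207  status
    100021    1   tcp  39207  nlockmgr
    100021    3   tcp  39207  nlockmgr
    100021    4   tcp  39207  nlockmgr
"""

# Constructed sample in the layout of `netstat -lntup` run as root.
# Kernel-owned RPC sockets (lockd) show '-' in the PID/Program column;
# port 45001 is a constructed listener with no portmapper registration.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/portmap
tcp        0      0 0.0.0.0:39207           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 0.0.0.0:45001           0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:32828           0.0.0.0:*                           -
"""


def parse_rpcinfo(text):
    """Return {(proto, port): set of RPC service names} from `rpcinfo -p` output."""
    registrations = defaultdict(set)
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        _program, _version, proto, port, name = parts[:5]
        registrations[(proto, int(port))].add(name)
    return registrations


def unknown_listeners(text):
    """Yield (proto, port) for netstat listeners whose PID/Program column is '-'."""
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[-1] != "-":
            continue
        proto, local_address = parts[0], parts[3]
        yield proto, int(local_address.rsplit(":", 1)[1])


def classify(netstat_text, rpcinfo_text):
    """Map each PID-less listener to the RPC services portmapper claims for it.

    An empty list means portmapper does not know the port: that socket still
    needs explaining by other means (fuser/lsof, or watching its traffic as
    Shawn did in the thread).
    """
    registrations = parse_rpcinfo(rpcinfo_text)
    return {
        (proto, port): sorted(registrations.get((proto, port), ()))
        for proto, port in unknown_listeners(netstat_text)
    }


if __name__ == "__main__":
    for (proto, port), names in sorted(classify(NETSTAT_OUTPUT, RPCINFO_OUTPUT).items()):
        verdict = "RPC: " + ", ".join(names) if names else "NOT registered with portmapper"
        print(f"{proto}/{port}: {verdict}")
```

On a live box the two strings would be replaced by the output of `rpcinfo -p 127.0.0.1` and `netstat -lntup`; a port that comes back with an empty list is the one worth spending time on, since the RPC explanation does not cover it.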




