Re: Unknow process listening on high port

["Adam" <adam () shomecom com>]

you could try the following...

   lsof -Pan -i tcp -i udp | more

that lsof command listed above will give you a nicely formatted output of 
Command, Process ID, User, TCP/UDP, & Portnumber that it is listening on. 
I hope this helps you obtain the information you are looking for

--

Adam Ossenford
Linux Administrator
----- Original Message ----- 
From: "Justin" <justinvinn () gmail com>
To: "Shawn Badger" <sbadger () cskauto com>
Cc: <security-basics () securityfocus com>
Sent: Friday, October 28, 2005 11:54 AM
Subject: Re: Unknow process listening on high port


Shawn,

netstat reports a '-' for the PID becuase it does not know whats
listening on that port. It appears from your shell output that you
issued netstat as root, and thus should have gotten that PID. However,
its not uncommon to run across this.

You say that nmap reported these ports as open? Did you try and use
-sV for nmap to do a version scan and see what it is? I'd go and
download nmap 3.90 from insecure.org and do a version scan against
those services. (something like:    `nmap -sS -sV -p0- -oN scan-log
127.0.0.1' should do nicley).  You might also see if THC's amap has
any idea what these services are.

Did you scan the system with chkrootkit or rkhunter to see if there
were any trojans and the like?

BTW, I'm just guessing but, 39207 looks to be an RPC port to me. Try
`rpcinfo -p 127.0.0.1' and see if it shows up.

GL, and I hope that it all turns out okay for you.

peace,
--Justin
On 10/26/05, Shawn Badger <sbadger () cskauto com> wrote:
> Fuser says the port is here, but gives no more information. I have ran
> chkrootkit on the servers and fortunately they both came back clean. I
> have also started watching traffic on the ports in question and noticed
> every so often that and pulls a couple test web pages. This is part of
> the High availability service and just using that high port to connect
> to the other server. I am not seeing any connections coming into the
> port in 24 hours of monitoring. I will keep monitoring and see what I
> find. Does anyone know why netstat reports a - for the pid though?
>
>
>
> On Tue, 2005-10-25 at 16:26 -0500, Bob Hacker wrote:
> > fuser -v -n tcp 39207
> >
> > -bob
> >
> >
> >
> > On 10/25/05, Shawn Badger <sbadger () cskauto com> wrote:
> >         I have been auditing a couple of my Suse enterprise 9 servers
> >         and have
> >         come across a different port on each of them that doesn't show
> >         up when I
> >         use lsof, but show up in nmap and netstat. The ports are
> >         39207/tcp on
> >         one server and 49751/tcp on the other. When I do lsof -i -n
> >         and grep it
> >         for the proper port I get no output. When I do netstat -ap I
> >         get an
> >         output, but the pid shows up as -. I haven't seen a process
> >         show up as a
> >         - before and don't where to start looking for that process.
> >         Here is the
> >         output of the netstat:
> >         server1:~# netstat -ap |grep 39207
> >
> >         tcp        0      0 *:39207                 *:*
> >         LISTEN -
> >
> >
> >         I get the same results on the other server as well Any ideas
> >         would be
> >         appreciated.
> >
> >
> >
> >