Markus Gerke wrote:
Dear list!
I encountered a strange behaviour of my 9.1-Installation. The system is listening to TCP-ports (for example 1024, 996) but I don't know which processes are assigned to it and I did not start a service.
Here is the netstat -atp output right after boot (runlevel 3):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:967                   *:*                     LISTEN      4602/ypbind
tcp        0      0 ipi230.ipi.:netbios-ssn *:*                     LISTEN      5260/smbd
tcp        0      0 *:sunrpc                *:*                     LISTEN      4403/portmap
tcp        0      0 ipi230.ipi:microsoft-ds *:*                     LISTEN      5260/smbd
tcp        0      0 *:ssh                   *:*                     LISTEN      4576/sshd
That is OK, but after approx. 10 min. an additional port is open:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:1024                  *:*                     LISTEN      -
tcp        0      0 *:967                   *:*                     LISTEN      4602/ypbind
tcp        0      0 ipi230.ipi.:netbios-ssn *:*                     LISTEN      5260/smbd
tcp        0      0 *:sunrpc                *:*                     LISTEN      4403/portmap
tcp        0      0 ipi230.ipi:microsoft-ds *:*                     LISTEN      5260/smbd
tcp        0      0 *:ssh                   *:*                     LISTEN      4576/sshd
There is no process assigned to 1024.
I checked the system with chkrootkit and rkhunter, both negative. Do you know this behaviour? Is this a backdoor?
Before I encountered this problem the system was permanently running in runlevel 5, also running CUPS. Perhaps this has something to do with the vulnerability solved with the patch from Sept. 15?
Try running `lsof | grep LISTEN`. It's basically the same as the netstat, but starting from the other direction.
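The cross-check that netstat -p and lsof both perform can be reproduced directly from /proc, which helps when the two tools disagree or are themselves not trusted. This is an added example, not part of the original thread: it lists LISTEN sockets from /proc/net/tcp and reports those whose inode is held by no visible process; the sample table and its inode numbers are constructed, and the function names are illustrative.

```python
import os
import re

# Constructed sample in /proc/net/tcp format; ports and PIDs mirror the netstat
# output in the post, inode numbers are made up for illustration.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0400 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7001 1 0000000000000000 100 0 0 10 0
   1: 00000000:03C7 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:8124 01 00000000:00000000 00:00000000 00000000     0        0 7004 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_OWNERS = {7002: (4602, "ypbind"), 7003: (4576, "sshd"), 7004: (4576, "sshd")}

def listening_sockets(text):
    """Return [(port, inode)] for every socket in LISTEN state (st == 0A)."""
    found = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            found.append((int(f[1].rsplit(":", 1)[1], 16), int(f[9])))
    return found

def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, command) by reading the /proc/<pid>/fd links."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                target = os.readlink(os.path.join(fd_dir, fd))
                m = re.fullmatch(r"socket:\[(\d+)\]", target)
                if m:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        owners[int(m.group(1))] = (int(pid), fh.read().strip())
        except OSError:
            continue    # process exited, or its fd directory is not readable
    return owners

def unowned_listeners(text, owners):
    """Listening ports whose socket inode no visible process holds."""
    return sorted(p for p, ino in listening_sockets(text) if ino not in owners)

if __name__ == "__main__":
    print("constructed sample:", unowned_listeners(SAMPLE_TCP, SAMPLE_OWNERS))
    with open("/proc/net/tcp") as fh:           # live check, Linux only
        print("this host:", unowned_listeners(fh.read(), socket_owners()))
```

Run the live check as root: without it, the fd directories of other users' processes are unreadable and their listeners are reported as unowned, the same way netstat prints "-".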