strange: Open Ports, not owned by processes, SuSe 9.1
Dear list!

I encountered a strange behaviour of my 9.1-Installation. The system is listening to TCP-ports (for example 1024, 996) but I don't know which processes are assigned to it and I did not start a service.

Here is the netstat -atp output right after boot (runlevel 3):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 *:967                    *:*               LISTEN   4602/ypbind
tcp        0      0 ipi230.ipi.:netbios-ssn  *:*               LISTEN   5260/smbd
tcp        0      0 *:sunrpc                 *:*               LISTEN   4403/portmap
tcp        0      0 ipi230.ipi:microsoft-ds  *:*               LISTEN   5260/smbd
tcp        0      0 *:ssh                    *:*               LISTEN   4576/sshd

That is OK, but after approx. 10 min. an additional port is open:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 *:1024                   *:*               LISTEN   -
tcp        0      0 *:967                    *:*               LISTEN   4602/ypbind
tcp        0      0 ipi230.ipi.:netbios-ssn  *:*               LISTEN   5260/smbd
tcp        0      0 *:sunrpc                 *:*               LISTEN   4403/portmap
tcp        0      0 ipi230.ipi:microsoft-ds  *:*               LISTEN   5260/smbd
tcp        0      0 *:ssh                    *:*               LISTEN   4576/sshd

There is no process assigned to 1024.

I checked the system with chkrootkit and rkhunter, both negative. Do you know this behaviour? Is this a backdoor?

Before I encountered this problem the system was permanently running in runlevel 5, also running CUPS. Perhaps this has something to do with the vulnerability solved with the patch from Sept. 15?

Regards, Markus
Markus Gerke wrote:
Dear list!
I encountered a strange behaviour of my 9.1-Installation. The system is listening to TCP-ports (for example 1024, 996) but I don't know which processes are assigned to it and I did not start a service.
Here is the netstat -atp output right after boot (runlevel 3):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 *:967                    *:*               LISTEN   4602/ypbind
tcp        0      0 ipi230.ipi.:netbios-ssn  *:*               LISTEN   5260/smbd
tcp        0      0 *:sunrpc                 *:*               LISTEN   4403/portmap
tcp        0      0 ipi230.ipi:microsoft-ds  *:*               LISTEN   5260/smbd
tcp        0      0 *:ssh                    *:*               LISTEN   4576/sshd

That is OK, but after approx. 10 min. an additional port is open:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 *:1024                   *:*               LISTEN   -
tcp        0      0 *:967                    *:*               LISTEN   4602/ypbind
tcp        0      0 ipi230.ipi.:netbios-ssn  *:*               LISTEN   5260/smbd
tcp        0      0 *:sunrpc                 *:*               LISTEN   4403/portmap
tcp        0      0 ipi230.ipi:microsoft-ds  *:*               LISTEN   5260/smbd
tcp        0      0 *:ssh                    *:*               LISTEN   4576/sshd
There is no process assigned to 1024.
I checked the system with chkrootkit and rkhunter, both negative. Do you know this behaviour? Is this a backdoor?
Before I encountered this problem the system was permanently running in runlevel 5, also running CUPS. Perhaps this has something to do with the vulnerability solved with the patch from Sept. 15?
Try running `lsof | grep LISTEN`. It's basically the same as the netstat, but starting from the other direction.
Markus Gerke wrote:
Dear list!
I encountered a strange behaviour of my 9.1-Installation. The system is listening to TCP-ports (for example 1024, 996) but I don't know which processes are assigned to it and I did not start a service.
...
That is OK, but after approx. 10 min. an additional port is open:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 *:1024                   *:*               LISTEN   -
...
There is no process assigned to 1024.
I checked the system with chkrootkit and rkhunter, both negative. Do you know this behaviour? Is this a backdoor?
...

lsof is your friend in cases like this (install it if it didn't get installed by default). Try:

lsof -Pn -i TCP:1024

Read the man page for it, it's a very useful command. :-)

HTH, Kevin
Kevin Brannen wrote:
Markus Gerke wrote:
Dear list!
I encountered a strange behaviour of my 9.1-Installation. The system is listening to TCP-ports (for example 1024, 996) but I don't know which processes are assigned to it and I did not start a service.
...
That is OK, but after approx. 10 min. an additional port is open:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address            Foreign Address   State    PID/Program name
tcp        0      0 *:1024                   *:*               LISTEN   -
...
There is no process assigned to 1024.
I checked the system with chkrootkit and rkhunter, both negative. Do you know this behaviour? Is this a backdoor?
...
lsof is your friend in cases like this (install it if it didn't get installed by default). Try:
lsof -Pn -i TCP:1024
Read the man page for it, it's a very useful command. :-)
HTH, Kevin
I got the hint that these ports may be assigned by the portmapper ... that's it (rpcinfo -p)... But: I still wonder why it uses "reserved" ports (according to /etc/services)... Thanks for your help! Markus
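The check that resolves this thread, combining Kevin's lsof/netstat advice with the rpcinfo -p hint, written up as an added example (not code from either poster): it takes netstat -atpn and rpcinfo -p output and reports every TCP listener with no owning PID, naming the RPC program registered on that port or marking it UNEXPLAINED. Both inputs below are constructed samples modelled on the thread; the statd registration on tcp/1024 is hypothetical.

```shell
#!/bin/sh
# Added example: correlate unowned LISTEN sockets (PID column "-") with the
# RPC registrations the portmapper reports. On a live system run:
#   explain_unowned "$(netstat -atpn)" "$(rpcinfo -p)"

# Constructed netstat -atpn sample (numeric ports, so they match rpcinfo).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:1024   0.0.0.0:*        LISTEN  -
tcp        0      0 0.0.0.0:967    0.0.0.0:*        LISTEN  4602/ypbind
tcp        0      0 0.0.0.0:111    0.0.0.0:*        LISTEN  4403/portmap
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  4576/sshd
tcp        0      0 0.0.0.0:6000   0.0.0.0:*        LISTEN  -'

# Constructed rpcinfo -p sample (hypothetical: status/statd on tcp/1024).
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100007    2   tcp    967  ypbind
    100024    1   tcp   1024  status'

# $1 = netstat -atpn output, $2 = rpcinfo -p output.
# Prints "<port> <rpc program>" for each unowned TCP listener whose port is
# registered with the portmapper, "<port> UNEXPLAINED" otherwise.
explain_unowned() {
    { printf '%s\n' "$2"; echo '__NETSTAT__'; printf '%s\n' "$1"; } | awk '
        /^__NETSTAT__$/ { in_ns = 1; next }
        # rpcinfo section: remember program name per numeric TCP port
        !in_ns && $3 == "tcp" && $4 ~ /^[0-9]+$/ { rpc[$4] = $5; next }
        # netstat section: LISTEN rows whose PID/Program column is "-"
        in_ns && $1 == "tcp" && $6 == "LISTEN" && $7 == "-" {
            n = split($4, a, ":"); port = a[n]
            print port, ((port in rpc) ? rpc[port] : "UNEXPLAINED")
        }'
}

explain_unowned "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

netstat -p and lsof only show the owner of another user's socket when run as root, and sockets held by in-kernel RPC services (such as the NFS lock daemon) show no PID even then, so run both as root and treat only ports that are neither owned nor RPC-registered as worth a closer look.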
participants (3)
- Kevin Brannen
- Markus Gerke
- suse@rio.vg