Kevin Brannen wrote:
Markus Gerke wrote:
Dear list!
I encountered a strange behaviour of my 9.1 installation. The system is listening on TCP ports (for example 1024, 996), but I don't know which processes are assigned to them, and I did not start a service.
...
That is OK, but after approx. 10 min. an additional port is open:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:1024                  *:*                     LISTEN      -
...
There is no process assigned to 1024.
I checked the system with chkrootkit and rkhunter, both negative. Do you know this behaviour? Is this a backdoor?
...
lsof is your friend in cases like this (install it if it didn't get installed by default). Try:
lsof -Pn -i TCP:1024
Read the man page for it, it's a very useful command. :-)
HTH, Kevin
I got the hint that these ports may be assigned by the portmapper ... that's it (rpcinfo -p)...
But: I still wonder why it uses "reserved" ports (according to /etc/services)...
Thanks for your help!
Markus
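Added example, not part of the original thread: a shell sketch of the cross-check the thread arrives at, matching listening TCP ports that netstat shows without a PID against the portmapper's registrations from rpcinfo -p. Both inputs below are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format of `netstat -tlnp` (not from a real host).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2211/sshd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1802/portmap
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:996 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8765 0.0.0.0:* LISTEN -'

# Constructed sample in the format of `rpcinfo -p`.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   tcp   1024  status
    100021    1   tcp    996  nlockmgr
    100021    1   udp   1021  nlockmgr'

# ownerless_ports NETSTAT: print each TCP port in LISTEN state whose
# PID/Program column is "-" (no owning process visible to netstat).
ownerless_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 == "-" {
        n = split($4, a, ":"); print a[n] }'
}

# classify_ports NETSTAT RPCINFO: for each ownerless port print
# "<port> rpc:<service>" when the portmapper lists a TCP registration
# on that port, otherwise "<port> UNEXPLAINED" (needs a closer look).
classify_ports() {
    for port in $(ownerless_ports "$1"); do
        svc=$(printf '%s\n' "$2" | awk -v p="$port" \
            '$3 == "tcp" && $4 == p { print ($5 == "" ? "prog-" $1 : $5); exit }')
        if [ -n "$svc" ]; then
            echo "$port rpc:$svc"
        else
            echo "$port UNEXPLAINED"
        fi
    done
}

classify_ports "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

On a live host the same function can be fed real output, run as root so that netstat can see every process: classify_ports "$(netstat -tlnp 2>/dev/null)" "$(rpcinfo -p)".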