Re: Unknow process listening on high port

Subject: Re: Unknow process listening on high port
Date: Tue, 25 Oct 2005 17:45:33 +0100
First thing I would check is if any traffic is going to them with tcpdump or 
snoop. I would also take a look at your system around the port, as I have seen 
trojans that are port independent and usually replace the original binary or a 
piece of code.

Not sure if these are personal or corporate systems, but there should be some 
tool you could run that checks the system for unwanted software.
 

-----Original Message-----
From: Shawn Badger <sbadger@cskauto.com>
To: security-basics@securityfocus.com <security-basics@securityfocus.com>
Sent: Tue Oct 25 14:33:16 2005
Subject: Unknow process listening on high port

I have been auditing a couple of my Suse enterprise 9 servers and have
come across a different port on each of them that doesn't show up when I
use lsof, but shows up in nmap and netstat. The ports are 39207/tcp on
one server and 49751/tcp on the other. When I do lsof -i -n and grep it
for the proper port I get no output. When I do netstat -ap I get an
output, but the pid shows up as -. I haven't seen a process show up as a
- before and don't know where to start looking for that process. Here is the
output of the netstat:

server1:~# netstat -ap |grep 39207
tcp        0      0 *:39207                 *:*                     LISTEN -

I get the same results on the other server as well. Any ideas would be
appreciated.
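
Added example (not part of the original thread): netstat -p attributes a socket to a process by finding the socket's inode among the /proc/<pid>/fd links, and a listener whose inode no visible process holds is printed with "-" as its PID. The sketch below repeats that lookup for IPv4 listeners so the unowned ports can be listed directly; it assumes a Linux /proc layout and root privileges, and SAMPLE is constructed data, not output from the poster's servers.

```python
import glob
import os
import re

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (0x0016 = 22, 0x9927 = 39207).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1
   1: 00000000:9927 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6001 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 7000 1
"""

def parse_listeners(proc_net_tcp_text):
    """Return [(port, inode)] for every LISTEN row of /proc/net/tcp text."""
    rows = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        rows.append((port, int(fields[9])))          # field 9 is the socket inode
    return rows

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs that hold a file descriptor on it."""
    owners = {}
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(fd)
        except OSError:
            continue  # process exited, or fd not readable without root
        match = re.fullmatch(r"socket:\[(\d+)\]", target)
        if match:
            pid = int(fd.split(os.sep)[-3])
            owners.setdefault(int(match.group(1)), set()).add(pid)
    return owners

def unowned_listeners(proc_net_tcp_text, owners):
    """Listening ports whose inode is held by no visible process."""
    return sorted(p for p, inode in parse_listeners(proc_net_tcp_text)
                  if inode not in owners)

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        for port in unowned_listeners(f.read(), socket_owners()):
            print(f"tcp/{port}: LISTEN, no owning process visible in /proc")
```

Run it as root on the affected host; without root, other users' fd directories are unreadable and their sockets will be reported as unowned.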





