
Re: Unknow process listening on high port

Subject: Re: Unknow process listening on high port
Date: Fri, 28 Oct 2005 13:54:06 -0400
Shawn,

netstat reports a '-' for the PID because it does not know what's
listening on that port. It appears from your shell output that you
issued netstat as root, and thus should have gotten that PID. However,
it's not uncommon to run across this.

You say that nmap reported these ports as open? Did you try and use
-sV for nmap to do a version scan and see what it is? I'd go and
download nmap 3.90 from insecure.org and do a version scan against
those services. (something like: `nmap -sS -sV -p0- -oN scan-log
127.0.0.1' should do nicely). You might also see if THC's amap has
any idea what these services are.

Did you scan the system with chkrootkit or rkhunter to see if there
were any trojans and the like?

BTW, I'm just guessing but, 39207 looks to be an RPC port to me. Try
`rpcinfo -p 127.0.0.1' and see if it shows up.

GL, and I hope that it all turns out okay for you.

peace,
--Justin
On 10/26/05, Shawn Badger <sbadger@cskauto.com> wrote:
Fuser says the port is here, but gives no more information. I have run
chkrootkit on the servers and fortunately they both came back clean. I
have also started watching traffic on the ports in question and noticed
every so often that and pulls a couple test web pages. This is part of
the High availability service and just using that high port to connect
to the other server. I am not seeing any connections coming into the
port in 24 hours of monitoring. I will keep monitoring and see what I
find. Does anyone know why netstat reports a - for the pid though?



On Tue, 2005-10-25 at 16:26 -0500, Bob Hacker wrote:
fuser -v -n tcp 39207

-bob



On 10/25/05, Shawn Badger <sbadger@cskauto.com> wrote:
        I have been auditing a couple of my Suse enterprise 9 servers and have
        come across a different port on each of them that doesn't show up when I
        use lsof, but shows up in nmap and netstat. The ports are 39207/tcp on
        one server and 49751/tcp on the other. When I do lsof -i -n and grep it
        for the proper port I get no output. When I do netstat -ap I get an
        output, but the pid shows up as -. I haven't seen a process show up as a
        - before and don't know where to start looking for that process. Here is the
        output of the netstat:

        server1:~# netstat -ap |grep 39207
        tcp        0      0 *:39207                 *:*                     LISTEN -

        I get the same results on the other server as well. Any ideas would be
        appreciated.
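
The check behind the '-' question in this thread, as an added example that is not part of the original messages: it lists LISTEN sockets from /proc/net/tcp and matches each socket inode against the /proc/<pid>/fd links, so a port still unmatched when run as root has no process holding it open. The function names and the sample table are constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/net/tcp layout (not taken from the thread's servers).
# Ports are hex: 0x0016 = 22, 0x9927 = 39207. State 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4711 1
   1: 00000000:9927 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5120 1
   2: 0100007F:0016 0100007F:C001 01 00000000:00000000 00:00000000 00000000     0        0 4802 1
"""

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")

def parse_listeners(text):
    """Return [(port, inode)] for every row in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:  # first row is the column header
        fields = line.split()
        if len(fields) >= 10 and fields[3] == "0A":
            port = int(fields[1].rsplit(":", 1)[1], 16)
            listeners.append((port, int(fields[9])))
    return listeners

def inode_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs that hold a file descriptor on it."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not permitted (run as root)
            continue
        for fd in fds:
            try:
                match = SOCKET_LINK.fullmatch(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:  # descriptor closed while scanning
                continue
            if match:
                owners.setdefault(int(match.group(1)), set()).add(int(pid))
    return owners

def unowned_listeners(tcp_text, owners):
    """Ports in LISTEN state whose inode no process holds."""
    return sorted(p for p, inode in parse_listeners(tcp_text) if inode not in owners)

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:  # Linux only; IPv4 table
        print(unowned_listeners(f.read(), inode_owners()))
```

Run without root, other users' fd directories are unreadable and their ports will also appear in the output.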






