which process bind some port

From: Nakamura (eiji@pfu.fujitsu.com)
Date: 08/22/02


Date: Thu, 22 Aug 2002 16:13:09 +0900
From: Nakamura <eiji@pfu.fujitsu.com>
To: focus-sun@securityfocus.com


I'm using Solaris 8 on a Netra T1, and for security I kill all processes
except the required ones.

But netstat -an shows a "BOUND" state, as follows.
I think this means the local address (port) is bound but not listening.

NetraT1$ netstat -an

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0 24576      0 IDLE
      *.21                 *.*                0      0 24576      0 LISTEN
      *.23                 *.*                0      0 24576      0 LISTEN
      *.1009               *.*                0      0 24576      0 BOUND
      ........
      ........

And the "ps" command shows the following.

NetraT1$ ps -ecl
 F S UID PID PPID CLS PRI ADDR SZ WCHAN TTY TIME CMD
19 T 0 0 0 SYS 96 ? 0 ? 0:12 sched
 8 S 0 1 0 TS 59 ? 101 ? ? 0:10 init
19 S 0 2 0 SYS 98 ? 0 ? ? 0:00 pageout
19 S 0 3 0 SYS 60 ? 0 ? ? 96:43 fsflush
 8 S 0 206 1 TS 59 ? 224 ? ? 0:00 sac
 8 S 0 209 206 TS 58 ? 224 ? ? 0:00 ttymon
 8 S 0 207 1 TS 52 ? 224 ? console 0:00 ttymon
 8 S 0 48 1 TS 51 ? 212 ? ? 0:00 sysevent
 8 S 0 50 1 TS 50 ? 188 ? ? 0:00 sysevent
 8 S 0 128 1 TS 48 ? 226 ? ? 0:00 inetd
 8 S 0 152 1 TS 52 ? 4728 ? ? 1:03 nscd
 8 S 0 18846 1 TS 58 ? 459 ? ? 0:21 syslogd
 8 S 0 20343 1 TS 59 ? 331 ? ? 1:49 ntpd
 8 O 101 2626 2617 TS 52 ? 240 pts/1 0:00 ps
 8 S 0 20544 1 TS 48 ? 245 ? ? 0:01 cron
 8 S 0 20811 1 TS 58 ? 498 ? ? 0:08 sendmail
 8 S 0 8967 1 TS 48 ? 330 ? ? 0:00 sshd
 8 R 101 2617 2615 TS 42 ? 257 pts/1 0:00 ksh
 8 S 0 2615 128 TS 38 ? 227 ? ? 0:00 in.telne

And the number of this bound port is changing!
Port 1016 was bound some days ago.

On other machines, different ports are bound.

another NetraT1% netstat -an
      ....
      *.1010 *.* 0 0 24576 0 BOUND

other NetraT1% netstat -an
      ....
      *.1012 *.* 0 0 24576 0 BOUND

lsof can't tell which process opened the port.

Does anyone know which process has bound these ports (1009, 1010, 1012)?

thanks in advance.
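
The changing BOUND port described above can be tracked by comparing saved `netstat -an` snapshots. The shell functions below are an added example, not part of the original post; the function names and the sample snapshots are constructed for illustration, and the script reports port changes only, not the owning process.

```shell
#!/bin/sh
# Added example: track which TCP ports sit in a given state (e.g. BOUND)
# across saved `netstat -an` snapshots in the Solaris layout shown above.
# On Solaris itself, run the awk part with nawk or /usr/xpg4/bin/awk.

# ports_in_state STATE: netstat -an text on stdin, one local port per line.
ports_in_state() {
    awk -v want="$1" '
        /^TCP/               { in_tcp = 1; next }   # TCP section header
        /^(UDP|SCTP|Active)/ { in_tcp = 0; next }   # any other section
        in_tcp && NF >= 7 && $7 == want {
            n = split($1, part, ".")                # "*.1009" -> port 1009
            if (part[n] ~ /^[0-9]+$/) print part[n]
        }' | sort -u
}

# changed_ports STATE OLD_FILE NEW_FILE
# Prints "-port" for a port no longer in STATE, "+port" for one newly in STATE.
changed_ports() {
    old_ports=$(ports_in_state "$1" < "$2")
    new_ports=$(ports_in_state "$1" < "$3")
    for p in $old_ports; do
        printf '%s\n' "$new_ports" | grep -qx "$p" || printf '%s\n' "-$p"
    done
    for p in $new_ports; do
        printf '%s\n' "$old_ports" | grep -qx "$p" || printf '%s\n' "+$p"
    done
}

# Constructed sample snapshot modelled on the output in the post.
snapshot() {   # snapshot BOUND_PORT
    cat <<EOF
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.*                  *.*                0      0 24576      0 IDLE
      *.21                 *.*                0      0 24576      0 LISTEN
      *.23                 *.*                0      0 24576      0 LISTEN
      *.$1                 *.*                0      0 24576      0 BOUND
EOF
}

# Demo: the bound port moved from 1016 to 1009 between two snapshots.
dir=${TMPDIR:-/tmp}
snapshot 1016 > "$dir/netstat.old.$$"
snapshot 1009 > "$dir/netstat.new.$$"
changed_ports BOUND "$dir/netstat.old.$$" "$dir/netstat.new.$$"
rm -f "$dir/netstat.old.$$" "$dir/netstat.new.$$"
```

Run from cron against real `netstat -an` output saved to dated files, this gives a record of when the bound port changes that can be lined up with syslog and process start times.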
