Re: Unknow process listening on high port

From: Shawn Badger (sbadger_at_cskauto.com)
Date: 10/28/05

    To: Justin <justinvinn@gmail.com>
    Date: Fri, 28 Oct 2005 11:22:26 -0700


    I have run chkrootkit and found nothing to indicate the box has been
    compromised. Nmap failed to give any more information, but rpcinfo gave
    me something more to look at. Here is the output for the command you
    gave me:
    Server1:/ # rpcinfo -p 127.0.0.1
       program vers proto port
        100000 2 tcp 111 portmapper
        100000 2 udp 111 portmapper
        100024 1 udp 32828 status
        100021 1 udp 32828 nlockmgr
        100021 3 udp 32828 nlockmgr
        100021 4 udp 32828 nlockmgr
        100024 1 tcp 39207 status
        100021 1 tcp 39207 nlockmgr
        100021 3 tcp 39207 nlockmgr
        100021 4 tcp 39207 nlockmgr

    It looks like that is it!

    Thanks everybody for all of your help with this problem.

    On Fri, 2005-10-28 at 13:54 -0400, Justin wrote:
    > Shawn,
    >
    > netstat reports a '-' for the PID because it does not know what's
    > listening on that port. It appears from your shell output that you
    > issued netstat as root, and thus should have gotten that PID. However,
    > it's not uncommon to run across this.
    >
    > You say that nmap reported these ports as open? Did you try and use
    > -sV for nmap to do a version scan and see what it is? I'd go and
    > download nmap 3.90 from insecure.org and do a version scan against
    > those services. (something like: `nmap -sS -sV -p0- -oN scan-log
    > 127.0.0.1' should do nicely). You might also see if THC's amap has
    > any idea what these services are.
    >
    > Did you scan the system with chkrootkit or rkhunter to see if there
    > were any trojans and the like?
    >
    > BTW, I'm just guessing but, 39207 looks to be an RPC port to me. Try
    > `rpcinfo -p 127.0.0.1' and see if it shows up.
    >
    > GL, and I hope that it all turns out okay for you.
    >
    > peace,
    > --Justin
    > On 10/26/05, Shawn Badger <sbadger@cskauto.com> wrote:
    > > Fuser says the port is here, but gives no more information. I have run
    > > chkrootkit on the servers and fortunately they both came back clean. I
    > > have also started watching traffic on the ports in question and noticed
    > > every so often that and pulls a couple test web pages. This is part of
    > > the High availability service and just using that high port to connect
    > > to the other server. I am not seeing any connections coming into the
    > > port in 24 hours of monitoring. I will keep monitoring and see what I
    > > find. Does anyone know why netstat reports a - for the pid though?
    > >
    > >
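To make the check Justin suggests and Shawn carries out above repeatable, here is an added example (not part of the thread, and not code from either poster) that parses the output of `rpcinfo -p` together with a `netstat -tulnp` listing and explains every listening socket that netstat shows with a `-` in the PID column: a socket whose protocol and port match a registered RPC program is reported with the program names (as with tcp/39207 and udp/32828 above), anything else is flagged for investigation. The rpcinfo lines are the ones posted in the thread; the netstat lines, PIDs and the extra port 40001 are constructed sample data. Sockets held by the kernel, such as the NFS lock manager's, have no user-space process, which is why netstat prints `-` for them even when run as root.

```python
"""Correlate listening sockets (netstat) with registered RPC programs (rpcinfo).

Added example for the thread above; not the posters' code.
"""
from collections import defaultdict

# rpcinfo -p output as posted in the thread
RPCINFO_OUTPUT = """\
   program vers proto port
    100000 2 tcp 111 portmapper
    100000 2 udp 111 portmapper
    100024 1 udp 32828 status
    100021 1 udp 32828 nlockmgr
    100021 3 udp 32828 nlockmgr
    100021 4 udp 32828 nlockmgr
    100024 1 tcp 39207 status
    100021 1 tcp 39207 nlockmgr
    100021 3 tcp 39207 nlockmgr
    100021 4 tcp 39207 nlockmgr
"""

# Constructed netstat -tulnp listing (PIDs, sshd and port 40001 are made up)
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 0.0.0.0:39207           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:32828           0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           812/portmap
"""


def parse_rpcinfo(text):
    """Map (proto, port) -> set of RPC program names from `rpcinfo -p` output."""
    services = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Data rows have five columns and start with a numeric program number;
        # the header row does not.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        _program, _vers, proto, port, name = fields
        services[(proto, int(port))].add(name)
    return services


def parse_netstat(text):
    """Return [(proto, port, owner_or_None)] for each tcp/udp listener.

    UDP rows have no State column, so the local address is taken by position
    (column 4) and the owner from the last column; '-' becomes None.
    """
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        proto = fields[0].rstrip("6")
        port = int(fields[3].rsplit(":", 1)[1])
        owner = fields[-1]
        listeners.append((proto, port, None if owner == "-" else owner))
    return listeners


def explain_listeners(rpc_text, netstat_text):
    """Classify each listener as 'owned:<pid/name>', 'rpc:<names>' or 'unknown'."""
    rpc = parse_rpcinfo(rpc_text)
    verdicts = {}
    for proto, port, owner in parse_netstat(netstat_text):
        if owner is not None:
            verdicts[(proto, port)] = "owned:" + owner
        elif (proto, port) in rpc:
            verdicts[(proto, port)] = "rpc:" + ",".join(sorted(rpc[(proto, port)]))
        else:
            verdicts[(proto, port)] = "unknown"
    return verdicts


def unexplained_ports(rpc_text, netstat_text):
    """Listeners with no PID and no RPC registration: the ones worth chasing."""
    verdicts = explain_listeners(rpc_text, netstat_text)
    return sorted(key for key, verdict in verdicts.items() if verdict == "unknown")


if __name__ == "__main__":
    for (proto, port), verdict in sorted(explain_listeners(RPCINFO_OUTPUT, NETSTAT_OUTPUT).items()):
        print(f"{proto}/{port:<6} {verdict}")
    print("needs investigation:", unexplained_ports(RPCINFO_OUTPUT, NETSTAT_OUTPUT))
```

On a live host, feed it the real output with `rpcinfo -p 127.0.0.1 > rpc.txt` and `netstat -tulnp > ns.txt` (as root) and pass the file contents to `explain_listeners`; only the ports that come back `unknown` still need the `nmap -sV` / `fuser` treatment from the thread.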
