Re: Unknown ports

From: Robert Heller (heller_at_deepsoft.com)
Date: 06/28/05


Date: Tue, 28 Jun 2005 02:07:00 +0200


Bob Parnes <rparnes@megalink.net>, in a message on Mon, 27 Jun 2005 12:06:35 -0000, wrote:

BP> On Sun, 26 Jun 2005 20:51:07 -0500, Dave Uhring <daveuhring@yahoo.com> wrote:
BP> > On Mon, 27 Jun 2005 01:04:15 +0000, Bob Parnes wrote:
BP> >
BP> >> Hello,
BP> >>
BP> >> After beginning to learn about security, I ran the following command
BP> >> netstat -tap | grep LISTEN
BP> >> on a debian sarge system. It came up with the following lines, shortened
BP> >> to fit in the post:
BP> >>
BP> >> tcp 0 0 *:32768 *:* LISTEN -
BP> >> tcp 0 0 *:2049 *:* LISTEN -
BP> >> tcp 0 0 *:dict *:* LISTEN 1725/0
BP> >> tcp 0 0 *:870 *:* LISTEN 1960/rpc.statd
BP> >> tcp 0 0 *:sunrpc *:* LISTEN 1524/portmap
BP> >> tcp 0 0 *:auth *:* LISTEN 1758/oidentd
BP> >> tcp 0 0 *:659 *:* LISTEN 1752/rpc.mountd
BP> >> tcp 0 0 *:2710 *:* LISTEN 1987/upsd
BP> >> tcp 0 0 *:ssh *:* LISTEN 1838/sshd
BP> >> tcp 0 0 *:ipp *:* LISTEN 2912/cupsd
BP> >> tcp 0 0 *:postgresql *:* LISTEN 1817/postmaster
BP> >>
BP> >> I don't understand the top two lines. I then ran
BP> >> lsof | grep LISTEN
BP> >
BP> > Wrong command.
BP> >
BP> > # lsof -i :2049
BP> > # lsof -i :32768
BP>
BP> These show nothing
BP>
BP> I lied a bit. I first ran lsof without options, scanned through and
BP> found references to LISTEN but not 2049 or 32768. I then ran lsof | grep
BP> LISTEN to look for matches with netstat.
BP>
BP> >> and found the same files listed in the bottom 9 above but not the top two.
BP> >> Finally I ran
BP> >> nmap -v localhost
BP> >> with the following results:
BP> >>
BP> >> PORT STATE SERVICE
BP> >> 22/tcp open ssh
BP> >> 111/tcp open rpcbind
BP> >> 113/tcp open auth
BP> >> 631/tcp open ipp
BP> >> 659/tcp open unknown
BP> >> 870/tcp open unknown
BP> >> 2049/tcp open nfs
BP> >> 2628/tcp open dict
BP> >> 5432/tcp open postgres
BP> >>
BP> >> So apparently there are two ports listening that have no process or file
BP> >> associated with them.
BP> >
BP> > Of course there are processes associated. Your netstat output showed
BP> > clearly that you are running a NFS server.
BP> >
BP>
BP> You are correct. I expected nfsd, not nfs, but now I see that the other
BP> servers are missing the "d" also.

The 'd' on the end is just part of the name of the daemon executable.
netstat lists the *service name*, not the name of the daemon process.

BP>
BP> >> Nmap shows something for one of them, except that
BP> >> I am not sure what it is. And there is still the problem with port 32768:
BP> >> how can it be listening when closed?
BP> >
BP> > Learn how to use lsof.
BP> >
BP> >> This is the first time I have seen
BP> >> anything peculiar with the computer, so I wonder if it has been hacked.
BP> >
BP> > Hacked by you. You are running a NFS server.
BP> >
BP>
BP> The NFS server is useful to me and part of the standard process of
BP> running linux, so hacking is not the proper word. But thanks for your
BP> insights.
BP>
BP>
BP> --
BP> Bob Parnes
BP> rparnes@megalink.net
BP>

Robert Heller
InterNet: heller@cs.umass.edu | heller@deepsoft.com
http://vis-www.cs.umass.edu/~heller
http://www.deepsoft.com
FidoNet: 1:321/153
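The diagnosis in the thread, as an added example that is not part of any message above: a small audit helper that parses `netstat -tap` output and separates sockets owned by a user-space process from those with `-` in the PID/Program column. On Linux a `-` there means no process holds the socket, which is why `lsof` finds nothing; it is typically a kernel-side service such as the in-kernel NFS server on 2049 or lockd on a dynamically assigned port like 32768. The sample listing is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Classify LISTEN sockets from `netstat -tap` output by owner.
# A "-" in the PID/Program column means no user-space process owns the
# socket (kernel services such as knfsd/lockd); lsof cannot show those.

# Constructed sample, copied from the listing quoted in the thread.
SAMPLE_NETSTAT='tcp 0 0 *:32768 *:* LISTEN -
tcp 0 0 *:2049 *:* LISTEN -
tcp 0 0 *:dict *:* LISTEN 1725/0
tcp 0 0 *:870 *:* LISTEN 1960/rpc.statd
tcp 0 0 *:sunrpc *:* LISTEN 1524/portmap
tcp 0 0 *:ssh *:* LISTEN 1838/sshd'

# classify_listeners: reads netstat -tap lines on stdin and prints
# "<port-or-service> <owner>" per LISTEN socket. Owner is the program
# name from the PID/Program column, or KERNEL/unknown when it is "-".
classify_listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]      # local address is host:port
        if ($7 == "-") {
            owner = "KERNEL/unknown"
        } else {
            split($7, p, "/"); owner = p[2]     # PID/Program -> Program
        }
        print port, owner
    }'
}

# unowned_ports: ports from the sample that no user-space process owns.
# On a live host, `rpcinfo -p localhost` is the next step for these: it
# shows which RPC program (nfs, nlockmgr, ...) registered the port.
unowned_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners \
        | awk '$2 == "KERNEL/unknown" { printf "%s ", $1 }' | sed 's/ $//'
}

# Stand-alone run: full classification followed by the unowned list.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
echo "No user-space owner: $(unowned_ports)"
```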