[ale] Identify source of open ports

Alex Carver agcarver+ale at acarver.net
Fri Jan 3 01:55:09 EST 2014


Ok, even stranger.  Watching the wireshark transactions, I am able to
send four bytes to this port.  After four bytes the connection is closed
on the server end.  I can't see any valid data coming back from the
port, most of it is just TCP SYNs and ACKs.  There doesn't appear to be
any data coming back (wireshark shows no data attached to any return
packet and all the returns are ACK and FIN packets).  If I connect a few
more times I start to receive RST packets instead.

There's a UDP port 38501 that's also open with no identifiable program.
That one echoes anything I type as long as it's four bytes or less.

I've also shut down every service on the system and both ports are still
open.  I'm thoroughly confused now.

On 1/2/2014 22:23, Alex Carver wrote:
> Well, that clears up one port, 54906 is being used by rpc.statd (I've
> got an NFS server running on that machine).  But the other port, 42865,
> doesn't show up in the list.  However, it does respond to a connection
> request from netcat and sending a simple carriage return causes a zero
> byte response (well, zero payload bytes, only the TCP headers).  I can
> send other random characters but it disconnects afterwards.  Very
> peculiar.  I'm downloading wireshark now to sniff at it some more.  It
> can get hard to read tcpdump.
> 
> 
> 
> On 1/2/2014 22:11, Beddingfield, Allen wrote:
>> Try "lsof -l -P|grep LISTEN"  on the system with those ports open.
>>
>> Allen B.
>> --
>> Allen Beddingfield
>> Systems Engineer
>> The University of Alabama
>>
>> ________________________________________
>> From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Alex Carver [agcarver+ale at acarver.net]
>> Sent: Thursday, January 02, 2014 11:49 PM
>> To: Atlanta Linux Enthusiasts
>> Subject: [ale] Identify source of open ports
>>
>> It's a new year so on a whim I started nmaps of various machines and
>> devices on my home network to see what was open and if anything I didn't
>> know about popped up.
>>
>> One of my Debian boxes popped up with two ports out of the blue.  Port
>> 42865 and 54906.  I don't know of any services running that use those
>> ports.  Running netstat -ap doesn't show much either, it has a blank
>> entry for the PID/Program name:
>>
>> Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
>> tcp        0      0 *:42865            *:*         LISTEN      -
>> tcp        0      0 *:54906            *:*         LISTEN      -
>>
>> Anything else I can use to try and ferret out what it is that is
>> listening on these ports?  Neither port is accessible from the outside
>> world due to a firewall.  A scan of two other Debian boxes shows mostly ok
>> (expected services) though one shows port 779 open in listen mode but
>> again with no PID, and the other machine shows 31599 (also not accessible).
>>
>> Searching online for those particular ports doesn't provide any useful
>> information (779 claims one use is for NetInfo on OS X but that machine
>> is not a Mac).
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
> 
> 
> 
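The attribution problem this thread keeps running into (netstat printing "-" in the PID/Program name column for the listeners on 42865 and 54906) can be reproduced by hand. Added example, not from the list post or any of its authors: a Python script that does what netstat -p and lsof do underneath, reading /proc/net/tcp for LISTEN sockets and matching their inodes against the socket:[inode] links in /proc/<pid>/fd. The embedded /proc/net/tcp text is constructed; the ports in it are the two from the thread.

```python
import glob
import os
import re

# Constructed sample of /proc/net/tcp (not from the list): two LISTEN (0A)
# sockets on 42865 (0xA771) and 54906 (0xD67A) and one ESTABLISHED (01) row.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:A771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:D67A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   107        0 12346 1 0 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0 100 0 0 10 0
"""

def parse_listeners(text, state="0A"):
    """Return {port: inode} for rows in the given socket state.
    0A is TCP LISTEN; /proc/net/udp lists bound sockets with state 07."""
    result = {}
    for line in text.splitlines()[1:]:          # skip the column header
        f = line.split()
        if len(f) >= 10 and f[3] == state:
            result[int(f[1].split(":")[1], 16)] = int(f[9])
    return result

def socket_owners():
    """Map socket inode -> (pid, comm) by reading /proc/<pid>/fd/* links.
    Other users' fd directories are unreadable without root, which is the
    usual reason netstat shows '-' in the PID/Program name column."""
    owners = {}
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
            if m:
                pid = fd.split("/")[2]
                with open(f"/proc/{pid}/comm") as c:
                    owners[int(m.group(1))] = (pid, c.read().strip())
        except OSError:
            continue                             # process exited or no access
    return owners

def attribute(listeners, owners):
    """Join ports to owners. An inode with no owning fd in any process is a
    socket held by the kernel itself (NFS lockd, for example), not a daemon."""
    return {p: owners.get(i, ("-", "kernel-owned or not visible"))
            for p, i in listeners.items()}

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        tcp = parse_listeners(f.read())
    for port, (pid, comm) in sorted(attribute(tcp, socket_owners()).items()):
        print(f"tcp/{port:<5} pid={pid} comm={comm}")
```

Run it as root so every process's fd directory is readable; a port that still matches no fd after that is the case the thread describes, where shutting down userspace services leaves the listener open because the socket belongs to the kernel.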