[ale] Identify source of open ports

Jim Kinney jim.kinney at gmail.com
Fri Jan 3 08:33:05 EST 2014


Sounds like a process started the port, NFS likely, but closed unexpectedly and
failed to release the port. Sounds like an NFS mount that lost its connection and
remade it on the other port.

NFS is weird.
On Jan 3, 2014 2:52 AM, "Alex Carver" <agcarver+ale at acarver.net> wrote:

> Well, a reboot took care of whatever it was because there are no
> unexpected open ports now.  Very peculiar but I didn't see any out of
> the ordinary processes and I run a file system scan every night
> (integrit) which didn't show any changes.
>
> On 1/2/2014 22:55, Alex Carver wrote:
> > Ok, even stranger.  Watching the wireshark transactions, I am able to
> > send four bytes to this port.  After four bytes the connection is closed
> > on the server end.  I can't see any valid data coming back from the
> > port, most of it is just TCP SYNs and ACKs.  There doesn't appear to be
> > any data coming back (wireshark shows no data attached to any return
> > packet and all the returns are ACK and FIN packets).  If I connect a few
> > more times I start to receive RST packets instead.
> >
> > There's a UDP port 38501 that's also open with no identifiable program.
> >  That one echoes anything I type as long as it's four bytes or less.
> >
> > I've also shut down every service on the system and both ports are still
> > open.  I'm thoroughly confused now.
> >
> > On 1/2/2014 22:23, Alex Carver wrote:
> >> Well, that clears up one port, 54906 is being used by rpc.statd (I've
> >> got an NFS server running on that machine).  But the other port, 42865,
> >> doesn't show up in the list.  However, it does respond to a connection
> >> request from netcat and sending a simple carriage return causes a zero
> >> byte response (well, zero payload bytes, only the TCP headers).  I can
> >> send other random characters but it disconnects afterwards.  Very
> >> peculiar.  I'm downloading wireshark now to sniff at it some more.  It
> >> can get hard to read tcpdump.
> >>
> >>
> >>
> >> On 1/2/2014 22:11, Beddingfield, Allen wrote:
> >>> Try "lsof -l -P|grep LISTEN"  on the system with those ports open.
> >>>
> >>> Allen B.
> >>> --
> >>> Allen Beddingfield
> >>> Systems Engineer
> >>> The University of Alabama
> >>>
> >>> ________________________________________
> >>> From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Alex Carver [agcarver+ale at acarver.net]
> >>> Sent: Thursday, January 02, 2014 11:49 PM
> >>> To: Atlanta Linux Enthusiasts
> >>> Subject: [ale] Identify source of open ports
> >>>
> >>> It's a new year so on a whim I started nmaps of various machines and
> >>> devices on my home network to see what was open and if anything I didn't
> >>> know about popped up.
> >>>
> >>> One of my Debian boxes popped up with two ports out of the blue.  Port
> >>> 42865 and 54906.  I don't know of any services running that use those
> >>> ports.  Running netstat -ap doesn't show much either, it has a blank
> >>> entry for the PID/Program name:
> >>>
> >>> Proto Recv-Q Send-Q Local Address    Foreign Address   State    PID/Program name
> >>>
> >>> tcp        0      0 *:42865          *:*                LISTEN   -
> >>> tcp        0      0 *:54906          *:*                LISTEN   -
> >>>
> >>> Anything else I can use to try and ferret out what it is that is
> >>> listening on these ports?  Neither port is accessible from the outside
> >>> world due to a firewall.  A scan of two other Debian boxes shows mostly
> >>> ok (expected services) though one shows port 779 open in listen mode
> >>> but again with no PID, and the other machine shows 31599 (also not
> >>> accessible).
> >>>
> >>> Searching online for those particular ports doesn't provide any useful
> >>> information (779 claims one use is for NetInfo on OS X but that machine
> >>> is not a Mac).
> >>> _______________________________________________
> >>> Ale mailing list
> >>> Ale at ale.org
> >>> http://mail.ale.org/mailman/listinfo/ale
> >>> See JOBS, ANNOUNCE and SCHOOLS lists at
> >>> http://mail.ale.org/mailman/listinfo
> >>>
> >>
> >
>
>
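An added example, not code from this thread or from any of its posters, that does by hand what netstat -ap and lsof -l -P do: it reads /proc/net/tcp and /proc/net/udp, decodes each socket's address and state, and maps the socket inode to a PID by walking every /proc/<pid>/fd. The embedded /proc tables are constructed to match the ports in the thread (TCP 42865 and 54906, UDP 38501); the owner entry pairing inode 12345 with an rpc.statd process at PID 4242 is invented for the demonstration, and the little-endian address decoding is an assumption about the host. A listening socket whose inode is 0, or which appears in no process's fd table, has no userspace owner: that is the "-" netstat prints, and it is what an in-kernel service (the NFS/sunrpc code is the usual one) looks like, or what an unprivileged user sees for another user's process.

```python
import os
import socket
import struct

# Constructed samples in /proc/net/{tcp,udp} format (not captured from a real
# host). Ports are the thread's: 0xA771 = 42865, 0xD67A = 54906, 0x9665 = 38501.
# TCP state 0A is LISTEN; a bound, unconnected UDP socket shows state 07.
# Inode 0 means there is no userspace socket object behind the entry.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:A771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   1: 00000000:D67A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C35A 01 00000000:00000000 00:00000000 00000000     0        0 777 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   3: 00000000:9665 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 0 2 0000000000000000 0
"""
# Hypothetical owner table, used when /proc is not available: inode 12345 -> rpc.statd.
SAMPLE_OWNERS = {"12345": (4242, "rpc.statd")}

LISTEN_STATE = {"tcp": "0A", "udp": "07"}


def decode_addr(hex_addr):
    """'0100007F:0016' -> ('127.0.0.1', 22).

    The kernel prints the IPv4 address as a host-order 32-bit word, so this
    assumes a little-endian host and byte-swaps before inet_ntoa; the port is
    plain big-endian hex.
    """
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net(text, proto):
    """Parse the rows of /proc/net/tcp or /proc/net/udp into dicts."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = decode_addr(f[1])
        rows.append({"proto": proto, "local": ip, "port": port, "state": f[3],
                     "uid": int(f[7]), "inode": f[9],
                     "listening": f[3] == LISTEN_STATE[proto]})
    return rows


def inode_to_pid_map(proc="/proc"):
    """Map socket inode -> (pid, comm) by reading every /proc/<pid>/fd link.

    Other users' fd directories are unreadable without root, so an incomplete
    map (and therefore a false "no owner") is what an unprivileged run gets.
    """
    owners = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
            with open(os.path.join(proc, pid, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:[") and target.endswith("]"):
                owners[target[8:-1]] = (int(pid), comm)
    return owners


def attribute(rows, owners):
    """Keep only listening sockets and attach (pid, comm) or None to each."""
    out = []
    for r in rows:
        if r["listening"]:
            r = dict(r)
            r["owner"] = owners.get(r["inode"]) if r["inode"] != "0" else None
            out.append(r)
    return out


def report(rows):
    """One line per listening socket; '-' marks sockets with no userspace owner."""
    lines = []
    for r in rows:
        who = "%d/%s" % r["owner"] if r["owner"] else "- (no userspace owner)"
        lines.append("%-3s %s:%-5d uid=%-4d inode=%-8s %s"
                     % (r["proto"], r["local"], r["port"], r["uid"], r["inode"], who))
    return lines


def scan_host():
    """Read the live tables if this is Linux; otherwise fall back to the samples."""
    try:
        with open("/proc/net/tcp") as t, open("/proc/net/udp") as u:
            tcp_text, udp_text = t.read(), u.read()
        owners = inode_to_pid_map()
    except OSError:
        tcp_text, udp_text, owners = SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_UDP, SAMPLE_OWNERS
    return attribute(parse_proc_net(tcp_text, "tcp") + parse_proc_net(udp_text, "udp"), owners)


if __name__ == "__main__":
    print("\n".join(report(scan_host())))
```

Run it as root: an unprivileged run cannot read other users' fd tables, so it reports those sockets as unowned too, and that is the first thing to rule out before suspecting a kernel-held port. For a port that still has no owner as root, rpcinfo -p shows what is registered with the portmapper (rpc.statd, lockd and the NFS callback port live there), and ss -tulnp gives the same inode-to-PID attribution in one command.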