[ale] Identify source of open ports

Alex Carver agcarver+ale at acarver.net
Fri Jan 3 17:53:19 EST 2014


I did try lsof some more before I rebooted but nothing was connected
with that particular port.  It was just this random open port that no
process controlled or wanted.  Very odd.  But as mentioned in the thread
and other threads, it was probably a dead NFS connection that was never
cleaned up and purged.  Even still, integrit said all was good and still
the firewall was not open to that port (and I don't run UPnP foolishness
on my firewall).  So even if it were something malicious, no one was
going to be able to reach it.

On 1/3/2014 07:57, Lightner, Jeff wrote:
> +1 on lsof - one of the most fantastic tools ever - I began using it on HP-UX years ago and use it for many things, not just networking.  (lsof = list open files).  The number of options is amazing.   Linux netstat (as opposed to proprietary UNIX netstat) is a good tool but I seldom use it for these kinds of things if lsof is available.
> 
> By the way the "-i" option should be lower case.   You can even get more detail by combining options with "-a" so that "lsof -i -a -p <pid>" will show you just the sockets for a specified PID as opposed to showing you all sockets on the system.
> 
> Note that there are some things lsof won't see but the author is (or was a few years back) quite responsive to queries.   When I contacted him back then he even made HP change something they'd done in their code because they had an agreement with him to make lsof work on HP-UX and had apparently reneged.   Funny thing is he pointed me to the FAQ initially and I realized I'd been using it so long it hadn't occurred to me to look at the FAQ.   However, on the follow-up, when I thought I'd figured out the issue was something mentioned in the FAQ, he realized it was the code change HP had done.
> 
> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Alex Carver
> Sent: Friday, January 03, 2014 1:28 AM
> To: ale at ale.org
> Subject: Re: [ale] Identify source of open ports
> 
> Well, that clears up one port, 54906 is being used by rpc.statd (I've got an NFS server running on that machine).  But the other port, 42865, doesn't show up in the list.  However, it does respond to a connection request from netcat and sending a simple carriage return causes a zero byte response (well, zero payload bytes, only the TCP headers).  I can send other random characters but it disconnects afterwards.  Very peculiar.  I'm downloading wireshark now to sniff at it some more.  It can get hard to read tcpdump.
> 
> On 1/2/2014 22:11, Beddingfield, Allen wrote:
>> Try "lsof -l -P|grep LISTEN"  on the system with those ports open.
>>
>> Allen B.
>> --
>> Allen Beddingfield
>> Systems Engineer
>> The University of Alabama
>>
>> ________________________________________
>> From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Alex
>> Carver [agcarver+ale at acarver.net]
>> Sent: Thursday, January 02, 2014 11:49 PM
>> To: Atlanta Linux Enthusiasts
>> Subject: [ale] Identify source of open ports
>>
>> It's a new year so on a whim I started nmaps of various machines and
>> devices on my home network to see what was open and if anything I
>> didn't know about popped up.
>>
>> One of my Debian boxes popped up with two ports out of the blue.  Ports
>> 42865 and 54906.  I don't know of any services running that use those
>> ports.  Running netstat -ap doesn't show much either, it has a blank
>> entry for the PID/Program name:
>>
>> Proto Recv-Q Send-Q Local Address    Foreign Address   State    PID/Program name
>> tcp        0      0 *:42865          *:*               LISTEN   -
>> tcp        0      0 *:54906          *:*               LISTEN   -
>>
>> Anything else I can use to try and ferret out what it is that is
>> listening on these ports?  Neither port is accessible from the outside
>> world due to a firewall.  A scan of two other Debian boxes shows mostly OK
>> (expected services), though one shows port 779 open in listen mode but
>> again with no PID, and the other machine shows 31599 (also not accessible).
>>
>> Searching online for those particular ports doesn't provide any useful
>> information (779 claims one use is for NetInfo on OS X but that
>> machine is not a Mac).
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>>
> 
> 
> 
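The thread turns on what a "-" in the PID/Program name column of netstat -ap actually means. The following script is an added example, not code from any of the posters; it does by hand what netstat and lsof -i do on Linux: read the LISTEN entries from /proc/net/tcp, then look for a process whose /proc/<pid>/fd holds a socket:[inode] link for each one. A listener whose inode no process holds is exactly the "-" case, which is what a kernel-owned socket (NFS lockd/statd callbacks, other kernel RPC services) looks like, since there is no user-space file descriptor to find. The /proc/net/tcp sample embedded below is constructed (sshd on port 22 plus an unowned listener on 42865, the port from the thread); the live /proc scan is used when the script runs on Linux and is replaced by that sample elsewhere.

```python
"""
Map listening TCP sockets to owning processes by reading /proc directly.

Added example for the ALE "Identify source of open ports" thread, not
code from the thread. It assumes the Linux /proc layout: /proc/net/tcp
for socket tables and /proc/<pid>/fd/* symlinks of the form
socket:[inode]. Run as root to see every process's fds; unprivileged
runs silently miss other users' processes, which also shows up as "-".
"""
import glob
import os
import re
import socket
import struct

TCP_LISTEN = 0x0A  # kernel state code for LISTEN in /proc/net/tcp


def decode_endpoint(field, family=socket.AF_INET):
    """Turn a /proc/net/tcp field like '0100007F:0016' into ('127.0.0.1', 22)."""
    addr_hex, port_hex = field.split(":")
    port = int(port_hex, 16)
    if family == socket.AF_INET:
        # the kernel prints the 4 address bytes as one host-order (little-endian) word
        packed = struct.pack("<I", int(addr_hex, 16))
        return socket.inet_ntop(socket.AF_INET, packed), port
    # IPv6 (/proc/net/tcp6): four host-order 32-bit words back to back
    words = [int(addr_hex[i:i + 8], 16) for i in range(0, 32, 8)]
    packed = b"".join(struct.pack("<I", w) for w in words)
    return socket.inet_ntop(socket.AF_INET6, packed), port


def parse_listeners(text, family=socket.AF_INET):
    """Parse /proc/net/tcp{,6} text; return [(addr, port, inode)] for LISTEN sockets."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], int(fields[3], 16), int(fields[9])
        if state == TCP_LISTEN:
            addr, port = decode_endpoint(local, family)
            listeners.append((addr, port, inode))
    return listeners


def socket_inode_owners():
    """Scan /proc/<pid>/fd for socket:[inode] links; return {inode: [(pid, comm)]}."""
    owners = {}
    for fd_link in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd_link)
        except OSError:
            continue  # fd closed, process exited, or EACCES when not root
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if not m:
            continue
        pid = int(fd_link.split("/")[2])
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        owners.setdefault(int(m.group(1)), []).append((pid, comm))
    return owners


def report(listeners, owners):
    """One line per listener, netstat -ap style, with '-' where no process holds the socket."""
    lines = []
    for addr, port, inode in listeners:
        who = owners.get(inode)
        if who:
            prog = ",".join(f"{pid}/{comm}" for pid, comm in who)
        else:
            prog = "-"  # no user-space fd: kernel-owned socket, or the scan lacked permission
        lines.append(f"{addr}:{port}\tinode={inode}\t{prog}")
    return lines


# Constructed sample in /proc/net/tcp format: sshd listening on :22, a LISTEN
# socket on 42865 (0xA771, the port from the thread) that no process holds,
# and one ESTABLISHED connection that must be ignored.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:A771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99999 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_OWNERS = {12345: [(742, "sshd")]}  # constructed: as if the fd scan found only sshd

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:
            live = parse_listeners(f.read())
        owners = socket_inode_owners()
    except OSError:  # not on Linux: fall back to the constructed sample
        live, owners = parse_listeners(SAMPLE_PROC_NET_TCP), SAMPLE_OWNERS
    for line in report(live, owners):
        print(line)
```

When a port comes back as "-" even under root, the socket belongs to the kernel rather than to a process, so lsof and netstat have nothing to show for it; rpcinfo -p lists the ports the RPC services (statd, lockd, nfsd) have registered, which is where the thread's 54906 was explained. The same inode-matching is what ss -ltnp does internally, so its output can be cross-checked against this script.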