Process Identification

Home » CentOS » Process Identification
CentOS 12 Comments

I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.

tcp 0 0 *:48720 *:* LISTEN –
tcp 0 0 *:43422 *:* LISTEN –
udp 0 0 *:50216 *:* –

How can I identify what application is using these ports?

Richard

12 thoughts on - Process Identification

  • My bad I should have said. My original commands were sudo netstat -tulpn | less sudo lsof | less I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.

  • Great that shows 2 of them

    $ sudo rpcinfo -p
    program vers proto port service
    100000 4 tcp 111 portmapper
    100000 3 tcp 111 portmapper
    100000 2 tcp 111 portmapper
    100000 4 udp 111 portmapper
    100000 3 udp 111 portmapper
    100000 2 udp 111 portmapper
    100024 1 udp 55364 status
    100024 1 tcp 38528 status
    100021 1 udp 50216 nlockmgr
    100021 3 udp 50216 nlockmgr
    100021 4 udp 50216 nlockmgr
    100021 1 tcp 48720 nlockmgr
    100021 3 tcp 48720 nlockmgr
    100021 4 tcp 48720 nlockmgr

  • Just a side note: on [suspected] compromised machine you can not trust any output of any commands. Say, I’d like to know which ports are open
    (listening to _external_ interfaces). I would scan that box from external machine: turn off firewall on the box in question, make sure firewall on the box you are scanning it from is not restricting outgoing traffic, then from external box scan the box in question (make sure network switches are not filtering anything), e.g.[as root; or add sudo in front of commands]:

    nmap -p 1- host.example.com nmap -p U:1- host.example.com

    then you can compare these with what internal commands (netstat, lsof)
    give you on suspect box and you will know if the box is hiding open ports from you (then it is solid suspect). There may be weird situation if you only use internal commands for comparison: the box showing less number of open ports (which you may consider clean reference box) is in fact compromised and is hiding information from you. Paranoia here is your friend.

    Good luck!

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • Valeri Galtsev wrote:


    Here’s a suggestion: look at /etc/sysconfig/iptables. Make sure that it looks the way it’s supposed to. Then you could put in a rule to kill one or more of those questionable ports, and service iptables restart, and see what happens.

    mark

  • One more side note: when checking open ports using internal commands make sure to stop firewall (iptables).

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++