I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.
tcp 0 0 *:48720 *:* LISTEN –
tcp 0 0 *:43422 *:* LISTEN –
udp 0 0 *:50216 *:* –
How can I identify what application is using these ports?
Richard
12 thoughts on - Process Identification
I’d try lsof.
This netstat show exactly the same. Lsof does not show these ports.
This looks like these port are opened by kernel, not by a process, for example like nfs.
regards Ulf
My bad I should have said. My original commands were sudo netstat -tulpn | less sudo lsof | less I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.
How can I know for sure?
lsof -i -P | grep LISTEN
For NFS it is simple, use ‘rpcinfo -p’.
regards Ulf
Returns none of the questionable ports
Great that shows 2 of them
$ sudo rpcinfo -p
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 55364 status
100024 1 tcp 38528 status
100021 1 udp 50216 nlockmgr
100021 3 udp 50216 nlockmgr
100021 4 udp 50216 nlockmgr
100021 1 tcp 48720 nlockmgr
100021 3 tcp 48720 nlockmgr
100021 4 tcp 48720 nlockmgr
Just a side note: on [suspected] compromised machine you can not trust any output of any commands. Say, I’d like to know which ports are open
(listening to _external_ interfaces). I would scan that box from external machine: turn off firewall on the box in question, make sure firewall on the box you are scanning it from is not restricting outgoing traffic, then from external box scan the box in question (make sure network switches are not filtering anything), e.g.[as root; or add sudo in front of commands]:
nmap -p 1- host.example.com nmap -p U:1- host.example.com
then you can compare these with what internal commands (netstat, lsof)
give you on suspect box and you will know if the box is hiding open ports from you (then it is solid suspect). There may be weird situation if you only use internal commands for comparison: the box showing less number of open ports (which you may consider clean reference box) is in fact compromised and is hiding information from you. Paranoia here is your friend.
Good luck!
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev wrote:
Here’s a suggestion: look at /etc/sysconfig/iptables. Make sure that it looks the way it’s supposed to. Then you could put in a rule to kill one or more of those questionable ports, and service iptables restart, and see what happens.
mark
One more side note: when checking open ports using internal commands make sure to stop firewall (iptables).
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++