Listening on "mysterious" ports...

Carlos Moreno...
Posted: Mon May 25, 2009 2:02 am

Hi,
I just tried a port scan on one of my machines (Ubuntu desktop, but
working as a file server (Samba) inside my home LAN), and am
surprised and worried to see that it is listening on ports 48038 and
50075.
Rings a bell to anyone? Any familiar rootkits / backdoors?
netstat -p -l | egrep "48038|50075" does not report a PID for port
48038 --- 50075 corresponds to rpc.statd, which I guess is related
to samba server? (my question is: why?) --- oh, here's the
exact output:
tcp 0 0 *:48038 *:* LISTEN -
tcp 0 0 *:50075 *:* LISTEN 5622/rpc.statd
A Google search returns nothing about malware using these
ports. Anyone?
Thanks,
Carlos

David W. Hodgins...
Posted: Mon May 25, 2009 11:32 am

On Mon, 25 May 2009 08:02:12 -0400, Carlos Moreno <cm_news at (no spam) mailinator.com> wrote:
> netstat -p -l | egrep "48038|50075" does not report a PID for port
> 48038 --- 50075 corresponds to rpc.statd, which I guess is related

On my Mandriva 2009.1 system, I have two ports which do not show
a program in netstat -tapn, and do not show up in
"lsof -n|grep -i tcp|grep $portnumber".
Process of elimination (checking after stopping each daemon) shows
that they belong to smb-server and lm-sensors.
My guess is that the ports are opened by kernel modules, not
regular processes, so there is no program name associated with
them. The one for lm-sensors is consistently tcp port 2049,
while the one for nfs-server changes each time the service is
restarted.
This is normal. It would be nice if it were easier to figure
out which service these ports are being used for, and what
they are being used to do, but if you can confirm which service
they are for, it cuts down the worrying, as you can always
check the code, to see what it's being used for.
Regards, Dave Hodgins
--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)

Allen Kistler...
Posted: Mon May 25, 2009 2:39 pm

Carlos Moreno wrote:
> I just tried a port scan on one of my machines (Ubuntu desktop, but
> working as a file server (Samba) inside my home LAN), and am
> surprised and worried to see that it is listening on ports 48038 and
> 50075.
> Rings a bell to anyone? Any familiar rootkits / backdoors?
> netstat -p -l | egrep "48038|50075" does not report a PID for port
> 48038 --- 50075 corresponds to rpc.statd, which I guess is related
> to samba server? (my question is: why?) --- oh, here's the
> exact output:
> tcp 0 0 *:48038 *:* LISTEN -
> tcp 0 0 *:50075 *:* LISTEN 5622/rpc.statd
> A Google search returns nothing about malware using these
> ports. Anyone?

rpc.statd is nfs, not smb.
Chances are that 48038 is lockd, which is a kernel module and,
therefore, has no pid.
As root on that machine, try "rpcinfo -p" and see if that helps explain
things for you.
Finally, if you're not using nfs, you can always turn it off. Ditto for
any other service you're running and not using. smb is not built on
nfs. It's totally independent.
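
Added example, not part of the original thread: a small Python script that does the cross-check suggested above, matching listening TCP ports from netstat against the portmapper table printed by rpcinfo -p. The sample outputs, the port 40000 entry and the function names are constructed for illustration.

```python
# Constructed samples modelled on the thread; on a live host use the output
# of `netstat -tlnp` and `rpcinfo -p`, both run as root.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:48038   0.0.0.0:*       LISTEN -
tcp        0      0 0.0.0.0:50075   0.0.0.0:*       LISTEN 5622/rpc.statd
tcp        0      0 0.0.0.0:40000   0.0.0.0:*       LISTEN -
"""
RPCINFO_SAMPLE = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   tcp  50075  status
    100021    1   tcp  48038  nlockmgr
    100021    4   tcp  48038  nlockmgr
"""

def rpc_table(rpcinfo_text):
    """Map (proto, port) -> RPC service name from `rpcinfo -p` output."""
    table = {}
    for line in rpcinfo_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit():
            # Some rpcinfo builds omit the service column; fall back to the number.
            table[(f[2], int(f[3]))] = f[4] if len(f) > 4 else "rpc program " + f[0]
    return table

def explain_listeners(netstat_text, rpcinfo_text):
    """Return [(port, owner, verdict)] for every listening TCP socket."""
    rpc = rpc_table(rpcinfo_text)
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[5] != "LISTEN":
            continue
        proto = f[0].rstrip("6")            # tcp6 -> tcp
        port = int(f[3].rsplit(":", 1)[1])  # works for 0.0.0.0:48038 and :::48038
        service = rpc.get((proto, port))
        if service:
            verdict = "registered RPC service: " + service
        elif f[6] == "-":
            verdict = "no PID and not in portmapper: investigate"
        else:
            verdict = "owned by a userspace process"
        rows.append((port, f[6], verdict))
    return rows

if __name__ == "__main__":
    for port, owner, verdict in explain_listeners(NETSTAT_SAMPLE, RPCINFO_SAMPLE):
        print(f"{port:>5}  {owner:<16} {verdict}")
```

netstat also prints "-" in the PID column when it is run without root, so collect both outputs as root before reading anything into a missing PID.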