[ale] Identify source of open ports

Alex Carver agcarver+ale at acarver.net
Fri Jan 3 02:50:53 EST 2014


Well, a reboot took care of whatever it was because there are no
unexpected open ports now.  Very peculiar but I didn't see any out of
the ordinary processes and I run a file system scan every night
(integrit) which didn't show any changes.

On 1/2/2014 22:55, Alex Carver wrote:
> Ok, even stranger.  Watching the wireshark transactions, I am able to
> send four bytes to this port.  After four bytes the connection is closed
> on the server end.  I can't see any valid data coming back from the
> port, most of it is just TCP SYNs and ACKs.  There doesn't appear to be
> any data coming back (wireshark shows no data attached to any return
> packet and all the returns are ACK and FIN packets).  If I connect a few
> more times I start to receive RST packets instead.
> 
> There's a UDP port 38501 that's also open with no identifiable program.
>  That one echoes anything I type as long as it's four bytes or less.
> 
> I've also shut down every service on the system and both ports are still
> open.  I'm thoroughly confused now.
> 
> On 1/2/2014 22:23, Alex Carver wrote:
>> Well, that clears up one port, 54906 is being used by rpc.statd (I've
>> got an NFS server running on that machine).  But the other port, 42865,
>> doesn't show up in the list.  However, it does respond to a connection
>> request from netcat and sending a simple carriage return causes a zero
>> byte response (well, zero payload bytes, only the TCP headers).  I can
>> send other random characters but it disconnects afterwards.  Very
>> peculiar.  I'm downloading wireshark now to sniff at it some more.  It
>> can get hard to read tcpdump.
>>
>>
>>
>> On 1/2/2014 22:11, Beddingfield, Allen wrote:
>>> Try "lsof -l -P|grep LISTEN"  on the system with those ports open.
>>>
>>> Allen B.
>>> --
>>> Allen Beddingfield
>>> Systems Engineer
>>> The University of Alabama
>>>
>>> ________________________________________
>>> From: ale-bounces at ale.org [ale-bounces at ale.org] on behalf of Alex Carver [agcarver+ale at acarver.net]
>>> Sent: Thursday, January 02, 2014 11:49 PM
>>> To: Atlanta Linux Enthusiasts
>>> Subject: [ale] Identify source of open ports
>>>
>>> It's a new year so on a whim I started nmaps of various machines and
>>> devices on my home network to see what was open and if anything I didn't
>>> know about popped up.
>>>
>>> One of my Debian boxes popped up with two ports out of the blue.  Port
>>> 42865 and 54906.  I don't know of any services running that use those
>>> ports.  Running netstat -ap doesn't show much either, it has a blank
>>> entry for the PID/Program name:
>>>
>>> Proto Recv-Q Send-Q Local Address    Foreign Address   State       PID/Program name
>>> tcp        0      0 *:42865            *:*         LISTEN      -
>>> tcp        0      0 *:54906            *:*         LISTEN      -
>>>
>>> Anything else I can use to try and ferret out what it is that is
>>> listening on these ports?  Neither port is accessible from the outside
>>> world due to a firewall.  A scan of two other Debian boxes shows mostly ok
>>> (expected services) though one shows port 779 open in listen mode but
>>> again with no PID, and the other machine shows 31599 (also not accessible).
>>>
>>> Searching online for those particular ports doesn't provide any useful
>>> information (779 claims one use is for NetInfo on OS X but that machine
>>> is not a Mac).
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>>
>>
>>
>>
> 
> 
> 
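An added example, not part of the thread: the lookup that netstat -p and lsof perform can be done by hand by reading listening sockets from /proc/net/tcp and matching their inodes against every process's fd table. It covers IPv4 TCP only; the function names and the sample table are constructed for illustration.

```python
import glob
import os
import re

# Constructed sample in /proc/net/tcp layout. Ports 42865 (0xA771) and
# 54906 (0xD67A) are from the thread; inodes and the port 22 row are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:A771 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 0 100 0 0 10 0
   1: 00000000:D67A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 7012 1 0 100 0 0 10 0
   2: 0100007F:0016 0100007F:C001 01 00000000:00000000 00:00000000 00000000     0        0 6500 1 0 20 4 30 10 -1
"""


def listening_sockets(table_text):
    """Return {port: inode} for rows in LISTEN state (st == 0A)."""
    result = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)  # local_address is HEXIP:HEXPORT
        result[port] = int(f[9])                # tenth column is the socket inode
    return result


def inode_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs holding it open. Needs root to see all."""
    owners = {}
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(fd))
        except OSError:  # process exited or permission denied
            continue
        if m:
            pid = int(fd.split(os.sep)[-3])
            owners.setdefault(int(m.group(1)), set()).add(pid)
    return owners


def unowned_listeners(table_text, owners):
    """Ports listening with no process fd referencing their inode."""
    return sorted(p for p, ino in listening_sockets(table_text).items()
                  if ino not in owners)


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        print(unowned_listeners(fh.read(), inode_owners()))
```

Run it as root: without privilege, other users' fd directories are unreadable and their sockets show up as unowned, the same reason netstat prints `-` for them.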


