[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: who owns the ports?

I find the netstat program to be much more useful and accurate than nmap
when determining what ports are doing what on your system.  For example:

# netstat -nlp | grep LISTEN
tcp        0      0   *               LISTEN
16891/lpd Waiting   
tcp        0      0*               LISTEN
tcp        0      0 *               LISTEN
tcp        0      0 *               LISTEN
tcp        0      0   *               LISTEN

It tells you what IP/port is bound, and the PID and name of the process
using it.  On occasion you will find an PID without a process name
attached to it, but you can easily figure this out with a ps list :)

If you start noticing major discrepancies between nmap and netstat
(ex. nmap shows port 666 open but netstat doesn't) you may be in for a bit
of trouble.  Rootkits will change system binaries such as netstat, ps, ls,
du, login, etc in order to hide certain processes.  If netstat or any
other critical binary has been compromised, then you maybe missing
something in the output.  This is a whole other matter, much more serious 
than a rogue fingerd ;)


On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

> Performing strobe or nmap on my system, I get, e.g., the following list:
> 79/tcp     open        finger                  
> 119/tcp    open        nntp                    
> 143/tcp    open        imap2                   
> 540/tcp    open        uucp                    
> 6667/tcp   open        irc                     
> 12345/tcp  open        NetBus                  
> 12346/tcp  open        NetBus                  
> 31337/tcp  open        Elite                   
> However, lsof -i tcp:79 yields nothing. Similarly with the others.
> In addition, there should be no irc running, finger is commented from the
> inetd.conf, and so on.
> Why do these ports respond to strobe or nmap? Which process controlls them?
> Matthias
> -- 
> **************************************************************************
> * Matthias G.Imhof, Ph.D.                          phone: (540) 231 6004 *
> * Derring Hall 4044                                fax:   (540) 231 3386 *
> * Virginia Tech                                        email: mgi@vt.edu *
> * Blacksburg, VA 24061-0420             http://www.geol.vt.edu/profs/mgi *
> * There is no dark side of the moon really. Matter of fact it's all dark *
> **************************************************************************
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: