Hi...

I have a box with something listening to "flickering" ports. nmap reports various random ports open from run to run. I can't telnet to them and ID w/ netstat, because they're gone the instant nmap finds them. I can't see the culprit in the output of lsof.

Does anyone here know what might be going on? If not, I might try writing a simple port scanner which leaves a connection open for netstat to track...

TRANSCRIPT FOLLOWS:

pde@xyz:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds
pde@xyz:~$ # everything looks fine
pde@xyz:~$ # all these are normal services, except 8080, which is a port
pde@xyz:~$ # tunnelled by ssh
pde@xyz:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
3920    open        tcp       unknown
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds
pde@xyz:~$ # XXX something was listening on port 3920
pde@xyz:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
3537    open        tcp       unknown
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
pde@xyz:~$ # XXX now something was listening on port 3537
pde@xyz:~$ # XXX also note the "Strange read error"
pde@xyz:~$ sudo lsof | gzip -c > lsof.gz # attached
pde@xyz:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds
pde@xyz:~$ # everything's clear again

--
Peter Eckersley
http://www.cs.mu.oz.au/~pde
(pde@cs.mu.oz.au)
TLI: http://www.computerbank.org.au
<~~~~.sig temporarily conservative pending divine intervention~~~~>
GPG fingerprint: 30BF 6A78 2013 DCFA 5985 E255 9D31 4A9A 7574 65BC
Attachment:
lsof.gz
Description: Binary data
Attachment:
pgpbwyB017JXH.pgp
Description: PGP signature
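A sketch of the diagnostic the post proposes, a connect scanner that keeps every successful connection open so the peer can still be identified afterwards; this is an added example, not code from the original message or its author. It assumes Linux (`/proc/net/tcp`), all function names are hypothetical, and the self-connection check (a connected socket whose local and remote address are identical, so no separate listener exists) is an assumption about one possible cause that the post does not state.

```python
import socket

def held_scan(host="127.0.0.1", ports=range(1, 10001), timeout=0.2):
    """Connect to each port; keep every successful socket open."""
    held = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            s.close()          # closed or filtered: nothing to hold
            continue
        held[port] = s         # stays open until the caller closes it
    return held

def is_self_connection(sock):
    """True if both ends of the connection are this same socket."""
    return sock.getsockname() == sock.getpeername()

def parse_listeners(proc_net_tcp):
    """Map listening port -> socket inode from /proc/net/tcp text."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":        # 0A = TCP_LISTEN
            listeners[int(f[1].split(":")[1], 16)] = int(f[9])
    return listeners

def classify(held, proc_net_tcp):
    """Say, for each held port, what is on the other end."""
    listeners = parse_listeners(proc_net_tcp)
    report = {}
    for port, s in sorted(held.items()):
        if is_self_connection(s):
            report[port] = "self-connection (no listener)"
        elif port in listeners:
            report[port] = "listener, socket inode %d" % listeners[port]
        else:
            report[port] = "connected, no LISTEN entry in /proc/net/tcp"
    return report

if __name__ == "__main__":
    held = held_scan()
    with open("/proc/net/tcp") as fh:
        for port, verdict in classify(held, fh.read()).items():
            print(port, verdict)
    input("Connections held open; inspect with netstat -tnp, then press Enter")
    for s in held.values():
        s.close()
```
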