Re: port mapping and lsof

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



gary artim wrote:
On Thu, Nov 13, 2008 at 10:44 AM, Rick Stevens <ricks@xxxxxxxx> wrote:
gary artim wrote:
Hi --

Periodically I get a connection between 2 host on port 1000. netstat,
shown  below, but lsof, when executed like --

/usr/sbin/lsof  -i TCP:1000

-- shows nothing. If i execute --

/usr/sbin/lsof -i -nP

I get nada, see below. Anyone know what or how I can establish what
this connection is? I am running nfs between
the two machines. Much thanks!

-- Gary

#  netstat -nat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address
    State
tcp        0      0 0.0.0.0:111                 0.0.0.0:*
    LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*
    LISTEN
tcp        0      0 0.0.0.0:46774               0.0.0.0:*
    LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*
    LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*
    LISTEN
tcp        0      0 0.0.0.0:34393               0.0.0.0:*
    LISTEN
tcp        0      0 127.0.0.1:6010              0.0.0.0:*
    LISTEN
tcp        0      0 127.0.0.1:6011              0.0.0.0:*
    LISTEN
tcp        0      0 192.168.1.2:1000            192.168.1.1:59903
    ESTABLISHED       ( ### the connection ### )
tcp        0      0 127.0.0.1:25                127.0.0.1:44486
    TIME_WAIT
tcp        0      0 192.168.1.2:991             192.168.1.1:2049
    ESTABLISHED
tcp        0      0 :::22                       :::*
    LISTEN
tcp        0      0 :::25                       :::*
    LISTEN
tcp        0      0 ::1:6010                    :::*
    LISTEN
tcp        0      0 ::1:6011                    :::*
    LISTEN


# /usr/sbin/lsof -i -nP
COMMAND     PID     USER   FD   TYPE DEVICE SIZE NODE NAME
rpcbind    1834      rpc    6u  IPv4   3898       UDP *:111
rpcbind    1834      rpc    7u  IPv4   3902       UDP *:737
rpcbind    1834      rpc    8u  IPv4   3903       TCP *:111 (LISTEN)
rpc.statd  1853  rpcuser    6u  IPv4   3953       UDP *:757
rpc.statd  1853  rpcuser    8u  IPv4   3971       UDP *:40228
rpc.statd  1853  rpcuser    9u  IPv4   3974       TCP *:34393 (LISTEN)
sshd       2182     root    3u  IPv4   4954       TCP *:22 (LISTEN)
sshd       2182     root    4u  IPv6   4956       TCP *:22 (LISTEN)
ntpd       2190      ntp   16u  IPv4   4988       UDP *:123
ntpd       2190      ntp   17u  IPv6   4989       UDP *:123
ntpd       2190      ntp   18u  IPv6   4993       UDP
[fe80::218:f3ff:fef6:3378]:123
ntpd       2190      ntp   19u  IPv6   4994       UDP [::1]:123
ntpd       2190      ntp   20u  IPv6   4995       UDP
[fe80::218:f3ff:fef6:340e]:123
ntpd       2190      ntp   21u  IPv4   4996       UDP 127.0.0.1:123
ntpd       2190      ntp   22u  IPv4   4997       UDP 128.32.10.135:123
ntpd       2190      ntp   23u  IPv4   4998       UDP 192.168.1.2:123
avahi-dae  2243    avahi   14u  IPv4   5213       UDP *:5353
avahi-dae  2243    avahi   15u  IPv4   5214       UDP *:54663
cupsd      2252     root    4u  IPv4   5251       TCP 127.0.0.1:631
(LISTEN)
cupsd      2252     root    6u  IPv4   5254       UDP *:631
master     2428     root   12u  IPv4   5775       TCP *:25 (LISTEN)
master     2428     root   13u  IPv6   5777       TCP *:25 (LISTEN)
....
smtpd     29092  postfix    6u  IPv4   5775       TCP *:25 (LISTEN)
smtpd     29092  postfix    7u  IPv6   5777       TCP *:25 (LISTEN)
smtp      29173  postfix   12u  IPv4 473909       TCP
xxx.xxx.10.135:36858->209.85.217.185:25 (ESTABLISHED)

When that occurs, try "netstat -pn | grep :1000" and you should see
which program is doing it.  According to /etc/services, port 1000
is "cadlock2".  Other sources say this may be caused by a trojan.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-            We look for things.  Things that make us go!            -
----------------------------------------------------------------------

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


Thanks, I tried that (happened to notice the -p option) and get:

tcp        0      0 192.168.1.2:1000            192.168.1.1:59903
     ESTABLISHED -
tcp        0      0 128.32.10.135:22            75.37.17.46:1057
     ESTABLISHED 29271/sshd: gartim
tcp        0      0 192.168.1.2:991             192.168.1.1:2049
     ESTABLISHED -

no program listed. I also get it on 2049, an nfs port. Is it possibly
an nfs connection?

That's possible.  You might try to capture a tcpdump of the traffic
in a file and examine it to see what's going on.  Something like:

	tcpdump -s 1500 -X tcp port 1000 >/tmp/tcpdump.txt

which will do it in hex and ASCII and you can look at with an editor, or

	tcpdump -s 1500 -w /tmp/tcpdump.dat tcp port 1000

to capture it in binary and you can look at the data in /tmp/tcpdump.dat
with wireshark later.

Just a couple of ideas.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-    Admitting you have a problem is the first step toward getting   -
-    medicated for it.      -- Jim Evarts (http://www.TopFive.com)   -
----------------------------------------------------------------------

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux