
Re: [suse-security] strange: Open Ports, not owned by processes, SuSe 9.1



Markus Gerke wrote:
Dear list!

I encountered a strange behaviour of my 9.1-Installation.
The system is listening to TCP-ports (for example 1024, 996) but I don't know which processes are assigned to it and I did not start a service.

Here is the netstat -atp output right after boot (runlevel 3):

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address State  PID/Program name
tcp   0      0      *:967                   *:*             LISTEN 4602/ypbind
tcp   0      0      ipi230.ipi.:netbios-ssn *:*             LISTEN 5260/smbd
tcp   0      0      *:sunrpc                *:*             LISTEN 4403/portmap
tcp   0      0      ipi230.ipi:microsoft-ds *:*             LISTEN 5260/smbd
tcp   0      0      *:ssh                   *:*             LISTEN 4576/sshd

That is OK, but after approx. 10 min. an additional port is open:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address State  PID/Program name
tcp   0      0      *:1024                  *:*             LISTEN -
tcp   0      0      *:967                   *:*             LISTEN 4602/ypbind
tcp   0      0      ipi230.ipi.:netbios-ssn *:*             LISTEN 5260/smbd
tcp   0      0      *:sunrpc                *:*             LISTEN 4403/portmap
tcp   0      0      ipi230.ipi:microsoft-ds *:*             LISTEN 5260/smbd
tcp   0      0      *:ssh                   *:*             LISTEN 4576/sshd

There is no process assigned to 1024.

I checked the system with chkrootkit and rkhunter, both negative.
Do you know this behaviour? Is this a backdoor?

Before I encountered this problem the system was permanently running in runlevel 5, also running CUPS. Perhaps this has something to do with the vulnerability solved with the patch from Sept. 15?


Try running `lsof | grep LISTEN`. It's basically the same as the netstat, but starting from the other direction.

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
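
Added example, not part of the original messages: netstat -p and lsof both find a socket's owner by matching its inode against the /proc/<pid>/fd links, and netstat prints "-" when no readable link refers to it. The sketch below runs the same cross-check directly against /proc/net/tcp (IPv4 only) and lists the listening ports that have no visible owner. The function names and the SAMPLE rows are constructed for illustration; run it as root, otherwise other users' processes are not visible.

```python
import os
import re

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp
# Constructed sample rows in /proc/net/tcp layout (hex port 0400 = 1024, 0016 = 22).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0400 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4576 1
   2: 0100007F:0016 0100007F:C000 01 00000000:00000000 00:00000000 00000000     0        0 4600 1
"""

def parse_listeners(proc_net_tcp_text):
    """Return [(port, inode)] for every LISTEN row of /proc/net/tcp text."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local address is HEXIP:HEXPORT
        listeners.append((port, int(fields[9])))
    return listeners

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs holding it open, via /proc/<pid>/fd links."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or caller is not root: owner stays unknown
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners

def unowned_listeners(listeners, owners):
    """Ports whose socket inode is not referenced by any visible process."""
    return sorted(port for port, inode in listeners if inode not in owners)

if __name__ == "__main__":
    live = "/proc/net/tcp"
    text = open(live).read() if os.path.exists(live) else SAMPLE
    for port in unowned_listeners(parse_listeners(text), socket_owners()):
        print(f"tcp/{port}: LISTEN, no owning process visible")
```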