Re: [suse-security] strange: Open Ports, not owned by processes, SuSe 9.1

Kevin Brannen wrote:

Markus Gerke wrote:

Dear list!

I encountered strange behaviour on my 9.1 installation.
The system is listening on TCP ports (for example 1024, 996), but I don't know which processes are assigned to them and I did not start a service.


That is OK, but after approx. 10 min. an additional port is open:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
tcp        0      0 *:1024          *:*               LISTEN   -


There is no process assigned to 1024.

I checked the system with chkrootkit and rkhunter, both negative.
Do you know this behaviour? Is this a backdoor?


lsof is your friend in cases like this (install it if it didn't get installed by default). Try:

lsof -Pn -i TCP:1024

Read the man page for it, it's a very useful command. :-)


I got the hint that these ports may be assigned by the portmapper ... that's it (rpcinfo -p)...

But: I still wonder why it uses "reserved" ports (according to /etc/services)...

Thanks for your help!
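
Added example, not part of the original thread: a small Python check that cross-references listening TCP ports shown without a PID in netstat against the registrations printed by rpcinfo -p, so only ports the portmapper cannot account for are left to investigate. The sample outputs are constructed, the function names are hypothetical, and numeric netstat output (-n) is assumed.

```python
# Constructed sample output of `netstat -tlnp` and `rpcinfo -p` (not from the thread).
NETSTAT = """\
Proto Recv-Q Send-Q Local Address  Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:111    0.0.0.0:*       LISTEN 612/portmap
tcp   0      0      0.0.0.0:1024   0.0.0.0:*       LISTEN -
tcp   0      0      0.0.0.0:996    0.0.0.0:*       LISTEN -
tcp   0      0      0.0.0.0:5555   0.0.0.0:*       LISTEN -
"""
RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100021    1   tcp   1024  nlockmgr
    100024    1   udp    993  status
    100024    1   tcp    996  status
"""

def ownerless_listeners(netstat_text):
    """TCP ports in LISTEN state whose PID/Program column is '-'."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN" and f[6] == "-":
            port = f[3].rsplit(":", 1)[-1]   # handles *:1024, 0.0.0.0:1024, :::1024
            if port.isdigit():               # skip service names (output without -n)
                ports.add(int(port))
    return sorted(ports)

def rpc_registrations(rpcinfo_text, proto="tcp"):
    """Map port -> set of RPC service names registered for the given protocol."""
    reg = {}
    for line in rpcinfo_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit() and f[2] == proto and f[3].isdigit():
            name = f[4] if len(f) > 4 else "program-" + f[0]
            reg.setdefault(int(f[3]), set()).add(name)
    return reg

def classify(netstat_text, rpcinfo_text):
    """Split ownerless listeners into RPC-registered and unexplained ports."""
    reg = rpc_registrations(rpcinfo_text)
    ports = ownerless_listeners(netstat_text)
    explained = {p: sorted(reg[p]) for p in ports if p in reg}
    return explained, [p for p in ports if p not in reg]

if __name__ == "__main__":
    explained, unexplained = classify(NETSTAT, RPCINFO)
    print("registered with portmapper:", explained)
    print("still unexplained:", unexplained)
```

Ports left in the unexplained list are the ones to follow up with lsof run as root.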

