port mapping and lsof
Rick Stevens
ricks at nerd.com
Thu Nov 13 21:27:31 UTC 2008
gary artim wrote:
> On Thu, Nov 13, 2008 at 10:44 AM, Rick Stevens <ricks at nerd.com> wrote:
>> gary artim wrote:
>>> Hi --
>>>
>>> Periodically I get a connection between 2 hosts on port 1000. netstat,
>>> shown below, but lsof, when executed like --
>>>
>>> /usr/sbin/lsof -i TCP:1000
>>>
>>> -- shows nothing. If I execute --
>>>
>>> /usr/sbin/lsof -i -nP
>>>
>>> I get nada, see below. Anyone know what or how I can establish what
>>> this connection is? I am running nfs between
>>> the two machines. Much thanks!
>>>
>>> -- Gary
>>>
>>> # netstat -nat
>>> Active Internet connections (servers and established)
>>> Proto Recv-Q Send-Q Local Address Foreign Address
>>> State
>>> tcp 0 0 0.0.0.0:111 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 0.0.0.0:22 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 0.0.0.0:46774 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 127.0.0.1:631 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 0.0.0.0:25 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 0.0.0.0:34393 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 127.0.0.1:6010 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 127.0.0.1:6011 0.0.0.0:*
>>> LISTEN
>>> tcp 0 0 192.168.1.2:1000 192.168.1.1:59903
>>> ESTABLISHED ( ### the connection ### )
>>> tcp 0 0 127.0.0.1:25 127.0.0.1:44486
>>> TIME_WAIT
>>> tcp 0 0 192.168.1.2:991 192.168.1.1:2049
>>> ESTABLISHED
>>> tcp 0 0 :::22 :::*
>>> LISTEN
>>> tcp 0 0 :::25 :::*
>>> LISTEN
>>> tcp 0 0 ::1:6010 :::*
>>> LISTEN
>>> tcp 0 0 ::1:6011 :::*
>>> LISTEN
>>>
>>>
>>> # /usr/sbin/lsof -i -nP
>>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>>> rpcbind 1834 rpc 6u IPv4 3898 UDP *:111
>>> rpcbind 1834 rpc 7u IPv4 3902 UDP *:737
>>> rpcbind 1834 rpc 8u IPv4 3903 TCP *:111 (LISTEN)
>>> rpc.statd 1853 rpcuser 6u IPv4 3953 UDP *:757
>>> rpc.statd 1853 rpcuser 8u IPv4 3971 UDP *:40228
>>> rpc.statd 1853 rpcuser 9u IPv4 3974 TCP *:34393 (LISTEN)
>>> sshd 2182 root 3u IPv4 4954 TCP *:22 (LISTEN)
>>> sshd 2182 root 4u IPv6 4956 TCP *:22 (LISTEN)
>>> ntpd 2190 ntp 16u IPv4 4988 UDP *:123
>>> ntpd 2190 ntp 17u IPv6 4989 UDP *:123
>>> ntpd 2190 ntp 18u IPv6 4993 UDP
>>> [fe80::218:f3ff:fef6:3378]:123
>>> ntpd 2190 ntp 19u IPv6 4994 UDP [::1]:123
>>> ntpd 2190 ntp 20u IPv6 4995 UDP
>>> [fe80::218:f3ff:fef6:340e]:123
>>> ntpd 2190 ntp 21u IPv4 4996 UDP 127.0.0.1:123
>>> ntpd 2190 ntp 22u IPv4 4997 UDP 128.32.10.135:123
>>> ntpd 2190 ntp 23u IPv4 4998 UDP 192.168.1.2:123
>>> avahi-dae 2243 avahi 14u IPv4 5213 UDP *:5353
>>> avahi-dae 2243 avahi 15u IPv4 5214 UDP *:54663
>>> cupsd 2252 root 4u IPv4 5251 TCP 127.0.0.1:631
>>> (LISTEN)
>>> cupsd 2252 root 6u IPv4 5254 UDP *:631
>>> master 2428 root 12u IPv4 5775 TCP *:25 (LISTEN)
>>> master 2428 root 13u IPv6 5777 TCP *:25 (LISTEN)
>>> ....
>>> smtpd 29092 postfix 6u IPv4 5775 TCP *:25 (LISTEN)
>>> smtpd 29092 postfix 7u IPv6 5777 TCP *:25 (LISTEN)
>>> smtp 29173 postfix 12u IPv4 473909 TCP
>>> xxx.xxx.10.135:36858->209.85.217.185:25 (ESTABLISHED)
>>>
>> When that occurs, try "netstat -pn | grep :1000" and you should see
>> which program is doing it. According to /etc/services, port 1000
>> is "cadlock2". Other sources say this may be caused by a trojan.
>> ----------------------------------------------------------------------
>> - Rick Stevens, Systems Engineer ricks at nerd.com -
>> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
>> - -
>> - We look for things. Things that make us go! -
>> ----------------------------------------------------------------------
>>
> Hi Steve --
>
> Ok, I figured it out. I did both a netstat -pnat and rpcinfo -p on
> both machines and the ports match to the nfs nlockmgr. (see below),
> thanks much for your help!
>
> -- Gary
>
>
> # netstat -pnat && /usr/sbin/rpcinfo -p
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State PID/Program name
> tcp 0 0 0.0.0.0:111 0.0.0.0:*
> LISTEN 1834/rpcbind
> tcp 0 0 0.0.0.0:22 0.0.0.0:*
> LISTEN 2182/sshd
> tcp 0 0 0.0.0.0:46774 0.0.0.0:*
> LISTEN -
> tcp 0 0 127.0.0.1:631 0.0.0.0:*
> LISTEN 2252/cupsd
> tcp 0 0 0.0.0.0:25 0.0.0.0:*
> LISTEN 2428/master
> tcp 0 0 0.0.0.0:34393 0.0.0.0:*
> LISTEN 1853/rpc.statd
> tcp 0 0 127.0.0.1:6010 0.0.0.0:*
> LISTEN 27926/4
> tcp 0 0 127.0.0.1:6011 0.0.0.0:*
> LISTEN 28065/5
> ....
> tcp 0 0 192.168.1.2:1000 192.168.1.1:59903
> ESTABLISHED -
> tcp 0 0 192.168.1.2:33699 192.168.1.1:111
> TIME_WAIT -
> tcp 0 0 192.168.1.2:991 192.168.1.1:2049
> ESTABLISHED -
> tcp 0 0 :::22 :::*
> LISTEN 2182/sshd
> tcp 0 0 :::25 :::*
> LISTEN 2428/master
> tcp 0 0 ::1:6010 :::*
> LISTEN 27926/4
> tcp 0 0 ::1:6011 :::*
> LISTEN 28065/5
> program vers proto port service
> 100000 4 tcp 111 portmapper
> 100000 3 tcp 111 portmapper
> 100000 2 tcp 111 portmapper
> 100000 4 udp 111 portmapper
> 100000 3 udp 111 portmapper
> 100000 2 udp 111 portmapper
> 100000 4 0 111 portmapper
> 100000 3 0 111 portmapper
> 100000 2 0 111 portmapper
> 100024 1 udp 40228 status
> 100024 1 tcp 34393 status
> 100021 1 tcp 46774 nlockmgr
> 100021 3 tcp 46774 nlockmgr
> 100021 4 tcp 46774 nlockmgr
> # netstat -pnat && /usr/sbin/rpcinfo -p
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State PID/Program name
> tcp 0 0 0.0.0.0:2049 0.0.0.0:*
> LISTEN -
> tcp 0 0 0.0.0.0:3306 0.0.0.0:*
> LISTEN 2944/mysqld
> tcp 0 0 0.0.0.0:875 0.0.0.0:*
> LISTEN 2811/rpc.rquotad
> tcp 0 0 0.0.0.0:111 0.0.0.0:*
> LISTEN 2457/rpcbind
> tcp 0 0 0.0.0.0:22 0.0.0.0:*
> LISTEN 2787/sshd
> tcp 0 0 127.0.0.1:631 0.0.0.0:*
> LISTEN 3074/cupsd
> tcp 0 0 0.0.0.0:45847 0.0.0.0:*
> LISTEN 2476/rpc.statd
> tcp 0 0 127.0.0.1:25 0.0.0.0:*
> LISTEN 2979/sendmail: acce
> tcp 0 0 127.0.0.1:6010 0.0.0.0:*
> LISTEN 25476/3
> tcp 0 0 127.0.0.1:6011 0.0.0.0:*
> LISTEN 25724/4
> tcp 0 0 127.0.0.1:6012 0.0.0.0:*
> LISTEN 26005/6
> tcp 0 0 0.0.0.0:47967 0.0.0.0:*
> LISTEN 2858/rpc.mountd
> tcp 0 0 0.0.0.0:59903 0.0.0.0:*
> LISTEN -
> ...
> tcp 0 0 192.168.1.1:2049 192.168.1.2:991
> ESTABLISHED -
> tcp 0 0 127.0.0.1:37844 127.0.0.1:139
> ESTABLISHED 25476/3
> tcp 0 0 192.168.1.1:59903 192.168.1.2:1000
> ESTABLISHED -
> tcp 0 0 :::139 :::*
> LISTEN 3048/smbd
> tcp 0 0 :::80 :::*
> LISTEN 3010/httpd
> tcp 0 0 :::22 :::*
> LISTEN 2787/sshd
> tcp 0 0 ::1:6010 :::*
> LISTEN 25476/3
> tcp 0 0 ::1:6011 :::*
> LISTEN 25724/4
> tcp 0 0 :::443 :::*
> LISTEN 3010/httpd
> tcp 0 0 ::1:6012 :::*
> LISTEN 26005/6
> tcp 0 0 :::4444 :::*
> LISTEN 3010/httpd
> tcp 0 0 :::445 :::*
> LISTEN 3048/smbd
> ....
> program vers proto port service
> 100000 4 tcp 111 portmapper
> 100000 3 tcp 111 portmapper
> 100000 2 tcp 111 portmapper
> 100000 4 udp 111 portmapper
> 100000 3 udp 111 portmapper
> 100000 2 udp 111 portmapper
> 100000 4 0 111 portmapper
> 100000 3 0 111 portmapper
> 100000 2 0 111 portmapper
> 100024 1 udp 37582 status
> 100024 1 tcp 45847 status
> 100011 1 udp 875 rquotad
> 100011 2 udp 875 rquotad
> 100011 1 tcp 875 rquotad
> 100011 2 tcp 875 rquotad
> 100021 1 udp 57603 nlockmgr
> 100021 3 udp 57603 nlockmgr
> 100021 4 udp 57603 nlockmgr
> 100003 2 udp 2049 nfs
> 100003 3 udp 2049 nfs
> 100003 4 udp 2049 nfs
> 100021 1 tcp 59903 nlockmgr
> 100021 3 tcp 59903 nlockmgr
> 100021 4 tcp 59903 nlockmgr
> 100003 2 tcp 2049 nfs
> 100003 3 tcp 2049 nfs
> 100003 4 tcp 2049 nfs
> 100005 1 udp 50476 mountd
> 100005 1 tcp 47967 mountd
> 100005 2 udp 50476 mountd
> 100005 2 tcp 47967 mountd
> 100005 3 udp 50476 mountd
> 100005 3 tcp 47967 mountd
I see. Rather convoluted to find that, but good job!
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Do you know where _your_ towel is? -
----------------------------------------------------------------------
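The thread's answer generalises: a socket that `netstat -p` attributes to no PID (`-`) and that `lsof -i` never lists is held by the kernel rather than by a user-space process, which is exactly how the NFS lock manager (lockd) and nfsd work, and `rpcinfo -p` on the right host is what explains the port. The script below is an added example, not code from the thread or from Fedora; it parses `netstat -pnat` output from the NFS client and `rpcinfo -p` output from both hosts, and for every LISTEN or ESTABLISHED TCP socket without an owner it checks the local port against the client's RPC registrations and the peer port against the server's. The sample outputs are constructed (abbreviated from the thread's numbers, with one extra connection to `203.0.113.5:8080` made up to show the unexplained case); the function and variable names are mine.

```python
# Constructed sample outputs, modelled on the thread (NFS client 192.168.1.2
# talking to NFS server 192.168.1.1). Abbreviated, not copied verbatim; the
# 203.0.113.5 connection is invented to show a socket that nothing explains.
NETSTAT_CLIENT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1834/rpcbind
tcp        0      0 0.0.0.0:46774           0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.1.2:1000        192.168.1.1:59903       ESTABLISHED -
tcp        0      0 192.168.1.2:991         192.168.1.1:2049        ESTABLISHED -
tcp        0      0 192.168.1.2:40212       203.0.113.5:8080        ESTABLISHED -
tcp        0      0 127.0.0.1:25            127.0.0.1:44486         TIME_WAIT   -
"""

RPCINFO_CLIENT = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2     0    111  portmapper
    100024    1   tcp  34393  status
    100021    4   tcp  46774  nlockmgr
"""

RPCINFO_SERVER = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100003    4   tcp   2049  nfs
    100021    4   tcp  59903  nlockmgr
    100005    3   tcp  47967  mountd
"""


def parse_netstat(text):
    """Return the tcp rows of `netstat -pnat` output as dicts.

    The program-name column can contain spaces ("2979/sendmail: acce"), so a
    line is split into at most seven fields and the seventh keeps the rest.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        rows.append({
            "local": parts[3],
            "local_port": parts[3].rsplit(":", 1)[1],
            "foreign": parts[4],
            "foreign_port": parts[4].rsplit(":", 1)[1],
            "state": parts[5],
            "owner": parts[6] if len(parts) > 6 else "-",
        })
    return rows


def parse_rpcinfo(text):
    """Map (proto, port) -> set of service names from `rpcinfo -p` output.

    Rows whose proto column is "0" are local transports with no network
    port, so they are skipped.
    """
    services = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        _program, _vers, proto, port, service = parts
        if proto == "0":
            continue
        services.setdefault((proto, port), set()).add(service)
    return services


def triage_unowned(netstat_text, local_rpc_text, peer_rpc_text):
    """Explain LISTEN/ESTABLISHED tcp sockets that netstat attributes to no PID.

    No PID means no user-space process holds the socket; kernel threads such
    as lockd and nfsd own sockets this way, which is also why `lsof -i` shows
    nothing. The local port is checked against this host's RPC registrations
    and the peer port against the peer host's. Whatever remains unexplained
    is flagged for follow-up.
    """
    local_rpc = parse_rpcinfo(local_rpc_text)
    peer_rpc = parse_rpcinfo(peer_rpc_text)
    findings = []
    for row in parse_netstat(netstat_text):
        if row["owner"] != "-" or row["state"] not in ("LISTEN", "ESTABLISHED"):
            continue
        hits = []
        for svc in sorted(local_rpc.get(("tcp", row["local_port"]), ())):
            hits.append(f"local port {row['local_port']} is registered as {svc} here")
        for svc in sorted(peer_rpc.get(("tcp", row["foreign_port"]), ())):
            hits.append(f"peer port {row['foreign_port']} is registered as {svc} on the peer")
        findings.append({
            "local": row["local"],
            "foreign": row["foreign"],
            "state": row["state"],
            "explained": bool(hits),
            "reason": "; ".join(hits) if hits else
                      "no user-space owner and no RPC registration on either side; investigate",
        })
    return findings


def report(findings):
    """One line per unowned socket, prefixed ok/?? for explained/unexplained."""
    return "\n".join(
        f"{'ok' if f['explained'] else '??'} {f['local']} -> {f['foreign']} "
        f"({f['state']}): {f['reason']}"
        for f in findings
    )


if __name__ == "__main__":
    print(report(triage_unowned(NETSTAT_CLIENT, RPCINFO_CLIENT, RPCINFO_SERVER)))
```

On the constructed input the 192.168.1.2:1000 -> 192.168.1.1:59903 connection comes out as "peer port 59903 is registered as nlockmgr on the peer", port 991 -> 2049 as nfs, and the client's listener on 46774 as nlockmgr here; only the made-up 203.0.113.5 connection is left marked "??". The low local ports (1000, 991) are not in any rpcinfo table because they are reserved source ports the kernel RPC client picks, not registered services, so the peer-side lookup is the one that matters for the client's outbound connections. A name from /etc/services for the local port (cadlock2 for 1000) is only a registry lookup and says nothing about which code holds the socket.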