port mapping and lsof
Rick Stevens
ricks at nerd.com
Thu Nov 13 18:44:18 UTC 2008
gary artim wrote:
> Hi --
>
> Periodically I get a connection between 2 host on port 1000. netstat,
> shown below, but lsof, when executed like --
>
> /usr/sbin/lsof -i TCP:1000
>
> -- shows nothing. If i execute --
>
> /usr/sbin/lsof -i -nP
>
> I get nada, see below. Anyone know what or how I can establish what
> this connection is? I am running nfs between
> the two machines. Much thanks!
>
> -- Gary
>
> # netstat -nat
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address Foreign Address
> State
> tcp 0 0 0.0.0.0:111 0.0.0.0:*
> LISTEN
> tcp 0 0 0.0.0.0:22 0.0.0.0:*
> LISTEN
> tcp 0 0 0.0.0.0:46774 0.0.0.0:*
> LISTEN
> tcp 0 0 127.0.0.1:631 0.0.0.0:*
> LISTEN
> tcp 0 0 0.0.0.0:25 0.0.0.0:*
> LISTEN
> tcp 0 0 0.0.0.0:34393 0.0.0.0:*
> LISTEN
> tcp 0 0 127.0.0.1:6010 0.0.0.0:*
> LISTEN
> tcp 0 0 127.0.0.1:6011 0.0.0.0:*
> LISTEN
> tcp 0 0 192.168.1.2:1000 192.168.1.1:59903
> ESTABLISHED ( ### the connection ### )
> tcp 0 0 127.0.0.1:25 127.0.0.1:44486
> TIME_WAIT
> tcp 0 0 192.168.1.2:991 192.168.1.1:2049
> ESTABLISHED
> tcp 0 0 :::22 :::*
> LISTEN
> tcp 0 0 :::25 :::*
> LISTEN
> tcp 0 0 ::1:6010 :::*
> LISTEN
> tcp 0 0 ::1:6011 :::*
> LISTEN
>
>
> # /usr/sbin/lsof -i -nP
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> rpcbind 1834 rpc 6u IPv4 3898 UDP *:111
> rpcbind 1834 rpc 7u IPv4 3902 UDP *:737
> rpcbind 1834 rpc 8u IPv4 3903 TCP *:111 (LISTEN)
> rpc.statd 1853 rpcuser 6u IPv4 3953 UDP *:757
> rpc.statd 1853 rpcuser 8u IPv4 3971 UDP *:40228
> rpc.statd 1853 rpcuser 9u IPv4 3974 TCP *:34393 (LISTEN)
> sshd 2182 root 3u IPv4 4954 TCP *:22 (LISTEN)
> sshd 2182 root 4u IPv6 4956 TCP *:22 (LISTEN)
> ntpd 2190 ntp 16u IPv4 4988 UDP *:123
> ntpd 2190 ntp 17u IPv6 4989 UDP *:123
> ntpd 2190 ntp 18u IPv6 4993 UDP
> [fe80::218:f3ff:fef6:3378]:123
> ntpd 2190 ntp 19u IPv6 4994 UDP [::1]:123
> ntpd 2190 ntp 20u IPv6 4995 UDP
> [fe80::218:f3ff:fef6:340e]:123
> ntpd 2190 ntp 21u IPv4 4996 UDP 127.0.0.1:123
> ntpd 2190 ntp 22u IPv4 4997 UDP 128.32.10.135:123
> ntpd 2190 ntp 23u IPv4 4998 UDP 192.168.1.2:123
> avahi-dae 2243 avahi 14u IPv4 5213 UDP *:5353
> avahi-dae 2243 avahi 15u IPv4 5214 UDP *:54663
> cupsd 2252 root 4u IPv4 5251 TCP 127.0.0.1:631 (LISTEN)
> cupsd 2252 root 6u IPv4 5254 UDP *:631
> master 2428 root 12u IPv4 5775 TCP *:25 (LISTEN)
> master 2428 root 13u IPv6 5777 TCP *:25 (LISTEN)
> ....
> smtpd 29092 postfix 6u IPv4 5775 TCP *:25 (LISTEN)
> smtpd 29092 postfix 7u IPv6 5777 TCP *:25 (LISTEN)
> smtp 29173 postfix 12u IPv4 473909 TCP
> xxx.xxx.10.135:36858->209.85.217.185:25 (ESTABLISHED)
>
When that occurs, try "netstat -pn | grep :1000" and you should see
which program is doing it. According to /etc/services, port 1000
is "cadlock2". Other sources say this may be caused by a trojan.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- We look for things. Things that make us go! -
----------------------------------------------------------------------
More information about the fedora-list
mailing list