port mapping and lsof
gary artim
gartim at gmail.com
Thu Nov 13 19:18:09 UTC 2008
On Thu, Nov 13, 2008 at 10:44 AM, Rick Stevens <ricks at nerd.com> wrote:
> gary artim wrote:
>>
>> Hi --
>>
>> Periodically I get a connection between 2 hosts on port 1000. netstat,
>> shown below, but lsof, when executed like --
>>
>> /usr/sbin/lsof -i TCP:1000
>>
>> -- shows nothing. If I execute --
>>
>> /usr/sbin/lsof -i -nP
>>
>> I get nada, see below. Anyone know what or how I can establish what
>> this connection is? I am running nfs between
>> the two machines. Much thanks!
>>
>> -- Gary
>>
>> # netstat -nat
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address           Foreign Address         State
>> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:46774           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:34393           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN
>> tcp        0      0 192.168.1.2:1000        192.168.1.1:59903       ESTABLISHED ( ### the connection ### )
>> tcp        0      0 127.0.0.1:25            127.0.0.1:44486         TIME_WAIT
>> tcp        0      0 192.168.1.2:991         192.168.1.1:2049        ESTABLISHED
>> tcp        0      0 :::22                   :::*                    LISTEN
>> tcp        0      0 :::25                   :::*                    LISTEN
>> tcp        0      0 ::1:6010                :::*                    LISTEN
>> tcp        0      0 ::1:6011                :::*                    LISTEN
>>
>>
>> # /usr/sbin/lsof -i -nP
>> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
>> rpcbind 1834 rpc 6u IPv4 3898 UDP *:111
>> rpcbind 1834 rpc 7u IPv4 3902 UDP *:737
>> rpcbind 1834 rpc 8u IPv4 3903 TCP *:111 (LISTEN)
>> rpc.statd 1853 rpcuser 6u IPv4 3953 UDP *:757
>> rpc.statd 1853 rpcuser 8u IPv4 3971 UDP *:40228
>> rpc.statd 1853 rpcuser 9u IPv4 3974 TCP *:34393 (LISTEN)
>> sshd 2182 root 3u IPv4 4954 TCP *:22 (LISTEN)
>> sshd 2182 root 4u IPv6 4956 TCP *:22 (LISTEN)
>> ntpd 2190 ntp 16u IPv4 4988 UDP *:123
>> ntpd 2190 ntp 17u IPv6 4989 UDP *:123
>> ntpd 2190 ntp 18u IPv6 4993 UDP [fe80::218:f3ff:fef6:3378]:123
>> ntpd 2190 ntp 19u IPv6 4994 UDP [::1]:123
>> ntpd 2190 ntp 20u IPv6 4995 UDP [fe80::218:f3ff:fef6:340e]:123
>> ntpd 2190 ntp 21u IPv4 4996 UDP 127.0.0.1:123
>> ntpd 2190 ntp 22u IPv4 4997 UDP 128.32.10.135:123
>> ntpd 2190 ntp 23u IPv4 4998 UDP 192.168.1.2:123
>> avahi-dae 2243 avahi 14u IPv4 5213 UDP *:5353
>> avahi-dae 2243 avahi 15u IPv4 5214 UDP *:54663
>> cupsd 2252 root 4u IPv4 5251 TCP 127.0.0.1:631 (LISTEN)
>> cupsd 2252 root 6u IPv4 5254 UDP *:631
>> master 2428 root 12u IPv4 5775 TCP *:25 (LISTEN)
>> master 2428 root 13u IPv6 5777 TCP *:25 (LISTEN)
>> ....
>> smtpd 29092 postfix 6u IPv4 5775 TCP *:25 (LISTEN)
>> smtpd 29092 postfix 7u IPv6 5777 TCP *:25 (LISTEN)
>> smtp 29173 postfix 12u IPv4 473909 TCP xxx.xxx.10.135:36858->209.85.217.185:25 (ESTABLISHED)
>>
>
> When that occurs, try "netstat -pn | grep :1000" and you should see
> which program is doing it. According to /etc/services, port 1000
> is "cadlock2". Other sources say this may be caused by a trojan.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer ricks at nerd.com -
> - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
> - -
> - We look for things. Things that make us go! -
> ----------------------------------------------------------------------
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Thanks, I tried that (happened to notice the -p option) and get:
tcp        0      0 192.168.1.2:1000        192.168.1.1:59903       ESTABLISHED -
tcp        0      0 128.32.10.135:22        75.37.17.46:1057        ESTABLISHED 29271/sshd: gartim
tcp        0      0 192.168.1.2:991         192.168.1.1:2049        ESTABLISHED -
no program listed. I also get it on 2049, an nfs port. Is it possibly
an nfs connection?
thanks, -- Gary
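An added example, not from this thread or from either poster: `netstat -p` and `lsof` both work by matching the inode column of /proc/net/tcp against the `socket:[inode]` links under /proc/<pid>/fd. A socket created inside the kernel (the in-kernel NFS client is one such case) carries inode 0 and no process holds a descriptor for it, so `netstat -p` prints "-" and `lsof -i` shows nothing, which is exactly the symptom above. The script below reads the table directly and classifies the owner; it assumes the Linux /proc/net/tcp format (IPv4 only; /proc/net/tcp6 uses 32 hex digits per address) and runs against a constructed table modelled on the netstat output in the thread unless TABLE=/proc/net/tcp is given. `pid_for_inode` needs root to see other users' descriptors, so a non-zero inode with no match while unprivileged means "not visible to you", not "kernel".

```shell
#!/bin/sh
# Added example (not from the list thread): identify the owner of a TCP socket
# by reading /proc/net/tcp, the same source netstat -p and lsof use.
# inode 0 => socket created by the kernel, so no process will ever show up.

# Decode /proc/net/tcp's little-endian hex IPv4 address, e.g. 0201A8C0 -> 192.168.1.2
hex_to_ip() {
    h=$1
    o1=${h#??????}              # last byte of the hex string is the first octet
    t=${h%??};  o2=${t#????}
    t=${t%??};  o3=${t#??}
    o4=${h%??????}
    echo "$((0x$o1)).$((0x$o2)).$((0x$o3)).$((0x$o4))"
}

# Decode a hex address:port pair, e.g. 0201A8C0:03E8 -> 192.168.1.2:1000
hex_to_endpoint() {
    echo "$(hex_to_ip "${1%%:*}"):$((0x${1##*:}))"
}

# socket_owner FILE PORT: print state, endpoints, inode and owner class
# (kernel / process) of the first socket in FILE whose local port is PORT.
socket_owner() {
    file=$1; port=$2
    hexport=$(printf '%04X' "$port")          # ports are stored as 4 uppercase hex digits
    rec=$(awk -v p="$hexport" '
        NR > 1 { split($2, l, ":"); if (l[2] == p) { print $2, $3, $4, $10; exit } }' "$file")
    [ -n "$rec" ] || { echo "no TCP socket with local port $port"; return 1; }
    set -- $rec                               # $1 local, $2 remote, $3 state, $4 inode
    case $3 in
        01) state=ESTABLISHED ;;
        0A) state=LISTEN ;;
        *)  state="state_0x$3" ;;
    esac
    if [ "$4" = 0 ]; then owner=kernel; else owner=process; fi
    echo "$state local=$(hex_to_endpoint "$1") peer=$(hex_to_endpoint "$2") inode=$4 owner=$owner"
}

# pid_for_inode INODE: find the process holding socket:[INODE], the way lsof does.
# Run as root to see every process; prints nothing and fails for inode 0.
pid_for_inode() {
    [ "$1" != 0 ] || return 1
    for fd in /proc/[0-9]*/fd/*; do
        if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
            p=${fd#/proc/}; echo "${p%%/*}"; return 0
        fi
    done
    return 1
}

# Constructed sample table modelled on the thread's netstat output: rpcbind
# listening on 111 (owned by a process), the unexplained connection on port
# 1000 and the NFS client socket 991->2049, the latter two with inode 0.
write_sample_proc_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3903 1 0000000000000000 100 0 0 10 0
   1: 0201A8C0:03E8 0101A8C0:E9FF 01 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 20 4 30 10 -1
   2: 0201A8C0:03DF 0101A8C0:0801 01 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 20 4 30 10 -1
EOF
}

# Demo: run against the sample table; on a live host use TABLE=/proc/net/tcp.
TABLE=${TABLE:-$(mktemp)}
[ "$TABLE" = /proc/net/tcp ] || write_sample_proc_tcp "$TABLE"
for port in 111 1000 991; do
    socket_owner "$TABLE" "$port" || true
done
```

On the sample, port 111 reports `owner=process` with a real inode, while ports 1000 and 991 both report `inode=0 owner=kernel`, which is what a "-" in the netstat -p output means. When an established socket reports a non-zero inode and `pid_for_inode` still finds nothing while running as root, that is the case worth escalating, since every user-space socket should be reachable through some /proc/<pid>/fd entry.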