port mapping and lsof

gary artim gartim at gmail.com
Thu Nov 13 19:18:09 UTC 2008


On Thu, Nov 13, 2008 at 10:44 AM, Rick Stevens <ricks at nerd.com> wrote:
> gary artim wrote:
>>
>> Hi --
>>
>> Periodically I get a connection between 2 host on port 1000. netstat,
>> shown  below, but lsof, when executed like --
>>
>> /usr/sbin/lsof  -i TCP:1000
>>
>> -- shows nothing. If i execute --
>>
>> /usr/sbin/lsof -i -nP
>>
>> I get nada, see below. Anyone know what or how I can establish what
>> this connection is? I am running nfs between
>> the two machines. Much thanks!
>>
>> -- Gary
>>
>> #  netstat -nat
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address               Foreign Address
>>     State
>> tcp        0      0 0.0.0.0:111                 0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:22                  0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:46774               0.0.0.0:*
>>     LISTEN
>> tcp        0      0 127.0.0.1:631               0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:25                  0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:34393               0.0.0.0:*
>>     LISTEN
>> tcp        0      0 127.0.0.1:6010              0.0.0.0:*
>>     LISTEN
>> tcp        0      0 127.0.0.1:6011              0.0.0.0:*
>>     LISTEN
>> tcp        0      0 192.168.1.2:1000            192.168.1.1:59903
>>     ESTABLISHED       ( ### the connection ### )
>> tcp        0      0 127.0.0.1:25                127.0.0.1:44486
>>     TIME_WAIT
>> tcp        0      0 192.168.1.2:991             192.168.1.1:2049
>>     ESTABLISHED
>> tcp        0      0 :::22                       :::*
>>     LISTEN
>> tcp        0      0 :::25                       :::*
>>     LISTEN
>> tcp        0      0 ::1:6010                    :::*
>>     LISTEN
>> tcp        0      0 ::1:6011                    :::*
>>     LISTEN
>>
>>
>> # /usr/sbin/lsof -i -nP
>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE NODE NAME
>> rpcbind    1834      rpc    6u  IPv4   3898       UDP *:111
>> rpcbind    1834      rpc    7u  IPv4   3902       UDP *:737
>> rpcbind    1834      rpc    8u  IPv4   3903       TCP *:111 (LISTEN)
>> rpc.statd  1853  rpcuser    6u  IPv4   3953       UDP *:757
>> rpc.statd  1853  rpcuser    8u  IPv4   3971       UDP *:40228
>> rpc.statd  1853  rpcuser    9u  IPv4   3974       TCP *:34393 (LISTEN)
>> sshd       2182     root    3u  IPv4   4954       TCP *:22 (LISTEN)
>> sshd       2182     root    4u  IPv6   4956       TCP *:22 (LISTEN)
>> ntpd       2190      ntp   16u  IPv4   4988       UDP *:123
>> ntpd       2190      ntp   17u  IPv6   4989       UDP *:123
>> ntpd       2190      ntp   18u  IPv6   4993       UDP
>> [fe80::218:f3ff:fef6:3378]:123
>> ntpd       2190      ntp   19u  IPv6   4994       UDP [::1]:123
>> ntpd       2190      ntp   20u  IPv6   4995       UDP
>> [fe80::218:f3ff:fef6:340e]:123
>> ntpd       2190      ntp   21u  IPv4   4996       UDP 127.0.0.1:123
>> ntpd       2190      ntp   22u  IPv4   4997       UDP 128.32.10.135:123
>> ntpd       2190      ntp   23u  IPv4   4998       UDP 192.168.1.2:123
>> avahi-dae  2243    avahi   14u  IPv4   5213       UDP *:5353
>> avahi-dae  2243    avahi   15u  IPv4   5214       UDP *:54663
>> cupsd      2252     root    4u  IPv4   5251       TCP 127.0.0.1:631
>> (LISTEN)
>> cupsd      2252     root    6u  IPv4   5254       UDP *:631
>> master     2428     root   12u  IPv4   5775       TCP *:25 (LISTEN)
>> master     2428     root   13u  IPv6   5777       TCP *:25 (LISTEN)
>> ....
>> smtpd     29092  postfix    6u  IPv4   5775       TCP *:25 (LISTEN)
>> smtpd     29092  postfix    7u  IPv6   5777       TCP *:25 (LISTEN)
>> smtp      29173  postfix   12u  IPv4 473909       TCP
>> xxx.xxx.10.135:36858->209.85.217.185:25 (ESTABLISHED)
>>
>
> When that occurs, try "netstat -pn | grep :1000" and you should see
> which program is doing it.  According to /etc/services, port 1000
> is "cadlock2".  Other sources say this may be caused by a trojan.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks at nerd.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -            We look for things.  Things that make us go!            -
> ----------------------------------------------------------------------
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


Thanks, I tried that (happened to notice the -p option) and get:

tcp        0      0 192.168.1.2:1000            192.168.1.1:59903
     ESTABLISHED -
tcp        0      0 128.32.10.135:22            75.37.17.46:1057
     ESTABLISHED 29271/sshd: gartim
tcp        0      0 192.168.1.2:991             192.168.1.1:2049
     ESTABLISHED -

no program listed. I also get it on 2049, an nfs port. Is it possibly
an nfs connection?

thanks, -- Gary




More information about the fedora-list mailing list