Re: port mapping and lsof

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Nov 13, 2008 at 10:44 AM, Rick Stevens <ricks@xxxxxxxx> wrote:
> gary artim wrote:
>>
>> Hi --
>>
>> Periodically I get a connection between 2 host on port 1000. netstat,
>> shown  below, but lsof, when executed like --
>>
>> /usr/sbin/lsof  -i TCP:1000
>>
>> -- shows nothing. If i execute --
>>
>> /usr/sbin/lsof -i -nP
>>
>> I get nada, see below. Anyone know what or how I can establish what
>> this connection is? I am running nfs between
>> the two machines. Much thanks!
>>
>> -- Gary
>>
>> #  netstat -nat
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address               Foreign Address
>>     State
>> tcp        0      0 0.0.0.0:111                 0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:22                  0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:46774               0.0.0.0:*
>>     LISTEN
>> tcp        0      0 127.0.0.1:631               0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:25                  0.0.0.0:*
>>     LISTEN
>> tcp        0      0 0.0.0.0:34393               0.0.0.0:*
>>     LISTEN
>> tcp        0      0 127.0.0.1:6010              0.0.0.0:*
>>     LISTEN
>> tcp        0      0 127.0.0.1:6011              0.0.0.0:*
>>     LISTEN
>> tcp        0      0 192.168.1.2:1000            192.168.1.1:59903
>>     ESTABLISHED       ( ### the connection ### )
>> tcp        0      0 127.0.0.1:25                127.0.0.1:44486
>>     TIME_WAIT
>> tcp        0      0 192.168.1.2:991             192.168.1.1:2049
>>     ESTABLISHED
>> tcp        0      0 :::22                       :::*
>>     LISTEN
>> tcp        0      0 :::25                       :::*
>>     LISTEN
>> tcp        0      0 ::1:6010                    :::*
>>     LISTEN
>> tcp        0      0 ::1:6011                    :::*
>>     LISTEN
>>
>>
>> # /usr/sbin/lsof -i -nP
>> COMMAND     PID     USER   FD   TYPE DEVICE SIZE NODE NAME
>> rpcbind    1834      rpc    6u  IPv4   3898       UDP *:111
>> rpcbind    1834      rpc    7u  IPv4   3902       UDP *:737
>> rpcbind    1834      rpc    8u  IPv4   3903       TCP *:111 (LISTEN)
>> rpc.statd  1853  rpcuser    6u  IPv4   3953       UDP *:757
>> rpc.statd  1853  rpcuser    8u  IPv4   3971       UDP *:40228
>> rpc.statd  1853  rpcuser    9u  IPv4   3974       TCP *:34393 (LISTEN)
>> sshd       2182     root    3u  IPv4   4954       TCP *:22 (LISTEN)
>> sshd       2182     root    4u  IPv6   4956       TCP *:22 (LISTEN)
>> ntpd       2190      ntp   16u  IPv4   4988       UDP *:123
>> ntpd       2190      ntp   17u  IPv6   4989       UDP *:123
>> ntpd       2190      ntp   18u  IPv6   4993       UDP
>> [fe80::218:f3ff:fef6:3378]:123
>> ntpd       2190      ntp   19u  IPv6   4994       UDP [::1]:123
>> ntpd       2190      ntp   20u  IPv6   4995       UDP
>> [fe80::218:f3ff:fef6:340e]:123
>> ntpd       2190      ntp   21u  IPv4   4996       UDP 127.0.0.1:123
>> ntpd       2190      ntp   22u  IPv4   4997       UDP 128.32.10.135:123
>> ntpd       2190      ntp   23u  IPv4   4998       UDP 192.168.1.2:123
>> avahi-dae  2243    avahi   14u  IPv4   5213       UDP *:5353
>> avahi-dae  2243    avahi   15u  IPv4   5214       UDP *:54663
>> cupsd      2252     root    4u  IPv4   5251       TCP 127.0.0.1:631
>> (LISTEN)
>> cupsd      2252     root    6u  IPv4   5254       UDP *:631
>> master     2428     root   12u  IPv4   5775       TCP *:25 (LISTEN)
>> master     2428     root   13u  IPv6   5777       TCP *:25 (LISTEN)
>> ....
>> smtpd     29092  postfix    6u  IPv4   5775       TCP *:25 (LISTEN)
>> smtpd     29092  postfix    7u  IPv6   5777       TCP *:25 (LISTEN)
>> smtp      29173  postfix   12u  IPv4 473909       TCP
>> xxx.xxx.10.135:36858->209.85.217.185:25 (ESTABLISHED)
>>
>
> When that occurs, try "netstat -pn | grep :1000" and you should see
> which program is doing it.  According to /etc/services, port 1000
> is "cadlock2".  Other sources say this may be caused by a trojan.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -            We look for things.  Things that make us go!            -
> ----------------------------------------------------------------------
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>
Hi Steve --

Ok, I figured it out. I did both a netstat -pnat and rpcinfo -p on
both machines and the ports match to the nfs nlockmgr. (see below),
thanks much for your help!

-- Gary


# netstat -pnat &&  /usr/sbin/rpcinfo -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address
     State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*
     LISTEN      1834/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*
     LISTEN      2182/sshd
tcp        0      0 0.0.0.0:46774               0.0.0.0:*
     LISTEN      -
tcp        0      0 127.0.0.1:631               0.0.0.0:*
     LISTEN      2252/cupsd
tcp        0      0 0.0.0.0:25                  0.0.0.0:*
     LISTEN      2428/master
tcp        0      0 0.0.0.0:34393               0.0.0.0:*
     LISTEN      1853/rpc.statd
tcp        0      0 127.0.0.1:6010              0.0.0.0:*
     LISTEN      27926/4
tcp        0      0 127.0.0.1:6011              0.0.0.0:*
     LISTEN      28065/5
....
tcp        0      0 192.168.1.2:1000            192.168.1.1:59903
     ESTABLISHED -
tcp        0      0 192.168.1.2:33699           192.168.1.1:111
     TIME_WAIT   -
tcp        0      0 192.168.1.2:991             192.168.1.1:2049
     ESTABLISHED -
tcp        0      0 :::22                       :::*
     LISTEN      2182/sshd
tcp        0      0 :::25                       :::*
     LISTEN      2428/master
tcp        0      0 ::1:6010                    :::*
     LISTEN      27926/4
tcp        0      0 ::1:6011                    :::*
     LISTEN      28065/5
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4     0    111  portmapper
    100000    3     0    111  portmapper
    100000    2     0    111  portmapper
    100024    1   udp  40228  status
    100024    1   tcp  34393  status
    100021    1   tcp  46774  nlockmgr
    100021    3   tcp  46774  nlockmgr
    100021    4   tcp  46774  nlockmgr
# netstat -pnat && /usr/sbin/rpcinfo -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address
     State       PID/Program name
tcp        0      0 0.0.0.0:2049                0.0.0.0:*
     LISTEN      -
tcp        0      0 0.0.0.0:3306                0.0.0.0:*
     LISTEN      2944/mysqld
tcp        0      0 0.0.0.0:875                 0.0.0.0:*
     LISTEN      2811/rpc.rquotad
tcp        0      0 0.0.0.0:111                 0.0.0.0:*
     LISTEN      2457/rpcbind
tcp        0      0 0.0.0.0:22                  0.0.0.0:*
     LISTEN      2787/sshd
tcp        0      0 127.0.0.1:631               0.0.0.0:*
     LISTEN      3074/cupsd
tcp        0      0 0.0.0.0:45847               0.0.0.0:*
     LISTEN      2476/rpc.statd
tcp        0      0 127.0.0.1:25                0.0.0.0:*
     LISTEN      2979/sendmail: acce
tcp        0      0 127.0.0.1:6010              0.0.0.0:*
     LISTEN      25476/3
tcp        0      0 127.0.0.1:6011              0.0.0.0:*
     LISTEN      25724/4
tcp        0      0 127.0.0.1:6012              0.0.0.0:*
     LISTEN      26005/6
tcp        0      0 0.0.0.0:47967               0.0.0.0:*
     LISTEN      2858/rpc.mountd
tcp        0      0 0.0.0.0:59903               0.0.0.0:*
     LISTEN      -
...
tcp        0      0 192.168.1.1:2049            192.168.1.2:991
     ESTABLISHED -
tcp        0      0 127.0.0.1:37844             127.0.0.1:139
     ESTABLISHED 25476/3
tcp        0      0 192.168.1.1:59903           192.168.1.2:1000
     ESTABLISHED -
tcp        0      0 :::139                      :::*
     LISTEN      3048/smbd
tcp        0      0 :::80                       :::*
     LISTEN      3010/httpd
tcp        0      0 :::22                       :::*
     LISTEN      2787/sshd
tcp        0      0 ::1:6010                    :::*
     LISTEN      25476/3
tcp        0      0 ::1:6011                    :::*
     LISTEN      25724/4
tcp        0      0 :::443                      :::*
     LISTEN      3010/httpd
tcp        0      0 ::1:6012                    :::*
     LISTEN      26005/6
tcp        0      0 :::4444                     :::*
     LISTEN      3010/httpd
tcp        0      0 :::445                      :::*
     LISTEN      3048/smbd
....
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4     0    111  portmapper
    100000    3     0    111  portmapper
    100000    2     0    111  portmapper
    100024    1   udp  37582  status
    100024    1   tcp  45847  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100021    1   udp  57603  nlockmgr
    100021    3   udp  57603  nlockmgr
    100021    4   udp  57603  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   tcp  59903  nlockmgr
    100021    3   tcp  59903  nlockmgr
    100021    4   tcp  59903  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  50476  mountd
    100005    1   tcp  47967  mountd
    100005    2   udp  50476  mountd
    100005    2   tcp  47967  mountd
    100005    3   udp  50476  mountd
    100005    3   tcp  47967  mountd

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux