On Thu, Nov 13, 2008 at 10:44 AM, Rick Stevens <ricks@xxxxxxxx> wrote:
> gary artim wrote:
>>
>> Hi --
>>
>> Periodically I get a connection between 2 hosts on port 1000. netstat,
>> shown below, but lsof, when executed like --
>>
>> /usr/sbin/lsof -i TCP:1000
>>
>> -- shows nothing. If I execute --
>>
>> /usr/sbin/lsof -i -nP
>>
>> I get nada, see below. Anyone know what or how I can establish what
>> this connection is? I am running nfs between the two machines.
>> Much thanks!
>>
>> -- Gary
>>
>> # netstat -nat
>> Active Internet connections (servers and established)
>> Proto Recv-Q Send-Q Local Address           Foreign Address         State
>> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:46774           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
>> tcp        0      0 0.0.0.0:34393           0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
>> tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN
>> tcp        0      0 192.168.1.2:1000        192.168.1.1:59903       ESTABLISHED ( ### the connection ### )
>> tcp        0      0 127.0.0.1:25            127.0.0.1:44486         TIME_WAIT
>> tcp        0      0 192.168.1.2:991         192.168.1.1:2049        ESTABLISHED
>> tcp        0      0 :::22                   :::*                    LISTEN
>> tcp        0      0 :::25                   :::*                    LISTEN
>> tcp        0      0 ::1:6010                :::*                    LISTEN
>> tcp        0      0 ::1:6011                :::*                    LISTEN
>>
>>
>> # /usr/sbin/lsof -i -nP
>> COMMAND     PID USER     FD   TYPE DEVICE SIZE NODE NAME
>> rpcbind    1834 rpc       6u  IPv4   3898       UDP *:111
>> rpcbind    1834 rpc       7u  IPv4   3902       UDP *:737
>> rpcbind    1834 rpc       8u  IPv4   3903       TCP *:111 (LISTEN)
>> rpc.statd  1853 rpcuser   6u  IPv4   3953       UDP *:757
>> rpc.statd  1853 rpcuser   8u  IPv4   3971       UDP *:40228
>> rpc.statd  1853 rpcuser   9u  IPv4   3974       TCP *:34393 (LISTEN)
>> sshd       2182 root      3u  IPv4   4954       TCP *:22 (LISTEN)
>> sshd       2182 root      4u  IPv6   4956       TCP *:22 (LISTEN)
>> ntpd       2190 ntp      16u  IPv4   4988       UDP *:123
>> ntpd       2190 ntp      17u  IPv6   4989       UDP *:123
>> ntpd       2190 ntp      18u  IPv6   4993       UDP [fe80::218:f3ff:fef6:3378]:123
>> ntpd       2190 ntp      19u  IPv6   4994       UDP [::1]:123
>> ntpd       2190 ntp      20u  IPv6   4995       UDP [fe80::218:f3ff:fef6:340e]:123
>> ntpd       2190 ntp      21u  IPv4   4996       UDP 127.0.0.1:123
>> ntpd       2190 ntp      22u  IPv4   4997       UDP 128.32.10.135:123
>> ntpd       2190 ntp      23u  IPv4   4998       UDP 192.168.1.2:123
>> avahi-dae  2243 avahi    14u  IPv4   5213       UDP *:5353
>> avahi-dae  2243 avahi    15u  IPv4   5214       UDP *:54663
>> cupsd      2252 root      4u  IPv4   5251       TCP 127.0.0.1:631 (LISTEN)
>> cupsd      2252 root      6u  IPv4   5254       UDP *:631
>> master     2428 root     12u  IPv4   5775       TCP *:25 (LISTEN)
>> master     2428 root     13u  IPv6   5777       TCP *:25 (LISTEN)
>> ....
>> smtpd     29092 postfix   6u  IPv4   5775       TCP *:25 (LISTEN)
>> smtpd     29092 postfix   7u  IPv6   5777       TCP *:25 (LISTEN)
>> smtp      29173 postfix  12u  IPv4 473909       TCP xxx.xxx.10.135:36858->209.85.217.185:25 (ESTABLISHED)
>>
>
> When that occurs, try "netstat -pn | grep :1000" and you should see
> which program is doing it. According to /etc/services, port 1000
> is "cadlock2". Other sources say this may be caused by a trojan.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer                      ricks@xxxxxxxx -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -             We look for things.  Things that make us go!          -
> ----------------------------------------------------------------------
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
> Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>

Hi Steve --

Ok, I figured it out. I did both a netstat -pnat and rpcinfo -p on both
machines and the ports match to the nfs nlockmgr. (see below), thanks
much for your help!
-- Gary

# netstat -pnat && /usr/sbin/rpcinfo -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1834/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2182/sshd
tcp        0      0 0.0.0.0:46774           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2252/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2428/master
tcp        0      0 0.0.0.0:34393           0.0.0.0:*               LISTEN      1853/rpc.statd
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      27926/4
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      28065/5
....
tcp        0      0 192.168.1.2:1000        192.168.1.1:59903       ESTABLISHED -
tcp        0      0 192.168.1.2:33699       192.168.1.1:111         TIME_WAIT   -
tcp        0      0 192.168.1.2:991         192.168.1.1:2049        ESTABLISHED -
tcp        0      0 :::22                   :::*                    LISTEN      2182/sshd
tcp        0      0 :::25                   :::*                    LISTEN      2428/master
tcp        0      0 ::1:6010                :::*                    LISTEN      27926/4
tcp        0      0 ::1:6011                :::*                    LISTEN      28065/5
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4     0    111  portmapper
    100000    3     0    111  portmapper
    100000    2     0    111  portmapper
    100024    1   udp  40228  status
    100024    1   tcp  34393  status
    100021    1   tcp  46774  nlockmgr
    100021    3   tcp  46774  nlockmgr
    100021    4   tcp  46774  nlockmgr

# netstat -pnat && /usr/sbin/rpcinfo -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2944/mysqld
tcp        0      0 0.0.0.0:875             0.0.0.0:*               LISTEN      2811/rpc.rquotad
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2457/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2787/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      3074/cupsd
tcp        0      0 0.0.0.0:45847           0.0.0.0:*               LISTEN      2476/rpc.statd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2979/sendmail: acce
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      25476/3
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      25724/4
tcp        0      0 127.0.0.1:6012          0.0.0.0:*               LISTEN      26005/6
tcp        0      0 0.0.0.0:47967           0.0.0.0:*               LISTEN      2858/rpc.mountd
tcp        0      0 0.0.0.0:59903           0.0.0.0:*               LISTEN      -
...
tcp        0      0 192.168.1.1:2049        192.168.1.2:991         ESTABLISHED -
tcp        0      0 127.0.0.1:37844         127.0.0.1:139           ESTABLISHED 25476/3
tcp        0      0 192.168.1.1:59903       192.168.1.2:1000        ESTABLISHED -
tcp        0      0 :::139                  :::*                    LISTEN      3048/smbd
tcp        0      0 :::80                   :::*                    LISTEN      3010/httpd
tcp        0      0 :::22                   :::*                    LISTEN      2787/sshd
tcp        0      0 ::1:6010                :::*                    LISTEN      25476/3
tcp        0      0 ::1:6011                :::*                    LISTEN      25724/4
tcp        0      0 :::443                  :::*                    LISTEN      3010/httpd
tcp        0      0 ::1:6012                :::*                    LISTEN      26005/6
tcp        0      0 :::4444                 :::*                    LISTEN      3010/httpd
tcp        0      0 :::445                  :::*                    LISTEN      3048/smbd
....
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100000    4     0    111  portmapper
    100000    3     0    111  portmapper
    100000    2     0    111  portmapper
    100024    1   udp  37582  status
    100024    1   tcp  45847  status
    100011    1   udp    875  rquotad
    100011    2   udp    875  rquotad
    100011    1   tcp    875  rquotad
    100011    2   tcp    875  rquotad
    100021    1   udp  57603  nlockmgr
    100021    3   udp  57603  nlockmgr
    100021    4   udp  57603  nlockmgr
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   tcp  59903  nlockmgr
    100021    3   tcp  59903  nlockmgr
    100021    4   tcp  59903  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp  50476  mountd
    100005    1   tcp  47967  mountd
    100005    2   udp  50476  mountd
    100005    2   tcp  47967  mountd
    100005    3   udp  50476  mountd
    100005    3   tcp  47967  mountd
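
The manual check described in the reply above (matching process-less `netstat -pnat` rows against `rpcinfo -p` from both machines) can be scripted. This is an added example, not part of the original thread; the helper name `label_kernel_sockets` and the `@@` section separator are assumptions of this sketch, and the sample input is constructed by condensing the output posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: label TCP rows that "netstat -pnat"
# lists with no owning process ("-") using "rpcinfo -p" from both hosts.

# Constructed sample input, condensed from the output posted in the thread
# (192.168.1.2 is the NFS client, 192.168.1.1 the NFS server).
NETSTAT_CLIENT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2182/sshd
tcp 0 0 0.0.0.0:46774 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.2:1000 192.168.1.1:59903 ESTABLISHED -
tcp 0 0 192.168.1.2:991 192.168.1.1:2049 ESTABLISHED -'
RPCINFO_CLIENT='program vers proto port service
100000 4 tcp 111 portmapper
100021 4 tcp 46774 nlockmgr'
RPCINFO_SERVER='program vers proto port service
100021 4 tcp 59903 nlockmgr
100003 4 tcp 2049 nfs'

# label_kernel_sockets NETSTAT LOCAL_RPCINFO PEER_RPCINFO  (hypothetical helper)
# Prints "local foreign state label" for each tcp row whose last column is "-".
label_kernel_sockets() {
    # Feed awk three sections separated by "@@": local RPC table, peer RPC
    # table, then the netstat rows to label.
    printf '%s\n@@\n%s\n@@\n%s\n' "$2" "$3" "$1" | awk '
        BEGIN { part = 0 }
        $0 == "@@" { part++; next }
        part < 2 {                      # 0 = local rpcinfo, 1 = peer rpcinfo
            if ($3 == "tcp" && $4 ~ /^[0-9]+$/) svc[part, $4] = $5
            next
        }
        $1 ~ /^tcp/ && $NF == "-" {     # netstat row with no PID/program
            n = split($4, l, ":"); lport = l[n]
            n = split($5, f, ":"); fport = f[n]
            if ((0, lport) in svc)      label = "local:" svc[0, lport]
            else if ((1, fport) in svc) label = "peer:" svc[1, fport]
            else                        label = "UNEXPLAINED"
            print $4, $5, $6, label
        }'
}

label_kernel_sockets "$NETSTAT_CLIENT" "$RPCINFO_CLIENT" "$RPCINFO_SERVER"
```

Run netstat as root so that "-" in the PID column means the socket has no owning process; any row labelled UNEXPLAINED is the one left to investigate.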