[CentOS] process identification

Fri Sep 19 15:07:07 UTC 2014
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Fri, September 19, 2014 9:59 am, Valeri Galtsev wrote:
>
> On Fri, September 19, 2014 9:14 am, kqt4at5v at gmail.com wrote:
>> On Fri, 19 Sep 2014, Reindl Harald wrote:
>>
>>>
>>> Am 19.09.2014 um 15:58 schrieb kqt4at5v at gmail.com:
>>>> On Fri, 19 Sep 2014, Reindl Harald wrote:
>>>>
>>>>> Am 19.09.2014 um 15:45 schrieb kqt4at5v at gmail.com:
>>>>>> I am running CentOS 6.5. I know this is not a CentOS specific
>>>>>> problem.
>>>>>> Netstat shows several open ports and no pid.
>>>>>>
>>>>>> tcp    0  0 *:48720                 *:*                 LISTEN      -
>>>>>> tcp    0  0 *:43422                 *:*                 LISTEN      -
>>>>>> udp    0  0 *:50216                 *:*
>>>>>
>>>>> alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
>>>>>        /bin/netstat
>>>>>
>>>>> [root at openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
>>>>> Aktive Internetverbindungen (Nur Server)
>>>>> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
>>>>> tcp        0      0 127.0.0.1:9390              0.0.0.0:*                   LISTEN      5454/openvasmd
>>>>> tcp        0      0 127.0.0.1:9391              0.0.0.0:*                   LISTEN      5473/openvassd
>>>>> tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      5438/gsad
>>>>> tcp        0      0 0.0.0.0:10022               0.0.0.0:*                   LISTEN      1177/sshd
>>>>
>>>> This netstat shows exactly the same
>>>
>>> boah then call it as root, for an unprivileged user it shows only the
>>> executable and PID of its own processes, for good reasons
>>>
>>>> Lsof does not show these ports
>>>
>>> because you just have no permissions
>>>
>>>
>>
>> My bad, I should have said. My original commands were
>> sudo netstat -tulpn | less
>> sudo lsof | less
>> I have several CentOS 6.5 machines and only one shows these odd ports.
>> I have also run chkrootkit and used clamscan to check the filesystems.
>> It may be harmless but my curiosity is killing me.
>>
>
> Just a side note: on a [suspected] compromised machine you cannot trust the
> output of any command. Say I'd like to know which ports are open
> (listening on _external_ interfaces). I would scan that box from an external
> machine: turn off the firewall on the box in question, make sure the firewall on
> the box you are scanning from is not restricting outgoing traffic, then
> from the external box scan the box in question (make sure network switches are
> not filtering anything), e.g. [as root; or add sudo in front of the commands]:
>
> nmap -p 1- host.example.com
> nmap -p U:1- host.example.com
>
> then you can compare these with what the internal commands (netstat, lsof)
> give you on the suspect box, and you will know if the box is hiding open ports
> from you (then it is a solid suspect). There may be a weird situation if you
> only use internal commands for comparison: the box showing fewer
> open ports (which you may consider the clean reference box) is in fact
> compromised and is hiding information from you. Paranoia here is your
> friend.
>

One more side note: when checking open ports using internal commands, make
sure to stop the firewall (iptables) first.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
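The external-versus-internal comparison Valeri describes, written out as an added example (not code from the thread): it parses constructed sample output of `nmap -oG -` (nmap's real grepable-output flag) and `netstat -tulpn`, embedded inline, and reports ports the external scan sees that the box's own netstat does not list. The host name and the 192.0.2.10 address are placeholders; the sample mirrors the thread's port 48720 showing up with no owning process.

```shell
#!/bin/sh
# Added example: ports open in an external nmap scan but missing from the
# suspect box's own netstat listing are the ones a rootkit would be hiding.

# Constructed sample of 'nmap -p 1- -oG - host.example.com' (grepable output)
NMAP_OUT='# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (host.example.com) Status: Up
Host: 192.0.2.10 (host.example.com) Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 48720/open/tcp//unknown///, 50216/open/udp//unknown/// Ignored State: closed (65532)
# Nmap done'

# Constructed sample of 'netstat -tulpn' as run on the suspect box itself
NETSTAT_OUT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1177/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5438/gsad
udp 0 0 0.0.0.0:50216 0.0.0.0:* -'

# external_open_ports: "proto port" per open port in nmap grepable output
external_open_ports() {
  printf '%s\n' "$1" | awk -F'Ports: ' '/Ports: / {
    s = $2; sub(/[[:space:]]+Ignored State.*/, "", s)   # drop the trailer
    n = split(s, p, ", ")                                # one entry per port
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")                                # port/state/proto/...
      if (f[2] == "open") print f[3], f[1]
    }
  }' | sort -u
}

# internal_listeners: "proto port" per socket in netstat -tulpn output
internal_listeners() {
  printf '%s\n' "$1" | awk '$1 ~ /^(tcp|udp)6?$/ {
    n = split($4, a, ":")                                # last field is the port
    print substr($1, 1, 3), a[n]
  }' | sort -u
}

# hidden_ports: seen from outside, absent from the box's own listing
hidden_ports() {
  ext=$(external_open_ports "$1"); int=$(internal_listeners "$2")
  printf '%s\n' "$ext" | while read -r proto port; do
    printf '%s\n' "$int" | grep -qx "$proto $port" || echo "$proto $port"
  done
}

hidden_ports "$NMAP_OUT" "$NETSTAT_OUT"
```

In a real run, replace the two constants with the captured nmap output from the scanning host and the netstat output from the suspect box; any line printed is a listener the box is not admitting to.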