On Fri, September 19, 2014 9:14 am, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
Am 19.09.2014 um 15:58 schrieb kqt4at5v@gmail.com:
On Fri, 19 Sep 2014, Reindl Harald wrote:
Am 19.09.2014 um 15:45 schrieb kqt4at5v@gmail.com:
I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.
tcp 0 0 *:48720 *:* LISTEN - tcp 0 0 *:43422 *:* LISTEN - udp 0 0 *:50216 *:*
alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t' /bin/netstat
[root@openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l Aktive Internetverbindungen (Nur Server) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:9390 0.0.0.0:* LISTEN 5454/openvasmd tcp 0 0 127.0.0.1:9391 0.0.0.0:* LISTEN 5473/openvassd tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5438/gsad tcp 0 0 0.0.0.0:10022 0.0.0.0:* LISTEN 1177/sshd
This netstat show exactly the same
boah then call it as root, for a unprivileged user it shows only executeable and PID of own processes for good reasons
Lsof does not show these ports
because you just have no permissions
My bad I should have said. My original commands were sudo netstat -tulpn | less sudo lsof | less I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.
Just a side note: on [suspected] compromised machine you can not trust any output of any commands. Say, I'd like to know which ports are open (listening to _external_ interfaces). I would scan that box from external machine: turn off firewall on the box in question, make sure firewall on the box you are scanning it from is not restricting outgoing traffic, then from external box scan the box in question (make sure network switches are not filtering anything), e.g.[as root; or add sudo in front of commands]:
nmap -p 1- host.example.com nmap -p U:1- host.example.com
then you can compare these with what internal commands (netstat, lsof) give you on suspect box and you will know if the box is hiding open ports from you (then it is solid suspect). There may be weird situation if you only use internal commands for comparison: the box showing less number of open ports (which you may consider clean reference box) is in fact compromised and is hiding information from you. Paranoia here is your friend.
Good luck!
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++