On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:58, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:45, kqt4at5v@gmail.com wrote:
I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.
tcp 0 0 *:48720 *:* LISTEN -
tcp 0 0 *:43422 *:* LISTEN -
udp 0 0 *:50216 *:*
alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
/bin/netstat
[root@openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      5454/openvasmd
tcp        0      0 127.0.0.1:9391          0.0.0.0:*               LISTEN      5473/openvassd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5438/gsad
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN      1177/sshd
This netstat shows exactly the same.
boah, then call it as root; for an unprivileged user it shows only the executable and PID of its own processes, for good reasons
Lsof does not show these ports
because you just have no permissions
My bad, I should have said. My original commands were
sudo netstat -tulpn | less
sudo lsof | less
I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.
lsof -i -P | grep LISTEN
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of kqt4at5v@gmail.com
Sent: Friday, 19 September 2014 11:15
To: CentOS mailing list
Subject: Re: [CentOS] process identification
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:58, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:45, kqt4at5v@gmail.com wrote:
I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.
tcp 0 0 *:48720 *:* LISTEN -
tcp 0 0 *:43422 *:* LISTEN -
udp 0 0 *:50216 *:*
alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
/bin/netstat
[root@openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      5454/openvasmd
tcp        0      0 127.0.0.1:9391          0.0.0.0:*               LISTEN      5473/openvassd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5438/gsad
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN      1177/sshd
This netstat shows exactly the same.
boah, then call it as root; for an unprivileged user it shows only the executable and PID of its own processes, for good reasons
Lsof does not show these ports
because you just have no permissions
My bad, I should have said. My original commands were
sudo netstat -tulpn | less
sudo lsof | less
I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
On Fri, 19 Sep 2014, Francisco Puente wrote:
lsof -i -P | grep LISTEN
Returns none of the questionable ports
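The "-" in the PID column that the whole thread turns on comes from how netstat -p and lsof attribute sockets: they take each socket's inode from /proc/net/tcp and look for a matching socket:[inode] link under /proc/<pid>/fd. If no process the caller may inspect holds that inode, the column stays "-" (which is why an unprivileged run hides other users' daemons, and why in-kernel services such as the NFS lock manager show no PID even for root). The script below is an added example, not code from the list or from the net-tools project; it rebuilds that lookup over constructed /proc excerpts so it runs offline, and live_fd_map() shows how to feed it real data on a Linux box (assumption: the standard /proc layout).

```shell
#!/bin/sh
# Added example (not from the thread): reproduce netstat -p's socket-to-process
# lookup. Listener inodes come from /proc/net/tcp, owners from the
# socket:[inode] links under /proc/<pid>/fd. A listener whose inode no process
# holds is what netstat prints as "-".

# Constructed /proc/net/tcp excerpt. Addresses and ports are hex, st 0A means
# LISTEN, and the inode is the 10th whitespace-separated field.
PROC_NET_TCP_SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11803 1 0000000000000000 100 0 0 10 0
   1: 0100007F:24AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20415 1 0000000000000000 100 0 0 10 0
   2: 00000000:BE50 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9021 1 0000000000000000 100 0 0 10 0
   3: 00000000:0016 0A000001:C3E8 01 00000000:00000000 00:00000000 00000000     0        0 30000 1 0000000000000000 100 0 0 10 0'

# Constructed "pid socket:[inode]" lines, the shape live_fd_map() produces.
# Inode 9021 is deliberately owned by nobody.
FD_SAMPLE='1177 socket:[11803]
5454 socket:[20415]
1177 socket:[30000]'

# Print "port inode" for each LISTEN entry, converting the hex port to decimal.
listen_inodes() {
    printf '%s\n' "$1" | awk '
        $1 != "sl" && $4 == "0A" {
            split($2, a, ":")
            hex = toupper(a[2]); port = 0
            for (i = 1; i <= length(hex); i++)
                port = port * 16 + index("0123456789ABCDEF", substr(hex, i, 1)) - 1
            print port, $10
        }'
}

# Join "port inode" lines ($1) with "pid socket:[inode]" lines ($2):
# prints "port pid", or "port -" when no fd references the inode.
attribute_listeners() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
        /^---$/ { phase = 1; next }
        phase == 0 {
            if (match($0, /socket:\[[0-9]+\]/))
                owner[substr($0, RSTART + 8, RLENGTH - 9)] = $1
            next
        }
        { o = ($2 in owner) ? owner[$2] : "-"; print $1, o }'
}

# Listening ports that no process on the box claims.
unowned_listeners() {
    attribute_listeners "$(listen_inodes "$1")" "$2" | awk '$2 == "-" { print $1 }'
}

# Live data source (needs root to see every process): emits "pid socket:[inode]".
live_fd_map() {
    for d in /proc/[0-9]*/fd; do
        pid=${d#/proc/}; pid=${pid%/fd}
        for f in "$d"/*; do
            t=$(readlink "$f" 2>/dev/null) || continue
            case $t in socket:*) echo "$pid $t" ;; esac
        done
    done
}

echo "listener ownership (constructed data):"
attribute_listeners "$(listen_inodes "$PROC_NET_TCP_SAMPLE")" "$FD_SAMPLE"
echo "unowned listening ports:"
unowned_listeners "$PROC_NET_TCP_SAMPLE" "$FD_SAMPLE"
# On a live box:  unowned_listeners "$(cat /proc/net/tcp)" "$(live_fd_map)"
```

An unowned listener is not by itself a compromise indicator; the point of the check is that it tells you which case you are in. Run as root, an unowned port is either kernel-held (compare it with what rpcinfo and the NFS services on that host use) or belongs to something that is not visible through /proc, and only the second case needs the external comparison that follows later in the thread.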
On Fri, September 19, 2014 9:14 am, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:58, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:45, kqt4at5v@gmail.com wrote:
I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.
tcp 0 0 *:48720 *:* LISTEN -
tcp 0 0 *:43422 *:* LISTEN -
udp 0 0 *:50216 *:*
alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
/bin/netstat
[root@openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      5454/openvasmd
tcp        0      0 127.0.0.1:9391          0.0.0.0:*               LISTEN      5473/openvassd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5438/gsad
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN      1177/sshd
This netstat shows exactly the same.
boah, then call it as root; for an unprivileged user it shows only the executable and PID of its own processes, for good reasons
Lsof does not show these ports
because you just have no permissions
My bad, I should have said. My original commands were
sudo netstat -tulpn | less
sudo lsof | less
I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.
Just a side note: on a [suspected] compromised machine you cannot trust any output of any command. Say I'd like to know which ports are open (listening on _external_ interfaces). I would scan that box from an external machine: turn off the firewall on the box in question, make sure the firewall on the box you are scanning from is not restricting outgoing traffic, then from the external box scan the box in question (make sure network switches are not filtering anything), e.g. [as root; or add sudo in front of the commands]:
nmap -p 1- host.example.com
nmap -p U:1- host.example.com
then you can compare these with what the internal commands (netstat, lsof) give you on the suspect box and you will know if the box is hiding open ports from you (then it is a solid suspect). There may be a weird situation if you only use internal commands for comparison: the box showing the smaller number of open ports (which you may consider the clean reference box) is in fact compromised and is hiding information from you. Paranoia here is your friend.
Good luck!
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev wrote:
On Fri, September 19, 2014 9:14 am, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:58, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:45, kqt4at5v@gmail.com wrote:
I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.
tcp 0 0 *:48720 *:* LISTEN
tcp 0 0 *:43422 *:* LISTEN -
udp 0 0 *:50216 *:*
alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
/bin/netstat
[root@openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      5454/openvasmd
tcp        0      0 127.0.0.1:9391          0.0.0.0:*               LISTEN      5473/openvassd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5438/gsad
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN      1177/sshd
This netstat shows exactly the same.
<snip>
My bad, I should have said. My original commands were
sudo netstat -tulpn | less
sudo lsof | less
I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.
<snip>
Here's a suggestion: look at /etc/sysconfig/iptables. Make sure that it looks the way it's supposed to. Then you could put in a rule to kill one or more of those questionable ports, and service iptables restart, and see what happens.
mark
On Fri, September 19, 2014 9:59 am, Valeri Galtsev wrote:
On Fri, September 19, 2014 9:14 am, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:58, kqt4at5v@gmail.com wrote:
On Fri, 19 Sep 2014, Reindl Harald wrote:
On 19.09.2014 at 15:45, kqt4at5v@gmail.com wrote:
I am running CentOS 6.5. I know this is not a CentOS specific problem. Netstat shows several open ports and no pid.
tcp 0 0 *:48720 *:* LISTEN
tcp 0 0 *:43422 *:* LISTEN -
udp 0 0 *:50216 *:*
alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
/bin/netstat
[root@openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      5454/openvasmd
tcp        0      0 127.0.0.1:9391          0.0.0.0:*               LISTEN      5473/openvassd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5438/gsad
tcp        0      0 0.0.0.0:10022           0.0.0.0:*               LISTEN      1177/sshd
This netstat shows exactly the same.
boah, then call it as root; for an unprivileged user it shows only the executable and PID of its own processes, for good reasons
Lsof does not show these ports
because you just have no permissions
My bad, I should have said. My original commands were
sudo netstat -tulpn | less
sudo lsof | less
I have several CentOS 6.5 machines and only one shows these odd ports. I have also run chkrootkit and used clamscan to check filesystems. It may be harmless but my curiosity is killing me.
Just a side note: on a [suspected] compromised machine you cannot trust any output of any command. Say I'd like to know which ports are open (listening on _external_ interfaces). I would scan that box from an external machine: turn off the firewall on the box in question, make sure the firewall on the box you are scanning from is not restricting outgoing traffic, then from the external box scan the box in question (make sure network switches are not filtering anything), e.g. [as root; or add sudo in front of the commands]:
nmap -p 1- host.example.com
nmap -p U:1- host.example.com
then you can compare these with what the internal commands (netstat, lsof) give you on the suspect box and you will know if the box is hiding open ports from you (then it is a solid suspect). There may be a weird situation if you only use internal commands for comparison: the box showing the smaller number of open ports (which you may consider the clean reference box) is in fact compromised and is hiding information from you. Paranoia here is your friend.
One more side note: when checking open ports using internal commands, make sure to stop the firewall (iptables).
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
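Valeri's two messages above describe the same comparison: take the listener list the box gives about itself and set it against what a scan from a second machine sees, and treat any port reachable from outside but absent from the internal listing as evidence that the box is hiding sockets. The script below is an added example that is not part of the list thread or of any tool it mentions; it automates that comparison over constructed netstat and nmap output so it runs offline, and the comments show where real command output (netstat -tulpn on the suspect box, the nmap runs from another box, with the firewalls down as Valeri says) goes instead.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the listeners a box reports
# about itself (netstat -tulpn) against what an external nmap scan of that box
# sees. Both samples below are constructed for the demo, not taken from the
# poster's machine; on a live box replace them with real command output, e.g.
#   NETSTAT_SAMPLE=$(netstat -tulpn)            # run on the suspect box
#   NMAP_SAMPLE=$(nmap -p 1- host.example.com)  # run from another box

# Constructed: internal view. The last column is "-" when netstat found no
# process owning the socket.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1177/sshd
tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      5454/openvasmd
tcp        0      0 0.0.0.0:48720           0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:50216           0.0.0.0:*                           -'

# Constructed: external view, the port table of a TCP nmap run. Port 12345 is
# planted here to stand for a listener the internal listing never mentioned.
NMAP_SAMPLE='PORT      STATE SERVICE
22/tcp    open  ssh
12345/tcp open  unknown
48720/tcp open  unknown'

# Print "proto/port owner" for every tcp/udp listener in netstat output; owner
# is "pid" when a PID/Program name was resolved and "nopid" when it was "-".
netstat_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":")
            o = ($NF == "-") ? "nopid" : "pid"
            print substr($1, 1, 3) "/" a[n], o
        }' | sort -u
}

# Listeners netstat could not attribute to a process.
nopid_listeners() {
    netstat_listeners "$1" | awk '$2 == "nopid" { print $1 }'
}

# Print "proto/port" for every port nmap reports as open.
nmap_open() {
    printf '%s\n' "$1" | awk '
        $2 == "open" { split($1, a, "/"); print a[2] "/" a[1] }' | sort -u
}

# Ports reachable from outside that the internal listing does not show at all.
# Anything printed here means the box is misreporting its own sockets (or the
# two listings were not taken from the same host).
hidden_ports() {
    internal=$(netstat_listeners "$1" | awk '{ print $1 }' | tr '\n' ' ')
    for p in $(nmap_open "$2"); do
        case " $internal " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

echo "listeners with no PID (internal view):"
nopid_listeners "$NETSTAT_SAMPLE"
echo "open from outside but absent from the internal view:"
hidden_ports "$NETSTAT_SAMPLE" "$NMAP_SAMPLE"
```

The comparison is deliberately one-directional: a port in the internal listing that the scan does not see is normal (bound to 127.0.0.1, or filtered somewhere on the path), so only the reverse case is reported. A port that appears in both lists but with "nopid" internally, like 48720 in the sample, is the situation the original poster is in, and is a different, weaker signal than a port missing from the internal view entirely.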