On Fri, September 19, 2014 9:59 am, Valeri Galtsev wrote:
>
> On Fri, September 19, 2014 9:14 am, kqt4at5v at gmail.com wrote:
>> On Fri, 19 Sep 2014, Reindl Harald wrote:
>>
>>> On 19.09.2014 at 15:58, kqt4at5v at gmail.com wrote:
>>>> On Fri, 19 Sep 2014, Reindl Harald wrote:
>>>>
>>>>> On 19.09.2014 at 15:45, kqt4at5v at gmail.com wrote:
>>>>>> I am running CentOS 6.5. I know this is not a CentOS-specific
>>>>>> problem.
>>>>>> Netstat shows several open ports and no pid.
>>>>>>
>>>>>> tcp 0 0 *:48720 *:* LISTEN -
>>>>>> tcp 0 0 *:43422 *:* LISTEN -
>>>>>> udp 0 0 *:50216 *:*
>>>>>
>>>>> alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
>>>>> /bin/netstat
>>>>>
>>>>> [root at openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
>>>>> Aktive Internetverbindungen (Nur Server)
>>>>> Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
>>>>> tcp    0      0      127.0.0.1:9390   0.0.0.0:*        LISTEN  5454/openvasmd
>>>>> tcp    0      0      127.0.0.1:9391   0.0.0.0:*        LISTEN  5473/openvassd
>>>>> tcp    0      0      0.0.0.0:443      0.0.0.0:*        LISTEN  5438/gsad
>>>>> tcp    0      0      0.0.0.0:10022    0.0.0.0:*        LISTEN  1177/sshd
>>>>
>>>> This netstat shows exactly the same
>>>
>>> boah, then call it as root; for an unprivileged user it shows only the
>>> executable and PID of its own processes, for good reasons
>>>
>>>> Lsof does not show these ports
>>>
>>> because you just have no permissions
>>>
>>
>> My bad, I should have said. My original commands were
>> sudo netstat -tulpn | less
>> sudo lsof | less
>> I have several CentOS 6.5 machines and only one shows these odd ports.
>> I have also run chkrootkit and used clamscan to check filesystems.
>> It may be harmless but my curiosity is killing me.
>>
>
> Just a side note: on a [suspected] compromised machine you cannot trust any
> output of any commands. Say, I'd like to know which ports are open
> (listening on _external_ interfaces). I would scan that box from an external
> machine: turn off the firewall on the box in question, make sure the firewall on
> the box you are scanning it from is not restricting outgoing traffic, then
> from the external box scan the box in question (make sure network switches are
> not filtering anything), e.g. [as root; or add sudo in front of commands]:
>
> nmap -p 1- host.example.com
> nmap -p U:1- host.example.com
>
> then you can compare these with what internal commands (netstat, lsof)
> give you on the suspect box and you will know if the box is hiding open ports
> from you (then it is a solid suspect). There may be a weird situation if you
> only use internal commands for comparison: the box showing fewer
> open ports (which you may consider the clean reference box) is in fact
> compromised and is hiding information from you. Paranoia here is your
> friend.
>

One more side note: when checking open ports using internal commands make
sure to stop the firewall (iptables).

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
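The external-versus-internal comparison Valeri describes, as an added example that is not part of the thread: a script that parses nmap grepable (`-oG`) output captured on the scanning box and `netstat -tulpn` output captured on the suspect box, then reports ports reachable from outside that the box itself does not list. The embedded samples are constructed (192.0.2.10 is a documentation address standing in for host.example.com; the sendmail entry is invented) and reuse the port numbers from the thread.

```python
import re

# Constructed `nmap -oG -` output from the scanning box (192.0.2.10 is a
# documentation address standing in for host.example.com).
NMAP_GREPABLE = """\
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///, 10022/open/tcp//ssh///, 43422/open/tcp//unknown///, 48720/open/tcp//unknown///
Host: 192.0.2.10 ()\tPorts: 50216/open|filtered/udp//unknown///
"""

# Constructed `netstat -tulpn` output as printed on the suspect box itself.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:9390  0.0.0.0:*        LISTEN  5454/openvasmd
tcp        0      0 0.0.0.0:25      0.0.0.0:*        LISTEN  1290/sendmail
tcp        0      0 0.0.0.0:443     0.0.0.0:*        LISTEN  5438/gsad
tcp        0      0 0.0.0.0:10022   0.0.0.0:*        LISTEN  1177/sshd
tcp        0      0 0.0.0.0:48720   0.0.0.0:*        LISTEN  -
udp        0      0 0.0.0.0:50216   0.0.0.0:*                -
"""

PORT_RE = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")  # port/state/proto/ in -oG output

def parse_nmap_grepable(text):
    # (proto, port) pairs nmap saw open; UDP "open|filtered" is counted as open
    return {(proto, int(port)) for line in text.splitlines() if "Ports:" in line
            for port, state, proto in PORT_RE.findall(line) if state.startswith("open")}

def parse_netstat_listeners(text):
    # {(proto, port): "pid/program"} for sockets bound to all interfaces; loopback-only
    # sockets are skipped because the external scanner cannot see them anyway.
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # header lines
        addr, _, port = f[3].rpartition(":")
        if addr in ("0.0.0.0", "*", "::"):
            listeners[(f[0][:3], int(port))] = f[-1]
    return listeners

def compare(nmap_text, netstat_text):
    external = parse_nmap_grepable(nmap_text)
    owners = parse_netstat_listeners(netstat_text)
    internal = set(owners)
    return {
        "hidden": sorted(external - internal),    # reachable but not reported: the box is hiding it
        "filtered": sorted(internal - external),  # reported but unreachable: firewall or switch in the way
        "no_pid": sorted(k for k, v in owners.items() if v == "-"),  # listed without an owning process
    }
```

Run `compare(NMAP_GREPABLE, NETSTAT_OUTPUT)` after capturing both outputs; a non-empty `hidden` list is the "solid suspect" signal from the post, while `filtered` entries usually mean iptables or a switch got in the way of the scan.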