[CentOS] process identification

Fri Sep 19 14:59:07 UTC 2014
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Fri, September 19, 2014 9:14 am, kqt4at5v at gmail.com wrote:
> On Fri, 19 Sep 2014, Reindl Harald wrote:
>
>>
>> Am 19.09.2014 um 15:58 schrieb kqt4at5v at gmail.com:
>>> On Fri, 19 Sep 2014, Reindl Harald wrote:
>>>
>>>> Am 19.09.2014 um 15:45 schrieb kqt4at5v at gmail.com:
>>>>> I am running CentOS 6.5. I know this is not a CentOS specific
>>>>> problem.
>>>>> Netstat shows several open ports and no pid.
>>>>>
>>>>> tcp    0  0 *:48720                 *:*                 LISTEN      -
>>>>> tcp    0  0 *:43422                 *:*                 LISTEN      -
>>>>> udp    0  0 *:50216                 *:*
>>>>
>>>> alias netstat='/bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t'
>>>>        /bin/netstat
>>>>
>>>> [root at openvas:~]$ /bin/netstat --numeric-hosts --numeric-ports --notrim --programs -u -t -l
>>>> Active Internet connections (only servers)
>>>> Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
>>>> tcp        0      0 127.0.0.1:9390              0.0.0.0:*                   LISTEN      5454/openvasmd
>>>> tcp        0      0 127.0.0.1:9391              0.0.0.0:*                   LISTEN      5473/openvassd
>>>> tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      5438/gsad
>>>> tcp        0      0 0.0.0.0:10022               0.0.0.0:*                   LISTEN      1177/sshd
>>>
>>> This netstat shows exactly the same
>>
>> boah then call it as root, for an unprivileged user it shows only the
>> executable and PID of its own processes for good reasons
>>
>>> Lsof does not show these ports
>>
>> because you just have no permissions
>>
>>
>
> My bad, I should have said. My original commands were
> sudo netstat -tulpn | less
> sudo lsof | less
> I have several CentOS 6.5 machines and only one shows these odd ports.
> I have also run chkrootkit and used clamscan to check filesystems.
> It may be harmless but my curiosity is killing me.
>

Just a side note: on a [suspected] compromised machine you cannot trust any
output of any commands. Say, I'd like to know which ports are open
(listening on _external_ interfaces). I would scan that box from an external
machine: turn off the firewall on the box in question, make sure the firewall
on the box you are scanning it from is not restricting outgoing traffic, then
from the external box scan the box in question (make sure network switches are
not filtering anything), e.g. [as root; or add sudo in front of the commands]:

nmap -p 1- host.example.com
nmap -p U:1- host.example.com

then you can compare these with what internal commands (netstat, lsof)
give you on the suspect box and you will know if the box is hiding open ports
from you (then it is a solid suspect). There may be a weird situation if you
only use internal commands for comparison: the box showing a smaller number of
open ports (which you may consider the clean reference box) is in fact
compromised and is hiding information from you. Paranoia here is your
friend.

Good luck!

Valeri


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
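The comparison Valeri describes (external nmap view versus the suspect box's own netstat view) done as a small script, as an added example that is not part of the thread. It assumes nmap was run with `-oG -` to get grepable output, that the UDP scan was run with `-sU` (nmap requires that for a `U:` port range), and that netstat was run on the suspect box with `-tulpn`; the two sample outputs below are constructed, not taken from the poster's machine. Ports bound only to loopback are dropped from the internal view, since an external scan cannot see them; only nmap ports in state `open` count as externally observed, because UDP `open|filtered` means nmap got no answer at all.

```python
"""Compare an external nmap scan with the suspect box's netstat listing.

A port that the scanner sees open but netstat does not report on a
non-loopback address is the "hidden" case from the thread: a solid suspect.
"""
import re
from typing import Dict, List, Set, Tuple

Port = Tuple[str, int]  # ("tcp" | "udp", port number)

# Constructed sample: grepable output of
#   nmap -p 1- -oG - host.example.com          (TCP)
#   nmap -sU -p U:1- -oG - host.example.com    (UDP)
NMAP_GREPABLE = """\
# Nmap scan initiated as: nmap -p 1- -oG - host.example.com
Host: 192.0.2.10 (host.example.com)\tStatus: Up
Host: 192.0.2.10 (host.example.com)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 48720/open/tcp/////, 10022/closed/tcp/////\tIgnored State: closed (65531)
Host: 192.0.2.10 (host.example.com)\tPorts: 123/open/udp//ntp///, 50216/open|filtered/udp/////\tIgnored State: closed (65533)
"""

# Constructed sample: `netstat -tulpn` run as root on the suspect box.
NETSTAT_TULPN = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1177/sshd
tcp        0      0 127.0.0.1:9390              0.0.0.0:*                   LISTEN      5454/openvasmd
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      5438/gsad
tcp        0      0 0.0.0.0:8080                0.0.0.0:*                   LISTEN      2201/python
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1020/ntpd
udp        0      0 0.0.0.0:50216               0.0.0.0:*                               -
"""

# One entry of the grepable "Ports:" field: port/state/proto/owner/service/...
PORT_ENTRY = re.compile(r"(\d+)/([^/]+)/(tcp|udp)/")


def parse_nmap_grepable(text: str) -> Set[Port]:
    """Return the (proto, port) pairs nmap reports as plainly 'open'."""
    seen: Set[Port] = set()
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # The Ports field runs until the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_ENTRY.findall(ports_field):
            if state == "open":  # skip closed, filtered and open|filtered
                seen.add((proto, int(port)))
    return seen


def parse_netstat(text: str) -> Dict[Port, Tuple[str, str]]:
    """Map each listening (proto, port) to (bound address, PID/program)."""
    listeners: Dict[Port, Tuple[str, str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0][:3]  # tcp6/udp6 collapse onto tcp/udp
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue  # service name instead of number: rerun with -n
        listeners[(proto, int(port))] = (host, fields[-1])
    return listeners


def is_loopback(host: str) -> bool:
    return host == "::1" or host.startswith("127.")


def compare(external: Set[Port],
            internal: Dict[Port, Tuple[str, str]]) -> Dict[str, List[Port]]:
    """Split ports into confirmed, hidden (suspect) and unreachable."""
    reachable = {p for p, (host, _) in internal.items() if not is_loopback(host)}
    return {
        "confirmed": sorted(external & reachable),     # both views agree
        "hidden": sorted(external - reachable),        # box does not admit it
        "unreachable": sorted(reachable - external),   # firewall or filtering
    }


def report(nmap_text: str = NMAP_GREPABLE,
           netstat_text: str = NETSTAT_TULPN) -> Dict[str, List[Port]]:
    result = compare(parse_nmap_grepable(nmap_text), parse_netstat(netstat_text))
    for label, ports in result.items():
        print(f"{label:12s} {', '.join(f'{p}/{n}' for p, n in ports) or '-'}")
    return result


if __name__ == "__main__":
    report()
```

In the constructed sample, tcp/48720 is open from outside but absent from netstat, which is exactly the hiding case; tcp/8080 and udp/50216 are the reverse (listening locally, not seen externally) and point at a firewall or filtering, not at a rootkit; 127.0.0.1:9390 is ignored because the scanner could never see it. Run the scan with the suspect box's firewall off, as Valeri says, or every firewalled port lands in the unreachable bucket and tells you nothing.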