_Max_ Apprentice
Joined: 03 Mar 2003 Posts: 264 Location: London, UK
Posted: Sat Dec 27, 2003 1:45 pm Post subject: Something listening on port 1024? [SOLVED]
Hi,
I inherited this old Red Hat 6.2 (Zoot) box and am in half a mind to wipe it and put Gentoo on it, but that would be quite a lot of work. In any case, I decided to poke around a little bit, and it seems that there is some process listening on port 1024:
Code: |
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:telnet *:* LISTEN 10959/inetd
tcp 0 0 *:ftp *:* LISTEN 10959/inetd
tcp 0 0 *:www *:* LISTEN 563/httpd
tcp 0 0 *:1024 *:* LISTEN -
|
If I nmap the machine from outside, it identifies kdm with port 1024. That is quite weird, as I am sure that is not installed on the machine. How do I find out which process is using that port, and what it is? _________________ Ceci n'est pas une sig.
Last edited by _Max_ on Fri Jan 02, 2004 5:53 pm; edited 1 time in total |
dabooty Guru
Joined: 15 May 2003 Posts: 482 Location: Belgium
Posted: Sat Dec 27, 2003 1:54 pm
use lsof to see what is opening the port.
see man lsof (if it's installed) _________________ registered user #284425
get yourself counted
http://counter.li.org
------
#emerge -pv solves a lot of questions beforehand
astika Tux's lil' helper
Joined: 31 Oct 2003 Posts: 131 Location: /usr/local/src
Posted: Sat Dec 27, 2003 1:59 pm
Code: |
# lsof -i | grep -i listen | grep 1024
|
most likely it is an rpc.statd process.
is nfslock running?
note:
lsof lists open files for running Unix processes, you can emerge it if you do
not have it. _________________ even now in heaven, there were angels carrying savage weapons
dabooty Guru
Joined: 15 May 2003 Posts: 482 Location: Belgium
Posted: Sat Dec 27, 2003 2:05 pm
cannot emerge on an old redhat box
astika Tux's lil' helper
Joined: 31 Oct 2003 Posts: 131 Location: /usr/local/src
Posted: Sat Dec 27, 2003 4:28 pm
lmao, i had completely skipped over that.
but for people who do want it, and are on gentoo, you can emerge lsof
Chris W l33t
Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
_Max_ Apprentice
Joined: 03 Mar 2003 Posts: 264 Location: London, UK
Posted: Sat Dec 27, 2003 10:00 pm
Well, I just installed lsof manually (from source tar.gz - I usually find that easier than rpms), and I get this:
lsof -i | grep -i listen
Code: |
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
httpd 563 root 16u IPv4 518 TCP *:www (LISTEN)
httpd 9662 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 9663 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 9664 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 9667 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 9668 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 9671 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 9672 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 9673 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 10082 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 10083 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 10084 nobody 16u IPv4 518 TCP *:www (LISTEN)
httpd 10155 nobody 16u IPv4 518 TCP *:www (LISTEN)
inetd 10959 root 4u IPv4 471075 TCP *:ftp (LISTEN)
inetd 10959 root 5u IPv4 471076 TCP *:telnet (LISTEN)
|
Nothing about 1024?
again, netstat -tap (this was run about 1 second later) gives me
Code: |
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:telnet *:* LISTEN 10959/inetd
tcp 0 0 *:ftp *:* LISTEN 10959/inetd
tcp 0 0 *:www *:* LISTEN 563/httpd
tcp 0 0 *:1024 *:* LISTEN -
|
Aha, so something does seem to be listening on 1024. Coming to think of it, I ran this as root, so why does it give me the message of not being root? "Non-owned process info will not be shown" - is the process not owned by anyone?
nmap (from another machine) gives me
Code: |
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
1024/tcp open kdm
|
with some "filtered" ports which I didn't list here.
Hm... so I try telnetting to that port
Code: |
[me@someothermachine somedir]$ telnet oldbox 1024
Trying <IP of oldbox>...
Connected to oldbox.
Escape character is '^]'.
Connection closed by foreign host.
|
???
_Max_ Apprentice
Joined: 03 Mar 2003 Posts: 264 Location: London, UK
Posted: Fri Jan 02, 2004 5:42 pm
I also tried connecting to the machine using ssh:
Quote: |
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 503 geteuid 0 anon 1
debug1: Connecting to somehost [some_ip] port 1024.
debug1: temporarily_use_uid: 503/503 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 503/503 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/me/.ssh/identity type -1
debug1: identity file /home/me/.ssh/id_rsa type -1
debug1: identity file /home/me/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x8063510(0x0)
|
Hm... so I check the logs to see whether there is a record of any failed connection attempts on somehost, and I get something like this
Code: |
Jan 2 17:22:49 somehost kernel: lockd: connect from unprivileged port: <ip_of_other_machine>:4131<4>lockd: accept failed (err 11)!
Jan 2 17:22:49 somehost kernel: lockd: accept failed (err 11)!
|
I checked, lockd is something for locking files when the server crashes (part of rpc)?
_Max_ Apprentice
Joined: 03 Mar 2003 Posts: 264 Location: London, UK
Posted: Fri Jan 02, 2004 5:57 pm
mikeD wrote: |
most likely it is an rpc.statd process.
is nfslock running?
|
That was it. When I shut down rpc, it appears I didn't shut down everything cleanly. So there was a lockd and rpciod still running. They didn't come up under lsof, but I did eventually see them under ps. I wonder why netstat -tap didn't list the process... Go figure.
In any case, the port is shut! <removes tin-foil hat>
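Added example, not part of the thread: on Linux, netstat -p and lsof find a socket's owner by matching its inode against the /proc/<pid>/fd entries, so a listener opened by an in-kernel thread such as lockd has no match and appears as "-" or not at all. The sketch below repeats that lookup over constructed data in /proc/net/tcp format; the function names, sample inodes and fake /proc tree are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/net/tcp format: LISTEN (st=0A) on 0x0050 (80)
# and 0x0400 (1024), plus one established connection. Inodes are made up.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 518
   1: 00000000:0400 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 471200
   2: 0100007F:0017 0100007F:8123 01 00000000:00000000 00:00000000 00000000     0        0 471300
EOF
}

# Print "port inode" for every listening TCP socket in the table file $1.
listeners() {
  awk 'function hex(s,  i, n) {
         n = 0
         for (i = 1; i <= length(s); i++)
           n = n * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
         return n
       }
       $4 == "0A" { split($2, a, ":"); printf "%d %s\n", hex(a[2]), $10 }' "$1"
}

# Print the PID holding socket inode $1 under proc root $2; fail if none does.
owner_of_inode() {
  for fd in "${2:-/proc}"/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    pid=${fd%/fd/*}; echo "${pid##*/}"; return 0
  done
  return 1
}

# Print listening ports that no process file descriptor accounts for.
unowned_listeners() {
  listeners "$1" | while read -r port inode; do
    owner_of_inode "$inode" "$2" >/dev/null || echo "$port"
  done
}

# Constructed demo: PID 563 holds inode 518; nothing holds inode 471200.
demo() {
  d=$(mktemp -d) && mkdir -p "$d/563/fd" && ln -s 'socket:[518]' "$d/563/fd/16"
  sample_proc_net_tcp > "$d/tcp"
  unowned_listeners "$d/tcp" "$d"
  rm -rf "$d"
}
demo   # prints 1024 for the constructed data
```

On a live host, run `unowned_listeners /proc/net/tcp /proc` as root, since other users' fd directories are unreadable otherwise; a port it reports is worth checking against `rpcinfo -p` and the kernel threads shown by `ps` before treating it as suspicious.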