md5xxx1 n00b
Joined: 20 Feb 2009 Posts: 3
Posted: Fri Feb 20, 2009 7:49 pm Post subject: Something listens on port 52000
I discovered that something listens on port 52000 and receives a lot of TCP packets from different IP addresses. It replies to these packets with short TCP packets. `netstat -p -a` doesn't display any process on this port. This process starts immediately after the computer reboots. What is this? Is this a trojan or something like that? What can I do about it?
gentoo_ram Guru
Joined: 25 Oct 2007 Posts: 514 Location: San Diego, California USA
Posted: Fri Feb 20, 2009 9:35 pm Post subject:
Did you do the netstat command as root? That makes a difference when using the `-p` flag. Also, you could try `lsof`. That will show network sockets as well. Again, you need to be root to run this command effectively.
poly_poly-man Advocate
Joined: 06 Dec 2006 Posts: 2477 Location: RIT, NY, US
Posted: Fri Feb 20, 2009 9:50 pm Post subject: Re: Something listens on port 52000
md5xxx1 wrote:
> I discovered that something listens on port 52000 and receives a lot of TCP packets from different IP addresses. It replies to these packets with short TCP packets. `netstat -p -a` doesn't display any process on this port. This process starts immediately after the computer reboots. What is this? Is this a trojan or something like that? What can I do about it?

bittorrent? any servers?
give an `rc-update`, and give us the output.
_________________
avatar: new version of logo - see topic 838248. Potentially still a WiP.
md5xxx1 n00b
Joined: 20 Feb 2009 Posts: 3
Posted: Sat Feb 21, 2009 2:44 am Post subject:
> Did you do the netstat command as root?

Yes.

> bittorrent? any servers?

apache, mysql (listens only on localhost), named

Also, I tried to run `telnet localhost 52000`. This outputs `Connection refused`; however, in `tcpdump -ilo` I see that a TCP packet was sent in response to the request. Is this normal? I thought that in this case only an ICMP packet should be sent in response.

Also, I have strange apache2 logs:

```
82.79.76.20 - - [18/Feb/2009:19:06:36 +0300] "GET http://www.yahoo.com/ HTTP/1.1" 200 44
```

Why is the HTTP status 200? This should be 404. I tried to enter http://address/http://www.yahoo.com/ in the web browser, but this prints 404 for me and not for the remote host displayed in the log.
poly_poly-man Advocate
Joined: 06 Dec 2006 Posts: 2477 Location: RIT, NY, US
Posted: Sat Feb 21, 2009 3:11 am Post subject:
```
telnet yourhost 80
GET http://www.yahoo.com/ HTTP/1.1
```

(hit enter twice after that command)
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Sat Feb 21, 2009 9:24 am Post subject:
And `netstat -lep` still doesn't see it?
avahi and nfs, for example, are common programs you may forget. (`rpcinfo -p localhost`)
Malvineous Apprentice
Joined: 20 Oct 2006 Posts: 281 Location: Brisbane, Australia
Posted: Sat Feb 21, 2009 11:54 am Post subject:
Try `telnet <yourip> 52000` as well. When you use "localhost" it goes through the "lo" network interface (which could have the port blocked by iptables), but when you telnet to your network card's IP the connection comes in on that interface instead (e.g. for me 192.168.0.1 connects through eth0). It's possible to block a port on one interface but not another.

As to the HTTP 200 in your logs, you probably have your webserver configured with a default virtual host, so that any requests coming in for unknown hosts will see the 'default' page. To test this, you can add an entry for www.yahoo.com into /etc/hosts with 127.0.0.1, then visit the web address in your browser. This will send a request for Yahoo to your local PC, and you can see in your browser what the HTTP 200 response actually contains.

I think a 'connection refused' returns a TCP RST packet, so seeing a TCP response to that is fine.

If no programs are showing up as listening on port 52000, how do you know there is something listening on that port? When you say your PC replies with "short TCP packets", are these the same RST packets you get when you telnet and get "Connection refused"? If so, all it means is that there is nothing listening on that port, and your PC keeps sending 'connection refused' messages to anyone who tries to connect. If you're really worried about it, set up your firewall as per the recommended method so it drops all packets for closed ports (instead of replying with 'connection refused').
Hu Administrator
Joined: 06 Mar 2007 Posts: 23097
Posted: Sat Feb 21, 2009 5:07 pm Post subject:
Malvineous wrote:
> Try `telnet <yourip> 52000` as well. When you use "localhost" it goes through the "lo" network interface (which could have the port blocked by iptables), but when you telnet to your network card's IP the connection comes in on that interface instead (e.g. for me 192.168.0.1 connects through eth0).

Not quite. Connections to the local machine always have an interface of lo, even when you use one of the real IP addresses. To test this, run `tcpdump -i lo -n tcp port 52000` and then use socat to connect to 52000 on any of your machine's IP addresses. Repeat with tcpdump monitoring eth0 and connect to your eth0 IP address. You should always see the connection in the first case and never in the second case.

You are correct that entering localhost will typically resolve to 127.0.0.1, and that could make a difference in the results observed.
Malvineous Apprentice
Joined: 20 Oct 2006 Posts: 281 Location: Brisbane, Australia
Posted: Sun Feb 22, 2009 4:46 am Post subject:
Oh, you're right, it still goes through localhost. I wonder how I reached that conclusion...? Maybe I was using iptables with destination addresses instead of interfaces...
md5xxx1 n00b
Joined: 20 Feb 2009 Posts: 3
Posted: Sun Feb 22, 2009 10:09 am Post subject:
Regarding the apache logs: when I run `telnet localhost 80` and send `GET http://yahoo.com/ HTTP/1.1`, it displays status 400 Bad Request. But the status was 200 for the remote host, as displayed in the log. Why?
Tekeli Li Tux's lil' helper
Joined: 03 Jan 2009 Posts: 95
Posted: Sun Feb 22, 2009 10:24 am Post subject:
Sounds to me like you have an open proxy there. Also, as Malvineous already asked, how did you discover that port 52000 was open?
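As an added example (not code from this thread), here is a small Python check that scans Apache common-log lines like the one quoted above for proxy-style requests: absolute URIs naming hosts this server does not own, and CONNECT tunnel requests. A 200 on such a line shows the server answered instead of refusing, which is what separates a harmless default-vhost page from an open proxy once you inspect the response body as Malvineous suggested. `LOCAL_HOSTS` and all sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit
# Apache CLF as in the thread's line: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
# Hostnames this server legitimately answers for (constructed assumption).
LOCAL_HOSTS = {"www.example.net", "example.net"}

def parse_line(line):
    """Parse one CLF line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry, local_hosts=LOCAL_HOSTS):
    """'origin', 'connect' (tunnel request) or 'foreign-absolute' (URI for a host we do not serve)."""
    if entry["method"].upper() == "CONNECT":
        return "connect"
    parts = urlsplit(entry["target"])
    if parts.scheme in ("http", "https") and parts.netloc:
        # Absolute form is legal for our own names; for any other host it is a proxy-style request.
        return "origin" if parts.hostname in local_hosts else "foreign-absolute"
    return "origin"

def find_proxy_requests(lines, local_hosts=LOCAL_HOSTS):
    """Proxy-style entries with status: 200 means the server answered (default vhost or real proxy)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparsable line: skip rather than abort the scan
        kind = classify(entry, local_hosts)
        if kind != "origin":
            hits.append({"client": entry["client"], "target": entry["target"],
                         "status": entry["status"], "kind": kind})
    return hits

# Constructed sample log; the first line mirrors the one quoted in the thread.
SAMPLE_LOG = [
    '82.79.76.20 - - [18/Feb/2009:19:06:36 +0300] "GET http://www.yahoo.com/ HTTP/1.1" 200 44',
    '10.0.0.5 - - [18/Feb/2009:19:07:01 +0300] "GET /index.html HTTP/1.1" 200 1532',
    '198.51.100.7 - - [18/Feb/2009:19:08:12 +0300] "GET http://www.example.net/ HTTP/1.1" 200 1532',
    '203.0.113.9 - - [18/Feb/2009:19:09:44 +0300] "CONNECT mail.example.org:25 HTTP/1.1" 405 0',
]
```

Running `find_proxy_requests` over a real access log and grouping the hits by client gives you the list of addresses to check against the firewall and the vhost configuration.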
Malvineous Apprentice
Joined: 20 Oct 2006 Posts: 281 Location: Brisbane, Australia
Posted: Sun Feb 22, 2009 11:24 am Post subject:
md5xxx1 wrote:
> when I run `telnet localhost 80` and send `GET http://yahoo.com/ HTTP/1.1`, it displays status 400 Bad Request. But the status was 200 for the remote host, as displayed in the log. Why?

Because you're sending an invalid request. HTTP 1.1 requires a Host header. You'll have to try one of these instead:

or

Code:
```
GET http://www.yahoo.com HTTP/1.0
```

HTTP 1.0 doesn't support virtual hosts, so you don't need the Host header.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23097
Posted: Sun Feb 22, 2009 4:47 pm Post subject:
Although telnet is fine in this case, if you are going to keep running this, you may find it more convenient to have a stored command like `echo -e 'GET / HTTP/1.0\nHost: foo\n' | socat - tcp4:IP:port`. Then you can recall the command each time, making minor adjustments as needed, instead of needing to repeatedly retype the request. Vary the text within the echo to suit your needs. Remove the pipe to socat if you want to print it to your terminal for comparison with other commands suggested here.