I ran nmap on my server and found a strange port open. I'm trying to figure out if there is a way to map that port to a specific process but have no idea if there is such a tool.
Any suggestions?
-
sudo netstat -lnp will list the ports that are listening for incoming connections and the associated process that has the port open.
From Joe -
netstat -anp
The "-p" tells it to list the process ID that has the port open. The -an tells it to list listening ports and not to resolve names. On busy systems that can greatly speed up how fast it returns.
netstat -anp | grep "LIST"
That'll just give you the open ports.
From sysadmin1138 -
As well as Netstat, mentioned in other posts, the lsof command should be able to do this just fine. Just use this:
lsof -i :<port number> and all of the processes should come up. I use it on OS X quite frequently.
Debian Administration article for lsof
jnman : Interesting. I did not know about this. However, I am looking into this as the result of a hack attempt. The machine is a friend's. You can telnet to the offending port BUT lsof AND netstat both do not reveal the port as being open.
jnman : The port is 5631 which according to /etc/services is pcanywheredata, so very suspicious.
buster : Now, that's nice, I didn't know that! Always used netstat. Thanks
Kamil Kisiel : If neither netstat nor lsof show the port as being used, but the machine is responding to it, chances are there's been a rootkit installed. I recommend moving any data off the machine somewhere else and then nuking it.
Avery Payne : This is indeed a rootkit. I have seen this behavior before, and it is *always* a rootkit. Your system is compromised, and any tools you are using cannot be trusted. Boot into a Live CD (which has read-only trusted binaries) and use that to extract your data, settings, etc. Any programs you had, any scripts you had, abandon them. Do not bring them. Treat the system as if it has leprosy, because it /does/. Once you're done, nuke it from orbit. Do this as soon as possible. Oh, and unplug your network connection - deny your attacker access.
From bjtitus -
If you can't see the port open with operating system tools and you suspect an intrusion, it could be that a rootkit has been installed.
The rootkit could have changed system tools to hide certain processes and ports, or changed kernel modules.
You can check for rootkits with several automated tools. 'apt-cache search rootkit' shows the following in Ubuntu:
chkrootkit - rootkit detector
rkhunter - rootkit, backdoor, sniffer and exploit scanner
unhide - Forensic tool to find hidden processes and ports
If you happen to have a rootkit you can revert the changes to your system, but I recommend that you find out how the intrusion was made and harden the system so it does not repeat.
They are not exclusive to Ubuntu, you can use them in CentOS too. Just look for the package or download it from their page.
By the output from that port it seems you're running pcanywhere indeed: "�Ы� <Enter>" is very similar to "Please press <Enter>" which is pcanywhere welcome message. I don't know why the process doesn't show up in the process list. Are you root?
You can try rebooting to see if it's a one time process running, as well.
jnman : Any suggestions for CentOS?
jnman : Strangely, unhide-tcp does not show any suspicious ports. chkrootkit/rkhunter reported all clear (but mostly because I deleted the suspicious dirs prior to asking this question).
jnman : FWIW, the rootkit had installed itself as apache in /var/tmp/... and /var/tmp/.ICE-Unix/* The second one was sneaky since I did not notice it the first time around and I was wondering how the heck a bash process kept spawning itself after being killed.
jnman : Turns out the cracker installed a cron job.
From chmeee -
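An added example, not taken from any of the answers above, that does what the netstat/lsof answers describe (map a listening port to a PID) but reads /proc/net/tcp and /proc/<pid>/fd directly instead of trusting the netstat or lsof binaries on the box. That is also the cross-check the rootkit answer calls for: a userland rootkit trojans netstat/lsof/ps, so the kernel's own socket table may still show the port; if the port answers on the wire but is absent even from /proc, the kernel itself is lying and only a live CD can be trusted. The port number as a command-line argument, the optional /proc root parameter and the sample table lines in the test are assumptions of this example. The shell, awk, cut and readlink used here can be trojaned too, so run it from a live CD or a statically linked busybox when you suspect a compromise.

```shell
#!/bin/sh
# Added example (not from the original answers): locate the owner of a TCP port
# by reading /proc directly. Bypasses a trojaned netstat/lsof; a kernel rootkit
# can still hide a socket from /proc, in which case nothing here will find it.
# Usage: sh portowner.sh 5631     (port argument is an assumption of this example)

# Hex port as it appears in /proc/net/tcp, e.g. 5631 -> 15FF.
port_to_hex() {
    printf '%04X' "$1"
}

# Decode a /proc/net/tcp local_address field ("0100007F:15FF") to "127.0.0.1:5631".
# IPv4 is stored as a little-endian 32-bit hex word, so the bytes come out reversed.
decode_addr() {
    hexip=${1%%:*}
    hexport=${1##*:}
    if [ "${#hexip}" -eq 8 ]; then
        b1=$((0x$(printf '%s' "$hexip" | cut -c7-8)))
        b2=$((0x$(printf '%s' "$hexip" | cut -c5-6)))
        b3=$((0x$(printf '%s' "$hexip" | cut -c3-4)))
        b4=$((0x$(printf '%s' "$hexip" | cut -c1-2)))
        printf '%d.%d.%d.%d:%d\n' "$b1" "$b2" "$b3" "$b4" "$((0x$hexport))"
    else
        # tcp6 entries carry a 32-hex-digit address; only the port is decoded here.
        printf '[%s]:%d\n' "$hexip" "$((0x$hexport))"
    fi
}

# Read a /proc/net/tcp-format table on stdin and print "<state> <inode>" for every
# socket whose local port is $1. State 0A is LISTEN, 01 is ESTABLISHED.
sockets_on_port() {
    hex=$(port_to_hex "$1")
    awk -v p=":$hex" 'NR > 1 && substr($2, length($2) - 4) == p { print $4, $10 }'
}

# Print every LISTEN local address from a table on stdin. Diff this against
# `netstat -lnt` to spot ports a replaced netstat is hiding.
listening_addrs() {
    awk 'NR > 1 && $4 == "0A" { print $2 }' | while read -r a; do decode_addr "$a"; done
}

# Find the PID(s) holding socket inode $1 by scanning <procroot>/<pid>/fd/*.
# $2 defaults to /proc; an alternate root is accepted so the function can be
# exercised on a constructed directory tree.
pids_for_inode() {
    inode=$1
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        if [ "$(readlink "$fd")" = "socket:[$inode]" ]; then
            pid=${fd#"$root"/}
            printf '%s\n' "${pid%%/*}"
        fi
    done | sort -u
}

# Stand-alone run: only when a port is given on the command line.
if [ $# -ge 1 ]; then
    hits=$(for t in /proc/net/tcp /proc/net/tcp6; do
               [ -r "$t" ] && sockets_on_port "$1" < "$t"
           done)
    if [ -z "$hits" ]; then
        echo "port $1 is not in /proc/net/tcp*; if it still answers over the network, the kernel is lying: boot a live CD"
    else
        printf '%s\n' "$hits" | while read -r state inode; do
            echo "port $1 state $state inode $inode owned by pid(s): $(pids_for_inode "$inode" | tr '\n' ' ')"
        done
    fi
fi
```

If the port shows up in /proc/net/tcp with an inode but no /proc/<pid>/fd entry points at it, the process is being hidden from /proc by the kernel (or has already exited and the socket is in TIME_WAIT); compare against what `unhide-tcp` and an external nmap scan report before drawing conclusions.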
Warning: Your system is compromised.
The tool you need is lsof, which will list files (and sockets and ports). It is most likely installed, and it is most likely the attacker's version, which means it will lie to you.
This is indeed a rootkit. I have seen this behavior before, and it is always a rootkit. Your system is compromised, and any tools you are using that originate from the same machine cannot be trusted. Boot into a Live CD (which has read-only trusted binaries) and use that to extract your data, settings, etc. Any programs you had, any scripts you had, abandon them. Do not bring them. Treat them, and the system, as if they have leprosy, because they do.
Once you're done, nuke it from orbit.

Do this as soon as possible. Oh, and unplug your network connection - deny your attacker access.
Robert Moir : This says it all really. Figure out what went wrong, flatten the server, restore from last known good backup. Life's too short to play games.
Avery Payne : Just adding: be sure you know the date of the break-in, as you may be restoring the same rootkit that you just removed. Otherwise, yeah, restore from /before/ that date.
jnman : That's a funny graphic. I know the system is compromised (thankfully it's not mine). The question I was more curious about was tracking down how he got in in the first place. I suspect via php/joomla but wanted to understand how/why this port was staying open when none of the rootkit detection tools were showing that port.
theman_on_osx : lol @ "Oh, and unplug your network connection"
From Avery Payne