Hello,
I was informed by rootkit hunter (rkhunter) that port 47108 is opened by php-cgi.
After investigating I found out that this was a false positive. The system seems *not* to be infected.
"netstat -anp|grep php-cgi"
shows
Quote:
tcp 0 0 127.0.0.1:44279 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:59826 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
tcp 0 0 127.0.0.1:49386 127.0.0.1:3306 ESTABLISHED 31746/php-cgi
tcp 0 0 127.0.0.1:44277 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:49388 127.0.0.1:3306 ESTABLISHED 31746/php-cgi
tcp 0 0 127.0.0.1:59825 127.0.0.1:3306 ESTABLISHED 31276/php-cgi
tcp 0 0 127.0.0.1:49385 127.0.0.1:3306 ESTABLISHED 31746/php-cgi
tcp 0 0 127.0.0.1:44276 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:59822 127.0.0.1:3306 ESTABLISHED 31276/php-cgi
tcp 0 0 127.0.0.1:34342 127.0.0.1:3306 ESTABLISHED 14033/php-cgi
tcp 0 0 127.0.0.1:59820 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
tcp 0 0 127.0.0.1:59819 127.0.0.1:3306 ESTABLISHED 31276/php-cgi
tcp 0 0 127.0.0.1:59821 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
tcp 0 0 127.0.0.1:34345 127.0.0.1:3306 ESTABLISHED 14033/php-cgi
tcp 0 0 127.0.0.1:34343 127.0.0.1:3306 ESTABLISHED 14033/php-cgi
and "netstat -anp|grep mysql" shows
Quote:
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:44277 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:34343 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59819 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:34342 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:44276 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59825 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59820 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59821 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:49385 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59826 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:49388 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59822 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:34345 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:49386 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:44279 ESTABLISHED 29247/mysqld
I am using Apache with fcgi and PHP. It seems that every connection/fcgi process opens an internal port to handle the request and parse the result to Apache.
As far as I can see this should be a normal procedure? But can anyone tell me how I can define the dynamic port range to exclude certain ports?
Kind Regards
Flowsen
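
The manual comparison of the two netstat listings above can be automated. The following is an added example, not part of the original post: it pairs each php-cgi socket with the mirror entry of the same connection and reports whether the port is just the client side of a local connection. The function names and the sample lines are constructed for illustration; port 47108 is shown as a paired client port, matching the false positive described in the post.

```shell
# Constructed sample in the format of `netstat -anp` shown in the post.
# The last two lines are invented to show the cases worth a closer look.
sample_netstat() {
cat <<'EOF'
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29247/mysqld
tcp 0 0 127.0.0.1:44279 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:3306 127.0.0.1:44279 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:47108 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
tcp 0 0 127.0.0.1:3306 127.0.0.1:47108 ESTABLISHED 29247/mysqld
tcp 0 0 0.0.0.0:47110 0.0.0.0:* LISTEN 4242/php-cgi
tcp 0 0 192.0.2.10:47112 198.51.100.7:8080 ESTABLISHED 4243/php-cgi
EOF
}

# classify_sockets PROG: read `netstat -anp` lines on stdin and print
# "<local address> <verdict>" for every TCP socket owned by PROG.
# (Hypothetical helper written for this example.)
classify_sockets() {
    awk -v prog="$1" '
    $1 ~ /^tcp/ {
        n++; loc[n] = $4; rem[n] = $5; state[n] = $6
        owner[n] = $7; sub(/^[0-9]+\//, "", owner[n])
        # Index every socket by "local remote" so the mirror entry can be found.
        peer[$4 " " $5] = owner[n]
    }
    END {
        for (i = 1; i <= n; i++) {
            if (owner[i] != prog) continue
            mirror = rem[i] " " loc[i]
            if (state[i] == "LISTEN")
                v = "LISTENING"              # PROG itself accepts connections here
            else if (mirror in peer)
                v = "client-of:" peer[mirror] # ephemeral port of a local connection
            else if (rem[i] ~ /^127\./)
                v = "loopback-unpaired"      # other end not visible in the listing
            else
                v = "remote-peer"            # connection leaves the host
            print loc[i], v
        }
    }'
}

sample_netstat | classify_sockets php-cgi
```

On a live system the input would be `netstat -anp | classify_sockets php-cgi`, run as root so the PID/program column is filled in. On Linux the ephemeral range is set with the `net.ipv4.ip_local_port_range` sysctl, and `net.ipv4.ip_local_reserved_ports` keeps listed ports from being handed out as ephemeral ports.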