LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-28-2005, 03:05 PM   #1
SpacedCowboy
LQ Newbie
 
Registered: Oct 2005
Posts: 2

Rep: Reputation: 0
What to do when lsof fails....


So, we had a penetration test done recently, and the server was found
to be ... lacking. It's been tightened up and will soon have another
test done on it, but in the meantime I've got a suspect service running
on the machine - and I can't find out what's providing the service...

If I do:
netstat -tunap | grep LISTEN

I get two services with no pid/program:

tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -

tcp 0 0 0.0.0.0:26959 0.0.0.0:* LISTEN -

Now, 2049 is the NFS daemon's port, so I'm assuming the reason there's
nothing reporting for that is that it's the kernel nfsd. The one that
has me concerned is the 26959 one...

Doing lsof on it (using a binary from another machine) returns me
nothing either
# ./lsof -i TCP:26959
#

For the time-being I've firewalled the port (INPUT/OUTPUT/FORWARD) but
was wondering if there was any other way to determine which process has
the socket open.

Any thoughts ? (Apart from 'reinstall the system' - that's going to
happen soon anyway)

Cheers,
Simon.

[added in case it helps anyone else]

So, it turns out to be benign - it was a sun-rpc service running on the port, and once I'd done an 'rpcinfo -p', I could see that a standard service (locking) was running on that port. RPC ports are arbitrary (hence the portmapper process) so the odd port number is reasonable...

Simon

Last edited by SpacedCowboy; 10-29-2005 at 02:53 AM.
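The resolution above (a LISTEN socket with no PID that turns out to be a portmapper-registered RPC service) can be made a repeatable check. This is an added example, not code from the thread: it parses netstat -tunap and rpcinfo -p output, picks out listeners with no owning process, and maps them to registered RPC programs or flags them as unexplained. The sample outputs below are constructed for the example; the 2049/nfs and 26959/nlockmgr pairing mirrors the thread's finding, and port 40001 is a made-up unexplained listener.

```shell
#!/bin/sh
# Constructed sample of `netstat -tunap | grep LISTEN`: two kernel-owned sockets,
# one owned by sshd, and one made-up unexplained listener on 40001.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:26959           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6633/sshd
tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN      -'

# Constructed sample of `rpcinfo -p`: the portmapper, nfs, and the lock manager.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   tcp   2049  nfs
    100021    1   tcp  26959  nlockmgr
    100021    1   udp  32768  nlockmgr'

# Print "proto port" for each LISTEN socket whose PID/Program column is "-".
# Fields: 1=proto 4=local addr:port 6=state 7=pid/program.
unowned_listeners() {
    printf '%s\n' "$1" | awk '$6 == "LISTEN" && $7 == "-" {
        n = split($4, a, ":"); print $1, a[n] }'
}

# Look up proto ($1) and port ($2) in rpcinfo -p output ($3); print the
# registered RPC service name, or nothing if the port is not registered.
rpc_service_for() {
    printf '%s\n' "$3" | awk -v proto="$1" -v port="$2" \
        '$3 == proto && $4 == port { print $5; exit }'
}

# For each unowned listener in netstat output ($1), report either the RPC
# service registered for it in rpcinfo output ($2) or UNEXPLAINED, which is
# the case that still needs investigation.
classify_unowned() {
    unowned_listeners "$1" | while read -r proto port; do
        svc=$(rpc_service_for "$proto" "$port" "$2")
        if [ -n "$svc" ]; then
            printf '%s/%s rpc:%s\n' "$port" "$proto" "$svc"
        else
            printf '%s/%s UNEXPLAINED\n' "$port" "$proto"
        fi
    done
}

classify_unowned "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

On a live host, feed it `"$(netstat -tunap | grep LISTEN)"` and `"$(rpcinfo -p)"`; anything reported UNEXPLAINED is a listener that neither a process nor the portmapper accounts for.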
 
Old 10-29-2005, 10:32 AM   #2
imitheos
Member
 
Registered: May 2005
Location: Greece
Posts: 374

Rep: Reputation: 55
Re: What to do when lsof fails....

Quote:
Originally posted by SpacedCowboy
Did you run netstat and lsof as a user or as root?
If you run them as a user then you can't get the PIDs.

Run them as root and they should work.
You can also run "fuser 26959/tcp".
 
Old 10-29-2005, 03:39 PM   #3
SpacedCowboy
LQ Newbie
 
Registered: Oct 2005
Posts: 2

Original Poster
Rep: Reputation: 0
Re: Re: What to do when lsof fails....

Quote:
Originally posted by imitheos
Did you run netstat and lsof as a user or as root?
If you run them as a user then you can't get the PIDs.

Run them as root and they should work.
You can also run "fuser 26959/tcp".
Well, I get the same response back with fuser (that is to say, not very much :-) and I am running as root. I guess it's just that they're being looked after by the kernel...

# fuser ssh/tcp
here: ssh
ssh/tcp: 6633

# fuser 26959/tcp
here: 26959


Cheers,
Simon.
All times are GMT -5.