Zombie port?
Hi, folks;
I'm managing a large-scale, mostly Linux network. I found something strange these months. On some Linux servers (kernel-2.4), there are zombie ports that have no relation to any process: when using `lsof -i:P_O_R_T', no process is listed; but if you type `netstat -lnp' as root, you can see the exact opened port, like this:
Code:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
1, how to detect which process generated this port?
2, how to shut down this opened port?
Thanks for any clue,
Well, if there is no running application claiming it, my first suggestion would be to run something like chkrootkit and make sure there isn't a rootkit installed.
Have you tried connecting to it with telnet or something similar to see if it announces itself? You could also try running tcpdump on it to see if it's passing any traffic. You could add an iptables ruleset to block both outgoing and incoming connections on that port as well in the meantime, and see what breaks when you do it :) Normally, I think that if anything doesn't have an application claiming it, it's up to some nefarious purpose, tho.
Is this an entry in services?
If you are not sure, use iptables to block that port. You can also install portsentry or tripwire.
Tameika
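
Added example, not part of the thread: one way to reproduce the `netstat -lnp' versus `lsof' comparison by hand is to read the socket inode of each LISTEN entry in /proc/net/tcp and check whether any /proc/<pid>/fd link holds it. The function names and the sample table are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import os
import re
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not data from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:8003 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1377
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1422
   3: 0A00000A:0016 0A000014:C350 01 00000000:00000000 02:000A0000 00000000     0        0 1980
"""

def listening_sockets(text):
    """Return (ip, port, inode) for every IPv4 TCP socket in LISTEN state."""
    found = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        hex_ip, hex_port = f[1].split(":")
        # Assumption: little-endian host, so the address bytes are reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16), int(f[9])))
    return found

def socket_inodes_held(proc_root="/proc"):
    """Collect socket inodes referenced by any process's open descriptors."""
    held = set()
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                link = os.readlink(os.path.join(fd_dir, fd))
                m = re.match(r"socket:\[(\d+)\]", link)
                if m:
                    held.add(int(m.group(1)))
        except OSError:  # process exited, or not readable (run as root)
            continue
    return held

def unowned_listeners(text, held_inodes):
    """Listening sockets whose inode no process holds open."""
    return [s for s in listening_sockets(text) if s[2] not in held_inodes]

if __name__ == "__main__":
    live = os.path.exists("/proc/net/tcp")
    text = open("/proc/net/tcp").read() if live else SAMPLE_PROC_NET_TCP
    held = socket_inodes_held() if live else {1201, 1422}
    for ip, port, inode in unowned_listeners(text, held):
        print(f"{ip}:{port} inode={inode} has no owning process")
```

Run it as root so every /proc/<pid>/fd directory is readable; otherwise sockets of other users' processes are reported as unowned.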