LinuxQuestions.org

Linux - Security: cannot identify process associated with open port (https://www.linuxquestions.org/questions/linux-security-4/cannot-identify-process-associated-with-open-port-4175670308/)

vincix 02-26-2020 07:42 AM

cannot identify process associated with open port
 
Hi,

I'm trying to understand why a port is kept open on my linux server, but I cannot associate it with any process whatsoever, so I'm not really sure what is running there.
netstat -tulpn shows:
Code:

Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name
tcp        0      0 0.0.0.0:1167            0.0.0.0:*              LISTEN      990/cdp
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN      668/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN      890/sshd
tcp        0      0 0.0.0.0:5432            0.0.0.0:*              LISTEN      11824/postgres
tcp        0      0 127.0.0.1:5433          0.0.0.0:*              LISTEN      11823/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*              LISTEN      1182/master
tcp        0      0 0.0.0.0:33855          0.0.0.0:*              LISTEN      -
tcp        0      0 0.0.0.0:10050          0.0.0.0:*              LISTEN      9210/zabbix_agentd
tcp6      0      0 :::111                  :::*                    LISTEN      668/rpcbind
tcp6      0      0 :::5432                :::*                    LISTEN      11824/postgres
tcp6      0      0 :::33114                :::*                    LISTEN      -
tcp6      0      0 :::10050                :::*                    LISTEN      9210/zabbix_agentd
udp        0      0 0.0.0.0:111            0.0.0.0:*                          668/rpcbind
udp        0      0 0.0.0.0:844            0.0.0.0:*                          668/rpcbind
udp6      0      0 :::111                  :::*                                668/rpcbind
udp6      0      0 :::844                  :::*                                668/rpcbind

I'm referring to 33855 and 33114.
Neither lsof nor ss showed me anything.
Any ideas how I can trace that back to a process?

Thanks.

Turbocapitalist 02-26-2020 08:06 AM

You'll need to run netstat as root to get the process information.

vincix 02-26-2020 08:12 AM

Hi,

That's not the issue. Everything is run as root. Otherwise I wouldn't have seen most (if any) of the processes that are already displayed by netstat.
Telnetting to 33855 does work, but I'm not sure what it expects.

Turbocapitalist 02-26-2020 08:27 AM

Does lsof show the PID of the process at least? Then you could try looking using ps:

Code:

ps -p xxxxx -o pid,ppid,user,args

vincix 02-26-2020 08:32 AM

PID of the process would probably have been all I wanted, but lsof doesn't show anything at all related to these two ports. Only ss and netstat do.
I should also mention that this is the behaviour of docker swarm when you initiate it. No related process is shown, but I know the port pops up in netstat/ss. In that case, of course, it's easy to trace it back to swarm, because it's a known port.

teckk 02-26-2020 08:32 AM

How about:
Code:

ss -plten

sudo lsof -ni :33855

sudo ss -tanp

sudo netstat -nlp | grep 33855

sudo fuser -vn tcp 33855


vincix 02-26-2020 08:55 AM

Code:

ss -plten | grep 33855
LISTEN    0      64          *:33855                    *:*                  ino:14772 sk:73 <->


lsof -ni :33855 lists nothing.
Code:

ss -tanp | grep 3385
LISTEN    0      64          *:33855                    *:*

Code:

netstat -nlp | grep 33855
tcp        0      0 0.0.0.0:33855          0.0.0.0:*              LISTEN      -

fuser -vn tcp 33855 also shows nothing.

teckk 02-26-2020 09:06 AM

https://unix.stackexchange.com/quest...ich-has-no-pid

vincix 02-26-2020 09:27 AM

This is what I've got based on the link you've shared.
find -inum 14772

Quote:

ls -li /usr/share/man/man2/ustat.2.gz
14772 -rw-r--r-- 1 root root 1800 Feb 15 2016 /usr/share/man/man2/ustat.2.gz
Quote:

root@prod-postgresql:~# ls -li /sys/devices/virtual/tty/tty58/dev
14772 -r--r--r-- 1 root root 4096 Feb 26 16:10 /sys/devices/virtual/tty/tty58/dev
I'm also a little bit suspicious of the fact that something has opened a sort of running service there and it's listening. Now I'm thinking of some kind of malware, I'm not sure.

vincix 02-26-2020 10:28 AM

If I connect through telnet to the port, I get this:
Code:

Feb 26 16:39:01 vm1010798 kernel: [8494225.482696] RPC: fragment too large: 218762506
Feb 26 16:39:05 vm1010798 kernel: [8494229.126107] RPC: fragment too large: 218762506
Feb 26 16:39:10 vm1010798 kernel: [8494234.076411] RPC: fragment too large: 218762506
Feb 26 16:39:16 vm1010798 kernel: [8494240.059684] RPC: fragment too large: 1634929930

So it seems to be related to the NFS client installed on the server. I'm not sure why it's listening on that port, but never mind. It's quite clear, I guess.
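The "-" that netstat and ss print in the PID column means exactly what the thread worked out: no process in the visible PID namespace holds a file descriptor for that socket, which is what you see for sockets created by kernel-side services such as the NFS/RPC code, and also for sockets owned by a process in another namespace (containers). The inode that ss reports (ino:14772 above) is a sockfs inode, so `find -inum` on the root filesystem matches unrelated files that merely share the number; the right lookup is the reverse one, `/proc/<pid>/fd` symlinks of the form `socket:[inode]`. The following script is an added example written for this thread, not code from the thread or from any of the tools discussed: it parses `/proc/net/tcp`, builds the inode-to-PID map from `/proc`, and reports listeners that no process owns. The `/proc/net/tcp` lines and the fd map in the block are constructed samples (inode 14772 is deliberately left out of the map to reproduce the kernel-owned case); the IPv4 decoding assumes a little-endian host, which is how x86 kernels print the field.

```python
import os
import re

# Constructed sample of /proc/net/tcp (NOT captured from the thread's host).
# Ports are hex: 843F = 33855, 0016 = 22, 0019 = 25. State 0A = LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:843F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14772 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21000 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22311 1 0000000000000000 100 0 0 10 0
"""

# Constructed socket-inode -> PID map, shaped like the result of scan_fd_owners().
# Inode 14772 is intentionally absent: no userspace process holds that socket.
SAMPLE_FD_MAP = {21000: 890, 22311: 1182}

LISTEN_STATE = "0A"
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def hex_to_ipv4(addr_hex):
    """Decode the little-endian hex address used by /proc/net/tcp (x86 hosts)."""
    octets = bytes.fromhex(addr_hex)[::-1]
    return ".".join(str(b) for b in octets)


def parse_proc_net_tcp(text):
    """Return the listening sockets from /proc/net/tcp text as dicts."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], int(fields[9])
        if state != LISTEN_STATE:
            continue
        addr_hex, port_hex = local.split(":")
        listeners.append({
            "addr": hex_to_ipv4(addr_hex),
            "port": int(port_hex, 16),
            "inode": inode,
        })
    return listeners


def scan_fd_owners(proc_root="/proc"):
    """Map socket inode -> PID by reading /proc/<pid>/fd symlinks.

    Run as root, otherwise other users' fd directories are unreadable and
    their sockets will wrongly look unowned."""
    owners = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or no permission
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = SOCKET_LINK.match(target)
            if match:
                owners[int(match.group(1))] = int(pid)
    return owners


def unowned_listeners(proc_net_tcp_text, fd_owners):
    """Listening sockets whose inode no visible process holds (kernel-owned,
    or owned by a process in another PID namespace)."""
    return [s for s in parse_proc_net_tcp(proc_net_tcp_text)
            if s["inode"] not in fd_owners]


if __name__ == "__main__":
    # Live run against this host; /proc/net/tcp6 uses the same layout with
    # 32-hex-digit addresses and can be fed through the same parser's port/inode logic.
    with open("/proc/net/tcp") as f:
        tcp_text = f.read()
    for sock in unowned_listeners(tcp_text, scan_fd_owners()):
        print("no owning process: %s:%d (socket inode %d)"
              % (sock["addr"], sock["port"], sock["inode"]))
```

For a socket this script flags, the next checks are whether the port is one of the kernel RPC services (`rpcinfo -p` lists registered programs and ports) and whether it disappears when the suspected service, NFS here, is stopped; if neither explains it, the host-level question turns into a container or namespace question (`nsenter` into the suspect namespace and repeat the scan) before treating it as unexplained.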

rnturn 02-26-2020 01:37 PM

Quote:

Originally Posted by teckk (Post 6094455)

Yes. I get one of these records from "netstat -anp" and it's related to running the nfs-server service. "nmap" sees it and stopping the service makes the port use go away. Not sure about the other one I'm seeing but nmap's not seeing. I'm assuming it's something similar at play so my hair's not on fire.

This is the sort of thing that would have driven the security compliance team I worked with some years ago right up the wall. (The electrical power generation industry gets a little testy about port use they cannot attribute to software that should be running on systems.)

