LinuxQuestions.org


Winanjaya 02-10-2010 06:59 PM

how do I know whose ports are they belong to?
 
Hello All,

when running nmap localhost (see below) .. I got unknown ports .. how do I know whose ports are they belong to? and how to close them?

please advise

thanks & regards
Winanjaya



[root@smartgateway ~]# nmap localhost

Starting Nmap 4.68 ( http://nmap.org ) at 2010-02-10 13:50 WIT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1705 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
904/tcp open unknown
905/tcp open unknown
906/tcp open unknown
907/tcp open unknown
908/tcp open unknown
909/tcp open unknown
10000/tcp open snet-sensor-mgmt

GlennsPref 02-10-2010 07:21 PM

Hi, there is a text file /etc/services

that shows the usual/default port numbers and what they're used for.

open it in an editor, or use cat from a shell.

cat /etc/services

cheers, Glenn

Winanjaya 02-10-2010 07:59 PM

I checked on /etc/services .. and I did not find them (904 to 909)

please help

thanks & regards

win32sux 02-10-2010 10:53 PM

Doing a simple netstat will show you which processes are listening on those ports:
Code:

netstat -pante | grep LISTEN

It'll also give you the owner's UID for each one.

The easiest way to close the ports would be to stop the relevant services.

Winanjaya 02-10-2010 11:05 PM

I ran it .. how to remove it? ..I don't know python? ..strange?

[root@smartgateway ~]# netstat -pante | grep LISTEN
tcp 0 0 0.0.0.0:59239 0.0.0.0:* LISTEN 0 3722 1768/rpc.statd
tcp 0 0 127.0.0.1:904 0.0.0.0:* LISTEN 0 5681 2190/python
tcp 0 0 127.0.0.1:905 0.0.0.0:* LISTEN 0 5682 2190/python
tcp 0 0 127.0.0.1:906 0.0.0.0:* LISTEN 0 5683 2190/python
tcp 0 0 127.0.0.1:907 0.0.0.0:* LISTEN 0 5684 2190/python
tcp 0 0 127.0.0.1:908 0.0.0.0:* LISTEN 0 5685 2190/python
tcp 0 0 127.0.0.1:909 0.0.0.0:* LISTEN 0 5686 2190/python
tcp 0 0 172.16.1.31:4430 0.0.0.0:* LISTEN 0 5834 2296/openvpn
tcp 0 0 172.16.1.31:943 0.0.0.0:* LISTEN 0 5679 2190/python
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 3566 1750/rpcbind
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 0 5461 2191/perl
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 4673 2090/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 5336 2167/cupsd
tcp 0 0 :::111 :::* LISTEN 0 3571 1750/rpcbind
tcp 0 0 :::22 :::* LISTEN 0 4675 2090/sshd

GlennsPref 02-10-2010 11:08 PM

Hi, they are not in numerical order, as such.

But, you're right, they are not listed.

Quote:

904/tcp open unknown
905/tcp open unknown
906/tcp open unknown
907/tcp open unknown
908/tcp open unknown
909/tcp open unknown

I'm very interested to see this, so I have done a quick search and found only some info.

ref. http://en.wikipedia.org/wiki/List_of...P_port_numbers
Quote:

904/TCP VMware Server Alternate (if 902 is in use, i.e. SUSE linux) Unofficial

ref. http://www.forums.speedguide.net/port.php?port=904
Quote:

904-909 tcp,udp Unassigned IANA
Port 5680 Details

known port assignments
threat/application/port search:
search
Port(s) Protocol Service Details Source
5680 tcp,udp auriga-router Auriga Router Service IANA
5680 tcp canna Canna (Japanese Input) SANS
5680 tcp canna Canna (Japanese Input) Nmap
5500-5699 tcp applications MOHAA Reverend Portforward

If you do not use vmware, you should probably close the ports with your firewall manager.

chrism01 02-10-2010 11:36 PM

You could check the pids to see what 'user' is using them...
Incidentally, they're all on the loopback interface
;)

jschiwal 02-10-2010 11:47 PM

You could use "pstree -p" to see which command you might be running that spawned other python processes.
The output will look like this:
Code:

...
─kdeinit4(30775)─┬─firefox(12186)───firefox(12191)─┬─kmozillahelper(12215)───{kmozillahelper}(11601)
        │                │                                ├─npviewer.bin(25234)─┬─{npviewer.bin}(11435)   
        │                │                                │                    ├─{npviewer.bin}(11436)   
        │                │                                │                    ├─{npviewer.bin}(11437)   
        │                │                                │                    └─{npviewer.bin}(11438)
...

Since the process names are simply python, they are probably scripts that are started like "python name" instead of running the scripts directly. So you can learn more by printing the command lines.
Here is an example looking at the command line that called PID 11435 above:
Code:

tr '\0' ' ' </proc/11435/cmdline
/usr/lib/nspluginwrapper/i386/linux/npviewer.bin --plugin /usr/lib/browser-plugins/libflashplayer.so --connection /org/wrapper/NSPlugins/libflashplayer.so/12191-1

The tr command replaces the NULs separating arguments with spaces.
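An added example (not from any poster in this thread): a POSIX shell helper that condenses `netstat -pante` output into one line per owning process and marks each port as loopback-only or network-reachable, the distinction chrism01 points out above. The function names are hypothetical; the sample lines are copied from the netstat output posted earlier in the thread.

```shell
#!/bin/sh
# listeners: read `netstat -pante` output on stdin and print one row per
# listening socket: scope port uid pid program
listeners() {
    awk '$6 == "LISTEN" {
        n = split($4, parts, ":")          # last field is the port (IPv4 and IPv6)
        port = parts[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        # Sockets bound to 127.x or ::1 cannot be reached from other hosts.
        scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "network"
        split($9, pp, "/")                 # "2190/python" -> pid, program
        print scope, port, $7, pp[1], (pp[2] == "" ? "?" : pp[2])
    }'
}

# by_process: group the rows by pid/program; IPv4+IPv6 duplicates collapse.
by_process() {
    listeners | sort -k4,4n -k2,2n -k1,1 -u | awk '{
        key = $4 "/" $5
        sep = (key in ports) ? "," : ""
        if (sep == "") order[++n] = key    # remember first-seen order
        ports[key] = ports[key] sep $2 "(" $1 ")"
    } END { for (i = 1; i <= n; i++) print order[i], ports[order[i]] }'
}

# cmdline_of PID: full command line, NUL separators turned into spaces.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        printf '(no readable /proc entry for pid %s)\n' "$1"
    fi
}

# Sample input: lines copied from the netstat output posted in this thread.
sample_capture() {
    cat <<'EOF'
tcp 0 0 127.0.0.1:904 0.0.0.0:* LISTEN 0 5681 2190/python
tcp 0 0 127.0.0.1:905 0.0.0.0:* LISTEN 0 5682 2190/python
tcp 0 0 172.16.1.31:4430 0.0.0.0:* LISTEN 0 5834 2296/openvpn
tcp 0 0 172.16.1.31:943 0.0.0.0:* LISTEN 0 5679 2190/python
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 0 5461 2191/perl
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 4673 2090/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 5336 2167/cupsd
tcp 0 0 :::22 :::* LISTEN 0 4675 2090/sshd
EOF
}

sample_capture | by_process
```

On a live system, run `netstat -pante | by_process` as root, then `cmdline_of <pid>` for any process whose name alone (such as python or perl) does not say what it is.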

Winanjaya 02-11-2010 01:40 AM

Hi I got below, and there is nothing shown 904-909 ??

login as: root
root@172.16.1.31's password:
Last login: Thu Feb 11 14:11:59 2010 from 172.16.1.77
[root@smartgateway ~]# pstree -p
init(1)ââ¬âacpid(1874)
ââatd(2148)
ââauditd(1706)ââ¬âaudispd(1708)âââ{audispd}(1709)
â ââ{auditd}(1707)
ââavahi-daemon(2157)âââavahi-daemon(2158)
ââbluetoothd(2024)
ââclamd(10235)âââ{clamd}(10236)
ââconsole-kit-dae(1885)ââ¬â{console-kit-dae}(1886)
â ââ{console-kit-dae}(1888)
â ââ{console-kit-dae}(1889)
â ââ{console-kit-dae}(1890)
â ââ{console-kit-dae}(1891)
â ââ{console-kit-dae}(1893)
â ââ{console-kit-dae}(1894)
â ââ{console-kit-dae}(1895)
â ââ{console-kit-dae}(1896)
â ââ{console-kit-dae}(1897)
â ââ{console-kit-dae}(1898)
â ââ{console-kit-dae}(1899)
â ââ{console-kit-dae}(1900)
â ââ{console-kit-dae}(1901)
â ââ{console-kit-dae}(1902)
â ââ{console-kit-dae}(1903)
â ââ{console-kit-dae}(1904)
â ââ{console-kit-dae}(1905)
â ââ{console-kit-dae}(1906)
â ââ{console-kit-dae}(1907)
â ââ{console-kit-dae}(1908)
â ââ{console-kit-dae}(1909)
â ââ{console-kit-dae}(1910)
â ââ{console-kit-dae}(1911)
â ââ{console-kit-dae}(1912)
â ââ{console-kit-dae}(1913)
â ââ{console-kit-dae}(1914)
â ââ{console-kit-dae}(1915)
â ââ{console-kit-dae}(1916)
â ââ{console-kit-dae}(1917)
â ââ{console-kit-dae}(1918)
â ââ{console-kit-dae}(1919)
â ââ{console-kit-dae}(1920)
â ââ{console-kit-dae}(1921)
â ââ{console-kit-dae}(1922)
â ââ{console-kit-dae}(1923)
â ââ{console-kit-dae}(1924)
â ââ{console-kit-dae}(1925)
â ââ{console-kit-dae}(1926)
â ââ{console-kit-dae}(1927)
â ââ{console-kit-dae}(1928)
â ââ{console-kit-dae}(1929)
â ââ{console-kit-dae}(1930)
â ââ{console-kit-dae}(1931)
â ââ{console-kit-dae}(1932)
â ââ{console-kit-dae}(1933)
â ââ{console-kit-dae}(1934)
â ââ{console-kit-dae}(1935)
â ââ{console-kit-dae}(1936)
â ââ{console-kit-dae}(1937)
â ââ{console-kit-dae}(1938)
â ââ{console-kit-dae}(1939)
â ââ{console-kit-dae}(1940)
â ââ{console-kit-dae}(1941)
â ââ{console-kit-dae}(1942)
â ââ{console-kit-dae}(1943)
â ââ{console-kit-dae}(1944)
â ââ{console-kit-dae}(1945)
â ââ{console-kit-dae}(1946)
â ââ{console-kit-dae}(1947)
â ââ{console-kit-dae}(3067)
â ââ{console-kit-dae}(3966)
ââcrond(2128)
ââcupsd(2167)
ââdbus-daemon(1820)
ââfreshclam(10243)
ââgpm(2099)
ââhald(1882)âââhald-runner(1948)ââ¬âhald-addon-acpi(2039)
â ââhald-addon-inpu(2116)
ââirqbalance(1743)
ââkerneloops(2137)
ââlogin(2197)âââbash(3968)
ââmingetty(2195)
ââmingetty(2196)
ââmingetty(2198)
ââmingetty(2199)
ââminiserv.pl(2191)
ââpython(2118)ââ¬âopenvpn(2296)âââopenvpn(2299)
â ââpython(2190)
â ââ{python}(3069)
âârpc.idmapd(1806)
âârpc.statd(1768)
âârpcbind(1750)
âârsyslogd(1731)ââ¬â{rsyslogd}(1733)
â ââ{rsyslogd}(1734)
â ââ{rsyslogd}(10556)
ââsshd(2090)ââ¬âsshd(4392)âââbash(4395)âââvi(10343)
â ââsshd(10345)âââbash(10348)
â ââsshd(10554)âââbash(10557)âââpstree(10593)
ââudevd(620)
[root@smartgateway ~]#

jschiwal 02-11-2010 04:20 AM

It would be easier to make things out if you put it inside code blocks and include just the pertinent section of the output.

Does this part mean that someone logged in through the vpn connection:
Code:

ââmingetty(2199)
 ââminiserv.pl(2191)
 ââpython(2118)ââ¬âopenvpn(2296)âââopenvpn(2299)
 â ââpython(2190)

Could you look at this part, and post it inside code blocks to preserve the indentation? Also if possible try changing the character encoding of the terminal program, such as konsole, to utf-8 so that the graphic characters are printed.

Also another way to look at the command line is "ps -ef | grep <PID>" where <PID> is the process number. It shows both the PID and the PPID of each process. pstree is easier to read because the indentation and the grouping show the parent-child relationships at a glance.

On google, I found that miniserv.pl is a script that Webmin uses. Are you using webmin? Check your webmin version and what everything that is a child of the miniserv process does.
http://secunia.com/advisories/17749/

If these processes and port usages are legit, you found your answer. If not then your work has just begun.

Also another answer to your original question is to run "getent services <port #>".
NMAP also has its own services file, which is where it gets the info it supplies about the ports.

Look at this similar line from one of your previous posts:
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 5336 2167/cupsd

This is the web interface for the cups service, which you could use to configure your printers.


All times are GMT -5.