LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-10-2010, 06:59 PM   #1
Winanjaya
Member
 
Registered: Sep 2003
Posts: 239

Rep: Reputation: 32
Question how do I know whose ports are they belong to?


Hello All,

when running nmap localhost (see below) .. I got unknown ports .. how do I know whose ports are they belong to? and how to close them?

please advise

thanks & regards
Winanjaya



[root@smartgateway ~]# nmap localhost

Starting Nmap 4.68 ( http://nmap.org ) at 2010-02-10 13:50 WIT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1705 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
631/tcp open ipp
904/tcp open unknown
905/tcp open unknown
906/tcp open unknown
907/tcp open unknown
908/tcp open unknown
909/tcp open unknown
10000/tcp open snet-sensor-mgmt
 
Old 02-10-2010, 07:21 PM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Tweed Heads, Australia
Distribution: Devuan
Posts: 3,522
Blog Entries: 33

Rep: Reputation: 265Reputation: 265Reputation: 265
Hi, there is a text file /etc/services

that shows the usual/default port numbers and what they're used for.

open it in an editor, or use cat from a shell.

cat /etc/services

cheers, Glenn
 
Old 02-10-2010, 07:59 PM   #3
Winanjaya
Member
 
Registered: Sep 2003
Posts: 239

Original Poster
Rep: Reputation: 32
I checked on /etc/services .. and I didnot find them(904 to 909)

please help

thanks & regards
 
Old 02-10-2010, 10:53 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Doing a simple netstat will show you which processes are listening on those ports:
Code:
netstat -pante | grep LISTEN
It'll also give you the owner's UID for each one.

The easiest way to close the ports would be to stop the relevant services.
 
Old 02-10-2010, 11:05 PM   #5
Winanjaya
Member
 
Registered: Sep 2003
Posts: 239

Original Poster
Rep: Reputation: 32
I ran it .. how to remove it? ..I don't know python? ..strange?

[root@smartgateway ~]# netstat -pante | grep LISTEN
tcp 0 0 0.0.0.0:59239 0.0.0.0:* LISTEN 0 3722 1768/rpc.statd
tcp 0 0 127.0.0.1:904 0.0.0.0:* LISTEN 0 5681 2190/python
tcp 0 0 127.0.0.1:905 0.0.0.0:* LISTEN 0 5682 2190/python
tcp 0 0 127.0.0.1:906 0.0.0.0:* LISTEN 0 5683 2190/python
tcp 0 0 127.0.0.1:907 0.0.0.0:* LISTEN 0 5684 2190/python
tcp 0 0 127.0.0.1:908 0.0.0.0:* LISTEN 0 5685 2190/python
tcp 0 0 127.0.0.1:909 0.0.0.0:* LISTEN 0 5686 2190/python
tcp 0 0 172.16.1.31:4430 0.0.0.0:* LISTEN 0 5834 2296/openvpn
tcp 0 0 172.16.1.31:943 0.0.0.0:* LISTEN 0 5679 2190/python
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 3566 1750/rpcbind
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 0 5461 2191/perl
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 4673 2090/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 5336 2167/cupsd
tcp 0 0 :::111 :::* LISTEN 0 3571 1750/rpcbind
tcp 0 0 :::22 :::* LISTEN 0 4675 2090/sshd
 
Old 02-10-2010, 11:08 PM   #6
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Tweed Heads, Australia
Distribution: Devuan
Posts: 3,522
Blog Entries: 33

Rep: Reputation: 265Reputation: 265Reputation: 265
Hi, they are not in numerical order, as such.

But, you're right, they are not listed.

Quote:
904/tcp open unknown
905/tcp open unknown
906/tcp open unknown
907/tcp open unknown
908/tcp open unknown
909/tcp open unknown
I'm very interested to see this, so I have done a quick search and found only some info.

ref. http://en.wikipedia.org/wiki/List_of...P_port_numbers
Quote:
904/TCP VMware Server Alternate (if 902 is in use, i.e. SUSE linux) Unofficial
ref. http://www.forums.speedguide.net/port.php?port=904
Quote:
904-909 tcp,udp Unassigned IANA
Port 5680 Details

known port assignments
threat/application/port search:
search
Port(s) Protocol Service Details Source
5680 tcp,udp auriga-router Auriga Router Service IANA
5680 tcp canna Canna (Japanese Input) SANS
5680 tcp canna Canna (Japanese Input) Nmap
5500-5699 tcp applications MOHAA Reverend Portforward
If you do not use vmware, you should probably close the ports with your firewall manager.

Last edited by GlennsPref; 02-10-2010 at 11:14 PM.
 
Old 02-10-2010, 11:36 PM   #7
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,307

Rep: Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743
You could check the pids to see what 'user' is using them...
Incidentally, they're all on the loopback interface
 
Old 02-10-2010, 11:47 PM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 681Reputation: 681Reputation: 681Reputation: 681Reputation: 681Reputation: 681
You could use "pstree -p" to see which command you might be running that spawned other python processes.
The output will look like this:
Code:
...
─kdeinit4(30775)─┬─firefox(12186)───firefox(12191)─┬─kmozillahelper(12215)───{kmozillahelper}(11601)
        │                 │                                 ├─npviewer.bin(25234)─┬─{npviewer.bin}(11435)    
        │                 │                                 │                     ├─{npviewer.bin}(11436)    
        │                 │                                 │                     ├─{npviewer.bin}(11437)    
        │                 │                                 │                     └─{npviewer.bin}(11438)
...
Since the process names are simply python, they are probably scripts that are started like "pythonl name" instead of running the scripts directly. So you can learn more by printing the command lines.
Here is an example looking at the command line that called PID 11435 above:
Code:
tr '\0' ' ' </proc/11435/cmdline
/usr/lib/nspluginwrapper/i386/linux/npviewer.bin --plugin /usr/lib/browser-plugins/libflashplayer.so --connection /org/wrapper/NSPlugins/libflashplayer.so/12191-1
The tr command replaces NULLS separating arguments to spaces.

Last edited by jschiwal; 02-11-2010 at 04:24 AM. Reason: python -> perl
 
1 members found this post helpful.
Old 02-11-2010, 01:40 AM   #9
Winanjaya
Member
 
Registered: Sep 2003
Posts: 239

Original Poster
Rep: Reputation: 32
Hi I got below, and there is nothing shown 904-909 ??

login as: root
root@172.16.1.31's password:
Last login: Thu Feb 11 14:11:59 2010 from 172.16.1.77
[root@smartgateway ~]# pstree -p
init(1)‚‚¨‚acpid(1874)
‚‚atd(2148)
‚‚auditd(1706)‚‚¨‚audispd(1708)‚‚‚{audispd}(1709)
‚ ‚‚{auditd}(1707)
‚‚avahi-daemon(2157)‚‚‚avahi-daemon(2158)
‚‚bluetoothd(2024)
‚‚clamd(10235)‚‚‚{clamd}(10236)
‚‚console-kit-dae(1885)‚‚¨‚{console-kit-dae}(1886)
‚ ‚‚{console-kit-dae}(1888)
‚ ‚‚{console-kit-dae}(1889)
‚ ‚‚{console-kit-dae}(1890)
‚ ‚‚{console-kit-dae}(1891)
‚ ‚‚{console-kit-dae}(1893)
‚ ‚‚{console-kit-dae}(1894)
‚ ‚‚{console-kit-dae}(1895)
‚ ‚‚{console-kit-dae}(1896)
‚ ‚‚{console-kit-dae}(1897)
‚ ‚‚{console-kit-dae}(1898)
‚ ‚‚{console-kit-dae}(1899)
‚ ‚‚{console-kit-dae}(1900)
‚ ‚‚{console-kit-dae}(1901)
‚ ‚‚{console-kit-dae}(1902)
‚ ‚‚{console-kit-dae}(1903)
‚ ‚‚{console-kit-dae}(1904)
‚ ‚‚{console-kit-dae}(1905)
‚ ‚‚{console-kit-dae}(1906)
‚ ‚‚{console-kit-dae}(1907)
‚ ‚‚{console-kit-dae}(1908)
‚ ‚‚{console-kit-dae}(1909)
‚ ‚‚{console-kit-dae}(1910)
‚ ‚‚{console-kit-dae}(1911)
‚ ‚‚{console-kit-dae}(1912)
‚ ‚‚{console-kit-dae}(1913)
‚ ‚‚{console-kit-dae}(1914)
‚ ‚‚{console-kit-dae}(1915)
‚ ‚‚{console-kit-dae}(1916)
‚ ‚‚{console-kit-dae}(1917)
‚ ‚‚{console-kit-dae}(1918)
‚ ‚‚{console-kit-dae}(1919)
‚ ‚‚{console-kit-dae}(1920)
‚ ‚‚{console-kit-dae}(1921)
‚ ‚‚{console-kit-dae}(1922)
‚ ‚‚{console-kit-dae}(1923)
‚ ‚‚{console-kit-dae}(1924)
‚ ‚‚{console-kit-dae}(1925)
‚ ‚‚{console-kit-dae}(1926)
‚ ‚‚{console-kit-dae}(1927)
‚ ‚‚{console-kit-dae}(1928)
‚ ‚‚{console-kit-dae}(1929)
‚ ‚‚{console-kit-dae}(1930)
‚ ‚‚{console-kit-dae}(1931)
‚ ‚‚{console-kit-dae}(1932)
‚ ‚‚{console-kit-dae}(1933)
‚ ‚‚{console-kit-dae}(1934)
‚ ‚‚{console-kit-dae}(1935)
‚ ‚‚{console-kit-dae}(1936)
‚ ‚‚{console-kit-dae}(1937)
‚ ‚‚{console-kit-dae}(1938)
‚ ‚‚{console-kit-dae}(1939)
‚ ‚‚{console-kit-dae}(1940)
‚ ‚‚{console-kit-dae}(1941)
‚ ‚‚{console-kit-dae}(1942)
‚ ‚‚{console-kit-dae}(1943)
‚ ‚‚{console-kit-dae}(1944)
‚ ‚‚{console-kit-dae}(1945)
‚ ‚‚{console-kit-dae}(1946)
‚ ‚‚{console-kit-dae}(1947)
‚ ‚‚{console-kit-dae}(3067)
‚ ‚‚{console-kit-dae}(3966)
‚‚crond(2128)
‚‚cupsd(2167)
‚‚dbus-daemon(1820)
‚‚freshclam(10243)
‚‚gpm(2099)
‚‚hald(1882)‚‚‚hald-runner(1948)‚‚¨‚hald-addon-acpi(2039)
‚ ‚‚hald-addon-inpu(2116)
‚‚irqbalance(1743)
‚‚kerneloops(2137)
‚‚login(2197)‚‚‚bash(3968)
‚‚mingetty(2195)
‚‚mingetty(2196)
‚‚mingetty(2198)
‚‚mingetty(2199)
‚‚miniserv.pl(2191)
‚‚python(2118)‚‚¨‚openvpn(2296)‚‚‚openvpn(2299)
‚ ‚‚python(2190)
‚ ‚‚{python}(3069)
‚‚rpc.idmapd(1806)
‚‚rpc.statd(1768)
‚‚rpcbind(1750)
‚‚rsyslogd(1731)‚‚¨‚{rsyslogd}(1733)
‚ ‚‚{rsyslogd}(1734)
‚ ‚‚{rsyslogd}(10556)
‚‚sshd(2090)‚‚¨‚sshd(4392)‚‚‚bash(4395)‚‚‚vi(10343)
‚ ‚‚sshd(10345)‚‚‚bash(10348)
‚ ‚‚sshd(10554)‚‚‚bash(10557)‚‚‚pstree(10593)
‚‚udevd(620)
[root@smartgateway ~]#
 
Old 02-11-2010, 04:20 AM   #10
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 681Reputation: 681Reputation: 681Reputation: 681Reputation: 681Reputation: 681
It would be easier to make things out if you put it inside code blocks and include just the pertinant section of the output.

Does this part mean that someone logged in through the vpn connection:
Code:
‚‚mingetty(2199)
 ‚‚miniserv.pl(2191)
 ‚‚python(2118)‚‚¨‚openvpn(2296)‚‚‚openvpn(2299)
 ‚ ‚‚python(2190)
Could you look at this part, and post it inside code blocks to preserve the indentation? Also if possible try changing the character encoding of the terminal program, such as konsole, to utf-8 so that the graphic characters are printed.

Also another way to look at the command line is "ps -ef | grep <PID>" where <PID> is the process number. It shows both the PID and the PPID of each process. pstree is easier to read because the indentation and the grouping show the parent-child relationships at a glance.

On google, I found that miniserv.pl is a script that Webmin uses. Are you using webmin? Check your webmin version and what everything, that is a child of the miniserv process, does.
http://secunia.com/advisories/17749/

If these processes and port usages are legit, you found your answer. If not then your work has just begun.

Also another answer to your original question is to run "getent services <port #>".
NMAP also has it's own services file which is where it gets the info it supplies about the ports.

Look at this similar line from one of your previous posts:
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 5336 2167/cupsd

This is the web interface for the cups service, you could use to configure your printers.

Last edited by jschiwal; 02-11-2010 at 04:43 AM.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
does this question belong here? usrlinux Linux - Newbie 6 03-19-2007 06:22 AM
OS X doesn't belong here. jens Other *NIX 26 09-24-2004 07:05 PM
How many belong to a LUG?? eskiled General 7 09-20-2004 06:47 PM
this doesn;t belong anywhere else, i figured ... h/w Programming 11 01-25-2004 03:52 PM
Can a file belong to more than one group? lostboy Linux - General 2 11-08-2003 11:14 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration