LinuxQuestions.org


Flowsen 10-07-2011 10:33 AM

php-cgi using ports in 34xx~59xx range
 
Hello,

I was informed by rootkit hunter (rkhunter) that port 47108 is opened by php-cgi.
After investigating I found out that this was a false positive. The system seems *not* to be infected.

"netstat -anp|grep php-cgi"
shows

Quote:

tcp 0 0 127.0.0.1:44279 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:59826 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
tcp 0 0 127.0.0.1:49386 127.0.0.1:3306 ESTABLISHED 31746/php-cgi
tcp 0 0 127.0.0.1:44277 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:49388 127.0.0.1:3306 ESTABLISHED 31746/php-cgi
tcp 0 0 127.0.0.1:59825 127.0.0.1:3306 ESTABLISHED 31276/php-cgi
tcp 0 0 127.0.0.1:49385 127.0.0.1:3306 ESTABLISHED 31746/php-cgi
tcp 0 0 127.0.0.1:44276 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:59822 127.0.0.1:3306 ESTABLISHED 31276/php-cgi
tcp 0 0 127.0.0.1:34342 127.0.0.1:3306 ESTABLISHED 14033/php-cgi
tcp 0 0 127.0.0.1:59820 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
tcp 0 0 127.0.0.1:59819 127.0.0.1:3306 ESTABLISHED 31276/php-cgi
tcp 0 0 127.0.0.1:59821 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
tcp 0 0 127.0.0.1:34345 127.0.0.1:3306 ESTABLISHED 14033/php-cgi
tcp 0 0 127.0.0.1:34343 127.0.0.1:3306 ESTABLISHED 14033/php-cgi

and "netstat -anp|grep mysql" shows

Quote:

tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:44277 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:34343 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59819 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:34342 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:44276 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59825 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59820 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59821 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:49385 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59826 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:49388 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:59822 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:34345 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:49386 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:44279 ESTABLISHED 29247/mysqld

I am using apache with fcgi and php. It seems that every connection/fcgi process opens an internal port to handle the request and parse the result to apache.

As far as I can see this should be a normal procedure? But can anyone tell me how I can define the dynamic port range to exclude certain ports?

Kind Regards
Flowsen
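
An added example, not part of the original post: a shell function that takes `netstat -anp` output and tells whether a flagged port has a listener behind it or is only the ephemeral source port of an outbound connection, as in the php-cgi to MySQL connections above. The function names, the sample lines (copied from the listings in the post) and the range 32768-61000 are assumptions of this example; read the real range from `/proc/sys/net/ipv4/ip_local_port_range`.

```shell
#!/bin/sh
# classify_port PORT LOW HIGH   (reads `netstat -anp` lines on stdin)
# Prints one of:
#   listen                       a socket is LISTENing on PORT: investigate it
#   ephemeral PEER PID/PROG      PORT is only the local end of ESTABLISHED
#                                connections and lies inside LOW..HIGH
#   established-outside-range    connected, but not an auto-assigned port
#   not-found                    PORT is not a local port in the input
classify_port() {
    awk -v port="$1" -v low="$2" -v high="$3" '
    $1 ~ /^tcp/ {
        n = split($4, a, ":")          # local address; the port is the last field
        if (a[n] != port) next
        if ($6 == "LISTEN") listen = 1
        else if ($6 == "ESTABLISHED") { est = 1; peer = $5; owner = $7 }
    }
    END {
        if (listen) print "listen"
        else if (est && port >= low && port <= high) print "ephemeral " peer " " owner
        else if (est) print "established-outside-range"
        else print "not-found"
    }'
}

# Sample input: four lines taken from the netstat listings in the post.
sample_netstat() {
cat <<'EOF'
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 29247/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:44279 ESTABLISHED 29247/mysqld
tcp 0 0 127.0.0.1:44279 127.0.0.1:3306 ESTABLISHED 12511/php-cgi
tcp 0 0 127.0.0.1:59826 127.0.0.1:3306 ESTABLISHED 31277/php-cgi
EOF
}

# 32768 61000 is an assumed range for this demo, not a value from the post.
sample_netstat | classify_port 44279 32768 61000
sample_netstat | classify_port 3306 32768 61000

# Live use, with the range the kernel is actually configured with:
#   netstat -anp | classify_port 47108 $(cat /proc/sys/net/ipv4/ip_local_port_range)
```

On kernels that provide the `net.ipv4.ip_local_reserved_ports` sysctl, ports listed there are skipped when the kernel auto-assigns source ports, which keeps a port that a scanner watches out of the dynamic range without shrinking `ip_local_port_range`.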

