LinuxQuestions.org
Old 07-28-2008, 01:43 PM   #1
jfroot
LQ Newbie
 
Registered: Jul 2008
Posts: 3

XPOST: Ports between 59873 and 60000 used by mystery process.


This was originally posted in the Red Hat sub-forum. However, I do not think this is a 'Red Hat' issue anymore but something more general.

For some reason I cannot bind any listening process to any port between 59872 and 60001.

I'll use nc for an example:

# nc -l 59872
.. works and listens ...

# nc -l 59873
nc: Address already in use

... < all ports in between> ...

# nc -l 60000
nc: Address already in use

# nc -l 60001
.. works and listens ...

So the obvious thing to check is netstat -nap.. Nothing on any of those ports listed. Next.. lsof.. also shows nothing on those ports listed.

So I thought maybe some trojan has taken over 128 of my ports.. so I ran rkhunter and chkrootkit and they had no results. This box is not even on the net so trojaning is unlikely. And I've never seen or heard of a trojan that takes over 128 ports. But maybe I'm uninformed?

SELinux is disabled also.

Now I'm at a loss.. does anyone have any ideas? Is it some kernel thing holding onto some high ports for outgoing use?

# cat /proc/sys/net/ipv4/ip_local_port_range
32768 55000
(I lowered it to 55000 just to make sure that wasn't the issue)

BOX is: Red Hat Enterprise Linux Server release 5.1 (Tikanga)
Kernel: 2.6.18-53.1.14.el5 #1 SMP Tue Feb 19 07:18:46 EST 2008 x86_64 x86_64 x86_64 GNU/Linux

Rebooting has no effect, ports are still used. Even in runlevel 1 the ports are used.
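
An added example, not part of the original post or of any reply: the manual check described above (try to bind each port, then look for a socket that explains the refusal) as a script that reports the ports where bind fails with no matching socket table entry. The probed range 59860-60010, the function names and the sample socket table are assumptions made for illustration; the sample rows are constructed.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp layout (not data from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8124 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

def visible_ports(proc_text):
    """Local ports of all sockets (any state) in /proc/net/tcp or tcp6 text."""
    rows = (line.split() for line in proc_text.splitlines()[1:])
    return {int(f[1].rsplit(":", 1)[1], 16) for f in rows if len(f) > 1}

def bind_fails(port, host="0.0.0.0"):
    """True if bind() returns EADDRINUSE, the error `nc -l PORT` printed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return False
        except OSError as e:
            if e.errno != errno.EADDRINUSE:
                raise  # e.g. EACCES is a different problem; do not hide it
            return True

def unexplained(ports, visible, probe=bind_fails):
    """Ports where bind fails although no listed socket holds the port."""
    return [p for p in ports if p not in visible and probe(p)]

def to_ranges(ports):
    """Collapse ports into (first, last) runs so a blocked range stands out."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges

if __name__ == "__main__":
    seen = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        with open(path) as f:
            seen |= visible_ports(f.read())
    hidden = unexplained(range(59860, 60011), seen)
    print("bind fails, no visible socket:", to_ranges(hidden))
```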
 
Old 07-28-2008, 01:55 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. This thread is being closed because it is a duplicate of http://www.linuxquestions.org/questi...-60000-658298/.

You're relatively new to LQ so you may not know that by using the report button you can request moving a thread to another forum if you find it would be more appropriate there. So next time please use that procedure. Since your previous thread has replies already which are not completely acted upon (at least not posted back wrt LKML) I would appreciate it if you continue there for the time being; this post will then serve as a redirect there.
 
  

