How to get responding processes of those ports?

zkjian · 05-07-2007, 02:13 AM

can anyone tell me how to get the processes which opened the following ports and the files opened by these processes?

------------------------------------------------------------
[root@rac1 ~]# netstat -lnp | grep - | grep :
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:32861 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:6199 0.0.0.0:*
-----------------------------------------------------------

lsof -i | egrep '2049|32861:6199' give me nothing.

thanks

bathory · 05-07-2007, 02:38 AM

You can use:

Code:

netstat -tunapl|grep LISTEN

as well as

Code:

lsof|grep LISTEN

zkjian · 05-07-2007, 05:51 AM

thank you for your kind help, but still no display.

bathory · 05-07-2007, 08:18 AM

That's strange. What distro are you using? What is the output of:

Code:

lsof -i -n -P

zkjian · 05-07-2007, 11:51 PM

RHEL4

[root@lb1 ~]# netstat -lnp | grep : | grep -
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]# lsof -i -n -P | grep 32800
[root@lb1 ~]# lsof -i -n -P | grep 32770
[root@lb1 ~]# netstat -tunapl | grep LISTEN | grep 32
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
[root@lb1 ~]# netstat -tunapl | grep 32800
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
[root@lb1 ~]# netstat -tunapl | grep 32770
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]# lsof | grep LISTEN | grep 32800

bathory · 05-08-2007, 02:21 AM

It's indeed strange. Here is the output of the same commands in my Slackware box running squid:

Code:

netstat -tunapl | grep 32768
udp        0      0 0.0.0.0:32768           0.0.0.0:*                          1300/(squid)

lsof -i -n -P|grep 32768
squid      1300  squid    5u  IPv4   2353       UDP *:32768

If you suspect something use a live CD to scan your system for rootkits.

zkjian · 05-08-2007, 03:21 AM

not all service will hide his process name/PID,
just some special ones will do that, please see the following
example:

[root@lb1 ~]# /etc/init.d/nfs start
启动 NFS 服务：
[ 确定 ]
关掉 NFS 配额：[ 确定 ]
启动 NFS 守护进程：[ 确定 ]
启动 NFS mountd：[ 确定 ]
[root@lb1 ~]#
[root@lb1 ~]# netstat -lnp | grep : | grep -
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]#
[root@lb1 ~]# lsof | grep 2049
[root@lb1 ~]#
[root@lb1 ~]# /etc/init.d/nfs stop
关闭 NFS mountd：[ 确定 ]
关闭 NFS 守护进程：[ 确定 ]
关闭 NFS quotas：[ 确定 ]
关闭 NFS 服务： [ 确定 ]
[root@lb1 ~]# netstat -lnp | grep : | grep -
tcp 0 0 0.0.0.0:32800 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:32770 0.0.0.0:* -
[root@lb1 ~]#

i know it's certain service related to nfs which opened the port 2049,but i can't get which one(the process/PID) opened the port on
earth.
one of my partners told me it's the kernel which opens those ports
whose process name/PID are identified by -, such as nfs.
what do you think about his words?

bathory · 05-08-2007, 04:49 AM

You're right that nfsd is using those ports. Running

Code:

rpcinfo -p

will verify that these ports are used by nfsd.

Quote:

one of my partners told me it's the kernel which opens those ports
whose process name/PID are identified by -, such as nfs.
what do you think about his words?

You can say this, since nfs support is built in the kernel.