[SOLVED] cannot identify process associated with open port
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm trying to understand why a port is kept open on my linux server, but I cannot associate it with any process whatsoever, so I'm not really sure what is running there.
netstat -tulpn shows:
That's not the issue. Everything is run as root. Otherwise I wouldn't have seen most (if any) of the processes that are already displayed by netstat.
Telnetting to 33855 does work, but I'm not sure what it expects.
PID of the process would probably have been all I wanted, but lsof doesn't show anything at all related to these two ports. Only ss and netstat do.
I should also mention that this is also the behaviour of docker swarm when you initiate it. No related process is being shown, but I know the port pops up in netstat/ss. In that case, of course, it's easy to trace it back to swarm, because it's a known port.
This is what I've got based on the link you've shared.
find -inum 14772
Quote:
ls -li /usr/share/man/man2/ustat.2.gz
14772 -rw-r--r-- 1 root root 1800 Feb 15 2016 /usr/share/man/man2/ustat.2.gz
Quote:
root@prod-postgresql:~# ls -li /sys/devices/virtual/tty/tty58/dev
14772 -r--r--r-- 1 root root 4096 Feb 26 16:10 /sys/devices/virtual/tty/tty58/dev
I'm also a little bit suspscious of the fact that something has opened a sort of running service there and it's listening to. Now I'm thinking of some kind of malware, I'm not sure.
If I connect through telnet to the port, I get this:
Code:
Feb 26 16:39:01 vm1010798 kernel: [8494225.482696] RPC: fragment too large: 218762506
Feb 26 16:39:05 vm1010798 kernel: [8494229.126107] RPC: fragment too large: 218762506
Feb 26 16:39:10 vm1010798 kernel: [8494234.076411] RPC: fragment too large: 218762506
Feb 26 16:39:16 vm1010798 kernel: [8494240.059684] RPC: fragment too large: 1634929930
So it's seems to be related to the NFS client installed on the server. I'm not sure why it's listening on that port, but never mind. It's quite clear, I guess.
Yes. I get one of these records from "netstat -anp" and it's related to running the nfs-server service. "nmap" sees it and stopping the service makes the port use go away. Not sure about the other one I'm seeing but nmap's not seeing. I'm assuming it's something similar at play so my hair's not on fire.
This is the sort of thing that would have driven the security compliance team I worked with some years ago right up the wall. (The electrical power generation industry gets a little testy about port use they cannot attribute to software that should be running on systems.)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
