[Gllug] listening port not shown in netstat
Julian Somers
lists at bigpip.com
Wed Jul 20 14:41:42 UTC 2005
Hi,
I have a new Gentoo install here. When I do a port scan with nmap -sS I
get an open port that I didn't ask for:
(The 1660 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
113/tcp closed auth
5190/tcp open aol
I can't see what's listening on 5190:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 272 x.x.x.x:22 x.x.x.x:63408 ESTABLISHED
udp 0 0 0.0.0.0:161 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 5786 /dev/log
unix 3 [ ] STREAM CONNECTED 16603
unix 3 [ ] STREAM CONNECTED 16602
unix 2 [ ] DGRAM 6306
I can't see anything I didn't ask for in ps either.
carp root # ps ax
PID TTY STAT TIME COMMAND
1 ? S 0:00 init [3]
2 ? S 0:00 [migration/0]
3 ? SN 0:00 [ksoftirqd/0]
4 ? S< 0:00 [events/0]
5 ? S< 0:00 [khelper]
10 ? S< 0:00 [kthread]
18 ? S< 0:00 [kacpid]
97 ? S< 0:00 [kblockd/0]
110 ? S 0:00 [khubd]
168 ? S 0:00 [pdflush]
169 ? S 0:00 [pdflush]
171 ? S< 0:00 [aio/0]
170 ? S 0:00 [kswapd0]
758 ? S 0:00 [kseriod]
815 ? S< 0:00 [ata/0]
817 ? S 0:00 [khpsbpkt]
847 ? S 0:00 [kjournald]
976 ? Ss 0:00 /sbin/devfsd /dev
5172 ? S 0:04 [kjournald]
5864 ? Ss 0:01 metalog [MASTER]
5865 ? S 0:00 metalog [KERNEL]
6413 ? Ss 0:00 /usr/sbin/sshd
6456 ? Ss 0:00 /usr/sbin/cron
6473 tty1 Ss+ 0:00 /sbin/agetty 38400 tty1 linux
6475 tty2 Ss+ 0:00 /sbin/agetty 38400 tty2 linux
6476 tty3 Ss+ 0:00 /sbin/agetty 38400 tty3 linux
6477 tty4 Ss+ 0:00 /sbin/agetty 38400 tty4 linux
6478 tty5 Ss+ 0:00 /sbin/agetty 38400 tty5 linux
6480 tty6 Ss+ 0:00 /sbin/agetty 38400 tty6 linux
6481 ? Ss 0:00 /bin/sh /root/soft-power-button.sh
16572 ? Ss 0:00 sshd: julian [priv]
16574 ? S 0:01 sshd: julian@pts/0
16575 pts/0 Ss 0:00 -bash
16579 pts/0 S 0:00 su -
16580 pts/0 S 0:00 -bash
17533 ? S 0:00 /usr/sbin/snmpd -p /var/run/snmpd.pid
2550 pts/0 R+ 0:00 ps ax
I did the install last week, and it's been on my LAN until now. If it's been
tampered with, it's from inside my LAN :-(
chkrootkit is clean (even after reinstalling ps and netstat)
Am I overlooking something?
Thanks for your time,
Julian
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
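
Added example, not part of the original post: a cross-check of the ports a scan reports open against the LISTEN sockets in a /proc/net/tcp-format table, which is the kernel table netstat prints, read without going through the netstat binary. The function names and the sample table are constructed for illustration, and the address decoding assumes a little-endian (x86) host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from the poster's host):
# one LISTEN socket on port 22 (0x0016) and one ESTABLISHED ssh session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6413 1 0000000000000000 100 0 0 10 0
   1: 0A00A8C0:0016 0500A8C0:F7B0 01 00000110:00000000 01:00000014 00000000     0        0 16603 4 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # kernel TCP state value for LISTEN


def parse_listeners(table_text):
    """Return {port: [local addresses]} for sockets in LISTEN state."""
    listeners = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        # Assumption: little-endian host, so the hex address is byte-swapped.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.setdefault(int(port_hex, 16), []).append(addr)
    return listeners


def unexplained_ports(scan_open_ports, table_text):
    """Ports a scan reports open that have no LISTEN socket in the table."""
    listening = parse_listeners(table_text)
    return sorted(p for p in scan_open_ports if p not in listening)


if __name__ == "__main__":
    # Open ports as reported by the nmap scan in the post.
    print(unexplained_ports({22, 5190}, SAMPLE_PROC_NET_TCP))
    # On a live Linux host, pass open("/proc/net/tcp").read() instead.
```

A port left in the result has no listener in this host's IPv4 socket table; IPv6 listeners are listed separately in /proc/net/tcp6, which uses the same columns with longer hex addresses.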