Ping a Specific Port

Question

Wrikken

Asked: 2012-02-02 04:09:44 +0800 CST2012-02-02 04:09:44 +0800 CST 2012-02-02 04:09:44 +0800 CST

Unknown process on port, lsof no help, nfs-kernel-server?

772

During a standard security sweep we found out a something was listening on a port unknown to us, 2030, and we are having trouble determining the source.

# netstat -anp | grep LIST
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -
....
tcp        0      0 0.0.0.0:2030            0.0.0.0:*               LISTEN      -

Both without a 'process'. Connecting to it yielded no information (disconnects after input, most likely because an expected protocol isn't followed), lsof -i :2030 also nothing. Just to make sure I copied over a new lsof binary, but I am not sure what extra, possibly compromised, libs it calls. The 2049 I know, which is from the nfs-kernel-server, which behaves the same way (no process information from netstat or lsof). Lo and behold, after restarting the nfs-kernel-server on the debian box, the process listening to 2030 disappeared....

So, my questions:

Should I be worried about a compromised box, or is this indeed an nfs-kernel-server issue?
If this is a nfs-kernel-server issue, what is happening exactly, why can't lsof show this information?

.

Linux 2.6.39-2-686-pae
nfs-kernel-server 1:1.2.3-3
lsof 4.81.dfsg.1-1

2 Answers

Voted

weeheavy · Answer 1 · 2012-02-02T04:25:29+08:00

weeheavy

2012-02-02T04:25:29+08:002012-02-02T04:25:29+08:00

Do you have for e.g. automounted NFS home directories? If yes, these listening ports will disappear some seconds/minutes after every user has logged out.

1

Travis Campbell · Answer 2 · 2012-02-02T08:35:57+08:00

Port 2049 is definitely associated with the in-kernel nfs service. On my system, I have nfsd running.

:;  sudo netstat -anp | grep LIST
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN      -

So, let's see if I'm running the kmod for this:

:;    lsmod | grep nfs
nfsd                  287337  17 
exportfs               38849  1 nfsd
auth_rpcgss            81889  1 nfsd
nfs                   298541  1 
lockd                 101297  3 nfsd,nfs
fscache                52385  1 nfs
nfs_acl                36673  2 nfsd,nfs
sunrpc                200073  19 nfsd,auth_rpcgss,nfs,lockd,nfs_acl

Yup! And now we'll check to see if the kernel threads are up:

:;  ps -aefd | grep nfs
root      3648   171  0  2011 ?        11:46:48 [nfsiod]
root      3882   171  0  2011 ?        00:00:00 [nfsd4]
root      3883     1  0  2011 ?        00:00:00 [nfsd]
root      3884     1  0  2011 ?        00:00:00 [nfsd]
root      3885     1  0  2011 ?        00:00:00 [nfsd]
root      3886     1  0  2011 ?        00:00:00 [nfsd]
root      3887     1  0  2011 ?        00:00:00 [nfsd]
root      3888     1  0  2011 ?        00:00:00 [nfsd]
root      3889     1  0  2011 ?        00:00:00 [nfsd]
root      3890     1  0  2011 ?        00:00:00 [nfsd]

Yup!

So at the very least, you can confirm this way that 2049 is actually NFS.

I don't know what 2030 is.

Unknown process on port, lsof no help, nfs-kernel-server?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?