[plug] Strange process listening on random ports
Alexander Hartner
alex at j2anywhere.com
Tue Jun 4 04:53:58 UTC 2013
Never mind me. The process listening on this port is related to NFS / Automount. Running rpcinfo -p showed that process to be nlockmgr.
Now I just have to figure out how to stop it from changing ports all the time.
Alex
On 04/06/2013, at 12:44 PM, Alexander Hartner <alex at j2anywhere.com> wrote:
> Hi all,
>
> I am currently investigating a rather strange issue where every couple of minutes a new port is being listened on. To trace this issue I created a quick shell script to dump me all processes and their open ports to a file:
>
> #!/bin/bash
> echo "==============================================" >> /tmp/traceports.log
> date >> /tmp/traceports.log
> echo "==============================================" >> /tmp/traceports.log
> /usr/sbin/lsof -i -P >> /tmp/traceports.log
> echo "==============================================" >> /tmp/traceports.log
> netstat -tulpn >> /tmp/traceports.log
> echo "==============================================" >> /tmp/traceports.log
> echo "Done" >> /tmp/traceports.log
>
> At one point, for example, port 36281 was listened on. However, the output from the log file didn't provide much insight into the source or purpose. LSOF didn't even list this port / process while NETSTAT indicated that the process was "-" (tcp 0 0 0.0.0.0:36281 0.0.0.0:* LISTEN - )
>
> Any idea how I can investigate this further and isolate the process or application which is listening on these ports?
>
> Thanks in advance for any pointers.
> Alex
>
> ==============================================
> Tue Jun 4 04:40:02 UTC 2013
> ==============================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> master 1119 root 12u IPv4 11310 0t0 TCP localhost:25 (LISTEN)
> master 1119 root 13u IPv6 11312 0t0 TCP localhost:25 (LISTEN)
> rpcbind 3402 rpc 8u IPv4 33084 0t0 UDP *:111
> rpcbind 3402 rpc 9u IPv4 33088 0t0 UDP *:609
> rpcbind 3402 rpc 10u IPv4 33089 0t0 TCP *:111 (LISTEN)
> rpcbind 3402 rpc 11u IPv6 33091 0t0 UDP *:111
> rpcbind 3402 rpc 12u IPv6 33093 0t0 UDP *:609
> rpcbind 3402 rpc 13u IPv6 33094 0t0 TCP *:111 (LISTEN)
> rpc.statd 4050 rpcuser 5u IPv4 42097 0t0 UDP *:834
> rpc.statd 4050 rpcuser 8u IPv4 42104 0t0 UDP *:38979
> rpc.statd 4050 rpcuser 9u IPv4 42108 0t0 TCP *:48234 (LISTEN)
> rpc.statd 4050 rpcuser 10u IPv6 42112 0t0 UDP *:42649
> rpc.statd 4050 rpcuser 11u IPv6 42116 0t0 TCP *:34077 (LISTEN)
> sshd 4315 root 3u IPv4 45281 0t0 TCP *:22 (LISTEN)
> sshd 4315 root 4u IPv6 45283 0t0 TCP *:22 (LISTEN)
> ntpd 4447 ntp 16u IPv4 45597 0t0 UDP *:123
> ntpd 4447 ntp 17u IPv6 45598 0t0 UDP *:123
> ntpd 4447 ntp 18u IPv6 45602 0t0 UDP localhost:123
> ntpd 4447 ntp 19u IPv6 45603 0t0 UDP [fe80::5477:49ff:fe7d:d451]:123
> ntpd 4447 ntp 20u IPv4 45604 0t0 UDP localhost:123
> ntpd 4447 ntp 21u IPv4 45605 0t0 UDP th-dc03-con01.one.local:123
> osad 4487 root 3u IPv4 45703 0t0 TCP th-dc03-con01.one.local:52769->th-dc03-space01.one.local:5222 (ESTABLISHED)
> sshd 7216 root 3u IPv4 20723320 0t0 TCP th-dc03-con01.one.local:22->10.104.97.54:34982 (ESTABLISHED)
> sshd 7218 ahartner 3u IPv4 20723320 0t0 TCP th-dc03-con01.one.local:22->10.104.97.54:34982 (ESTABLISHED)
> zabbix_ag 19024 zabbix 4u IPv4 1169196 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19024 zabbix 8u IPv6 1169197 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19025 zabbix 4u IPv4 1169196 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19025 zabbix 8u IPv6 1169197 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19026 zabbix 4u IPv4 1169196 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19026 zabbix 8u IPv6 1169197 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19027 zabbix 4u IPv4 1169196 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19027 zabbix 8u IPv6 1169197 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19028 zabbix 4u IPv4 1169196 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19028 zabbix 8u IPv6 1169197 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19029 zabbix 4u IPv4 1169196 0t0 TCP *:10050 (LISTEN)
> zabbix_ag 19029 zabbix 8u IPv6 1169197 0t0 TCP *:10050 (LISTEN)
> java 20573 lpm 10u IPv6 15562206 0t0 TCP *:48082 (LISTEN)
> java 20573 lpm 11u IPv6 15562353 0t0 TCP *:48081 (LISTEN)
> java 20573 lpm 12u IPv6 16327122 0t0 TCP localhost:48081->localhost:52568 (ESTABLISHED)
> java 20573 lpm 14u IPv6 15562358 0t0 TCP *:5435 (LISTEN)
> java 20573 lpm 20u IPv6 16327138 0t0 TCP localhost:48081->localhost:52569 (ESTABLISHED)
> java 20573 lpm 21u IPv6 16327149 0t0 TCP localhost:48081->localhost:52570 (ESTABLISHED)
> java 20582 lpm 40u IPv6 15562469 0t0 TCP *:8080 (LISTEN)
> java 20582 lpm 41u IPv6 15562476 0t0 TCP *:8443 (LISTEN)
> java 20582 lpm 42u IPv6 16327137 0t0 TCP localhost:52569->localhost:48081 (ESTABLISHED)
> java 20582 lpm 87u IPv6 16327121 0t0 TCP localhost:52568->localhost:48081 (ESTABLISHED)
> java 20582 lpm 88u IPv6 16327148 0t0 TCP localhost:52570->localhost:48081 (ESTABLISHED)
> java 20582 lpm 92u IPv6 17443300 0t0 TCP th-dc03-con01.one.local:33654->10.103.45.97:8443 (CLOSE_WAIT)
> java 20582 lpm 96u IPv6 17443330 0t0 TCP th-dc03-con01.one.local:35346->10.103.45.105:8443 (CLOSE_WAIT)
> java 20582 lpm 99u IPv6 17443309 0t0 TCP th-dc03-con01.one.local:36762->10.103.45.102:8443 (CLOSE_WAIT)
> java 20582 lpm 101u IPv6 17443310 0t0 TCP th-dc03-con01.one.local:36763->10.103.45.102:8443 (CLOSE_WAIT)
> java 20582 lpm 103u IPv6 17443312 0t0 TCP th-dc03-con01.one.local:51976->10.103.45.99:8443 (CLOSE_WAIT)
> java 20582 lpm 105u IPv6 17443314 0t0 TCP th-dc03-con01.one.local:51977->10.103.45.99:8443 (CLOSE_WAIT)
> java 20582 lpm 109u IPv6 17443320 0t0 TCP th-dc03-con01.one.local:52449->10.103.45.103:8443 (CLOSE_WAIT)
> java 20582 lpm 114u IPv6 17443325 0t0 TCP th-dc03-con01.one.local:44779->10.103.45.104:8443 (CLOSE_WAIT)
> java 20582 lpm 115u IPv6 17443326 0t0 TCP th-dc03-con01.one.local:44780->10.103.45.104:8443 (CLOSE_WAIT)
> java 20582 lpm 117u IPv6 17443328 0t0 TCP th-dc03-con01.one.local:35345->10.103.45.105:8443 (CLOSE_WAIT)
> .vasd 22532 daemon 14u IPv4 20755165 0t0 TCP th-dc03-con01.one.local:49161->th-dc03-ad02.one.local:389 (ESTABLISHED)
> ossec-age 29917 ossec 16u IPv4 1505336 0t0 UDP th-dc03-con01.one.local:48001->th-dc03-hids01.one.local:1514
> ==============================================
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3402/rpcbind
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4315/sshd
> tcp 0 0 0.0.0.0:36281 0.0.0.0:* LISTEN -
> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1119/master
> tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 19024/zabbix_agentd
> tcp 0 0 0.0.0.0:48234 0.0.0.0:* LISTEN 4050/rpc.statd
> tcp 0 0 :::111 :::* LISTEN 3402/rpcbind
> tcp 0 0 :::8080 :::* LISTEN 20582/java
> tcp 0 0 :::48081 :::* LISTEN 20573/java
> tcp 0 0 :::48082 :::* LISTEN 20573/java
> tcp 0 0 :::22 :::* LISTEN 4315/sshd
> tcp 0 0 ::1:25 :::* LISTEN 1119/master
> tcp 0 0 :::35675 :::* LISTEN -
> tcp 0 0 :::8443 :::* LISTEN 20582/java
> tcp 0 0 :::5435 :::* LISTEN 20573/java
> tcp 0 0 :::34077 :::* LISTEN 4050/rpc.statd
> tcp 0 0 :::10050 :::* LISTEN 19024/zabbix_agentd
> udp 0 0 0.0.0.0:111 0.0.0.0:* 3402/rpcbind
> udp 0 0 10.103.20.29:123 0.0.0.0:* 4447/ntpd
> udp 0 0 127.0.0.1:123 0.0.0.0:* 4447/ntpd
> udp 0 0 0.0.0.0:123 0.0.0.0:* 4447/ntpd
> udp 0 0 0.0.0.0:834 0.0.0.0:* 4050/rpc.statd
> udp 0 0 0.0.0.0:38979 0.0.0.0:* 4050/rpc.statd
> udp 0 0 0.0.0.0:42334 0.0.0.0:* -
> udp 0 0 0.0.0.0:609 0.0.0.0:* 3402/rpcbind
> udp 0 0 :::111 :::* 3402/rpcbind
> udp 0 0 fe80::5477:49ff:fe7d:d45:123 :::* 4447/ntpd
> udp 0 0 ::1:123 :::* 4447/ntpd
> udp 0 0 :::123 :::* 4447/ntpd
> udp 0 0 :::42649 :::* 4050/rpc.statd
> udp 0 0 :::45386 :::* -
> udp 0 0 :::609 :::* 3402/rpcbind
> ==============================================
> Done
> [root@
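The cross-check described in this thread (netstat rows whose owner is "-", resolved through `rpcinfo -p`), as an added example that is not part of the original messages. The netstat rows are copied from the log above; the rpcinfo lines are constructed, port 35675 is deliberately left out of them to show the unmatched case, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: explain listeners that netstat shows with no owning process ("-")
# by matching proto/port against the rpcbind registrations from `rpcinfo -p`.
# On a live host, feed it "$(netstat -tulpn)" and "$(rpcinfo -p)" instead.

# Rows taken from the netstat section of the log in this thread.
NETSTAT_SAMPLE='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4315/sshd
tcp 0 0 0.0.0.0:36281 0.0.0.0:* LISTEN -
tcp 0 0 :::35675 :::* LISTEN -
udp 0 0 0.0.0.0:42334 0.0.0.0:* -
udp 0 0 0.0.0.0:834 0.0.0.0:* 4050/rpc.statd'

# Constructed rpcinfo -p output (not from the thread).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100024    1   tcp  48234  status
    100021    1   udp  42334  nlockmgr
    100021    4   tcp  36281  nlockmgr'

# stdin: netstat text. stdout: "proto port" for each row whose last column is "-".
ownerless_listeners() {
    awk '($1 ~ /^(tcp|udp)/) && $NF == "-" {
        n = split($4, a, ":")      # port is the text after the last colon
        sub(/6$/, "", $1)          # fold tcp6/udp6 into tcp/udp
        print $1, a[n]
    }' | sort -u
}

# $1: netstat text, $2: rpcinfo text.
# stdout: "proto port service"; service is UNREGISTERED when rpcbind has no
# entry for that proto/port, which is the case that still needs investigating.
explain_ownerless() {
    printf '%s\n' "$1" | ownerless_listeners | while read -r proto port; do
        svc=$(printf '%s\n' "$2" | awk -v p="$proto" -v n="$port" \
            '$3 == p && $4 == n { print $5; exit }')
        echo "$proto $port ${svc:-UNREGISTERED}"
    done
}

explain_ownerless "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```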