[TriLUG] Server Oddness

Jeremy Portzer jeremyp at pobox.com
Fri Jul 2 10:08:38 EDT 2004


On Fri, 2004-07-02 at 09:52, Jason Purdy wrote:
> John Franklin wrote:
> 
> > Did you try netstat -p?
> 
> I didn't know about that ... I gave it a whirl, but I'm not 
> understanding how that shows the affiliation w/ the port #.
> 
> The active sockets part of that display doesn't show the port # ... i.e.:
> 
> Proto RefCnt Flags Type    State     I-Node PID/Program name    Path
> unix  29     [ ]   DGRAM             221    209/syslogd         /dev/log
> unix  2      [ ]   DGRAM             21683  3686/local
> unix  2      [ ]   DGRAM             21631  3675/local
> unix  3      [ ]   STREAM  CONNECTED 21565  1003/trivial-rewrit private/rewrite

Those are unix sockets, not TCP ports.

I usually use "netstat -tnpl" to show listening sockets.  See netstat's
man page, but "-t" means TCP only, "-n" means don't resolve IPs or port
numbers into names, "-p" means show process ID, "-l" means show
listening sockets only.

Here's an example from my workstation:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      2305/rpc.statd
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      25960/spamd -d -c -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2286/portmap
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      2720/X
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2429/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      22707/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2452/sendmail: acce

Note how the PID is right before the slash in the last column.

Also note that if you've been rooted, netstat has most likely been
replaced by a rootkit.  So you should copy a known good copy of
netstat from another machine and run the good copy.  This won't help,
though, if the rootkit is smart enough to intercept the system calls to
hide itself.

--Jeremy

-- 
/---------------------------------------------------------------------\
| Jeremy Portzer        jeremyp at pobox.com      trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/
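An added example, not from the post or the list: a cross-check that reads the kernel's /proc/net/tcp table directly and reports listeners that a `netstat -tnpl` listing omits. This catches a replaced netstat binary but, as noted above, not a kernel-level rootkit that filters /proc as well. Both inputs are constructed samples (the netstat rows are taken from the listing in the post); on a live Linux box you would feed it the real outputs.

```python
"""Cross-check `netstat -tnpl` output against the kernel's /proc/net/tcp table.
A trojaned netstat can omit listeners; one that shows up only in /proc/net/tcp
deserves a look. Both inputs are constructed samples (netstat rows from the post)."""
import socket
import struct

NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2429/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      22707/cupsd
"""
# /proc/net/tcp: local_address is native-order (little-endian on x86) hex IP ":" hex port; st 0A = LISTEN
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1
   2: 00000000:1F56 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003 1
"""

def parse_netstat(text):
    """Map (ip, port) -> (pid, program) for the LISTEN rows of `netstat -tnpl`."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        ip, port = fields[3].rsplit(":", 1)                    # "127.0.0.1:631"
        pid, _, program = " ".join(fields[6:]).partition("/")  # "22707/cupsd"
        listeners[(ip, int(port))] = (int(pid), program)
    return listeners

def parse_proc_net_tcp(text):
    """Set of (ip, port) for sockets in state 0A (LISTEN) in /proc/net/tcp."""
    listeners = set()
    for line in text.splitlines()[1:]:                         # skip header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack("<L", int(hex_ip, 16)))
        listeners.add((ip, int(hex_port, 16)))
    return listeners

def hidden_listeners(netstat_text, proc_text):
    """Listening sockets the kernel reports that netstat's listing omits."""
    return sorted(parse_proc_net_tcp(proc_text) - set(parse_netstat(netstat_text)))

if __name__ == "__main__":
    for ip, port in hidden_listeners(NETSTAT_OUTPUT, PROC_NET_TCP):
        print(f"{ip}:{port} listens per /proc/net/tcp but is absent from netstat")
```

Against the constructed samples it reports the 0.0.0.0:8022 listener that the netstat rows do not show.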