Say you’re being a good sysadmin and you’re checking out listeners on your machines:<\/p>\n
\r\nroot@deathstar:~# netstat -pant | grep LISTEN\r\ntcp 0 0 127.0.0.1:873 0.0.0.0:* LISTEN 3947\/rsync \r\ntcp 0 0 0.0.0.0:8649 0.0.0.0:* LISTEN 3826\/gmond \r\ntcp 0 0 192.168.10.122:9102 0.0.0.0:* LISTEN 4167\/bacula-fd \r\ntcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3229\/portmap \r\ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3468\/sshd \r\ntcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3930\/master \r\ntcp 0 0 0.0.0.0:44572 0.0.0.0:* LISTEN - \r\ntcp 0 0 0.0.0.0:34271 0.0.0.0:* LISTEN 3247\/rpc.statd \r\ntcp6 0 0 :::22 :::* LISTEN 3468\/sshd \r\n<\/pre>\nlolwut is listening on 44572 ?<\/p>\n
\r\n lsof -i -n -P | grep 44572\r\n<\/pre>\nreturns nothing! IT MUST BE A ROOTKIT!!eleventy!!! <\/p>\n
Wait – maybe portmapper has assigned it to a kernel-level server?<\/p>\n
\r\nroot@deathstar:~# pmap_dump\r\n 100000 2 tcp 111 portmapper\r\n 100000 2 udp 111 portmapper\r\n 100024 1 udp 44915 status\r\n 100024 1 tcp 34271 status\r\n 100021 1 tcp 44572 nlockmgr\r\n 100021 3 tcp 44572 nlockmgr\r\n 100021 4 tcp 44572 nlockmgr\r\n<\/pre>\nWhew- it’s nlockmgr, part of nfs file locking. <\/p>\n
So the moral of the story – just because netstat can’t determine a program or pid doesn’t mean you’re in trouble. Check portmapper’s assignments via pmap_dump first, as it might be innocuous. <\/p>\n
Apparently netstat can be made aware of portmapper assignments, but it doesn’t appear it is aware of kernel level services – or – it just doesn’t work for me.<\/p>\n","protected":false},"excerpt":{"rendered":"
Say you’re being a good sysadmin and you’re checking out listeners on your machines: root@deathstar:~# netstat -pant | grep LISTEN tcp 0 0 127.0.0.1:873 0.0.0.0:* LISTEN 3947\/rsync tcp 0 0 0.0.0.0:8649 0.0.0.0:* LISTEN 3826\/gmond tcp 0 0 192.168.10.122:9102 0.0.0.0:* LISTEN … Continue reading