Listening on "mysterious" ports

Hi,

I just tried a port scan on one of my machines (Ubuntu desktop, but
working as a file server (Samba) inside my home LAN), and am
surprised and worried to see that it is listening on ports 48038 and
50075.

Rings a bell to anyone? Any familiar rootkits / backdoors?

netstat -p -l | egrep "48038|50075" does not report a PID for port
48038 --- 50075 corresponds to rpc.statd, which I guess is related
to samba server? (my question is: why?) --- oh, here's the
exact output:

tcp 0 0 *:48038 *:*
LISTEN -
tcp 0 0 *:50075 *:*
LISTEN 5622/rpc.statd

A Google search returns nothing about malware using these
ports. Anyone?

Thanks,

Carlos
--

On Mon, 25 May 2009 08:02:12 -0400, Carlos Moreno <cm_news RemoveThis @mailinator.com> wrote:

> netstat -p -l | egrep "48038|50075" does not report a PID for port
> 48038 --- 50075 corresponds to rpc.statd, which I guess is related

On my mandriva 2009.1 system, I have two ports which do not show
a program in netstat -tapn, and do not show up in
"lsof -n|grep -i tcp|grep $portnumber".

Process of elimination (checking after stopping each daemon) shows
that they belong to smb-server and lm-sensors.

My guess, is that the ports are opened by kernel modules, not
regular processes, so there is no program name associated with
them. The one for lm-sensors is consistently tcp port 2049,
while the one for nfs-server changes each time the service is
restarted.

This is normal. It would be nice if it were easier to figure
out which service these ports are being used for, and what
they are being used to do, but if you can confirm which service
they are for, it cuts down the worrying, as you can always
check the code, to see what it's being used for.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)