Hi...
I have a box with something listening to "flickering" ports. nmap
reports various random ports open from run to run. I can't telnet to
them and ID w/ netstat, because they're gone the instant nmap finds
them.
I can't see the culprit in the output of lsof. Does anyone here know
what might be going on? If not, I might try writing a simple port
scanner which leaves a connection open for netstat to track...
TRANSCRIPT FOLLOWS:
pde@xyz:~$ nmap -p 1-10000 localhost
Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
9 open tcp discard
13 open tcp daytime
22 open tcp ssh
25 open tcp smtp
37 open tcp time
80 open tcp http
6000 open tcp X11
8080 open tcp http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds
pde@xyz:~$ # everything looks fine
pde@xyz:~$ # all these are normal services, except 8080, which is a port
pde@xyz:~$ # tunnelled by ssh
pde@xyz:~$ nmap -p 1-10000 localhost
Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
9 open tcp discard
13 open tcp daytime
22 open tcp ssh
25 open tcp smtp
37 open tcp time
80 open tcp http
3920 open tcp unknown
6000 open tcp X11
8080 open tcp http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds
pde@xyz:~$ # XXX something was listening on port 3920
pde@xyz:~$ nmap -p 1-10000 localhost
Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
9 open tcp discard
13 open tcp daytime
22 open tcp ssh
25 open tcp smtp
37 open tcp time
80 open tcp http
3537 open tcp unknown
6000 open tcp X11
8080 open tcp http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
pde@xyz:~$ # XXX now something was listening on port 3537
pde@xyz:~$ # XXX also note the "Strange read error"
pde@xyz:~$ sudo lsof | gzip -c > lsof.gz # attached
pde@xyz:~$ nmap -p 1-10000 localhost
Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
9 open tcp discard
13 open tcp daytime
22 open tcp ssh
25 open tcp smtp
37 open tcp time
80 open tcp http
6000 open tcp X11
8080 open tcp http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds
pde@xyz:~$ # everything's clear again
--
Peter Eckersley http://www.cs.mu.oz.au/~pde
([EMAIL PROTECTED]) TLI: http://www.computerbank.org.au
<~~~~.sig temporarily conservative pending divine intervention~~~~>
GPG fingerprint: 30BF 6A78 2013 DCFA 5985 E255 9D31 4A9A 7574 65BC
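The hold-open scanner proposed in the message above, as an added example (not code from the original post): it connect-scans localhost and keeps every successful connection open so that netstat or lsof can see it. As an addition beyond the post, it also flags a connection whose two endpoints are identical (a TCP self-connect from the scanner's own source port) and parses Linux /proc/net/tcp for the matching rows; all function names are hypothetical.

```python
import socket

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}  # subset of kernel state codes

def probe(port, host="127.0.0.1", timeout=0.5):
    """Connect and keep the socket open; return (sock, kind) or None if refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:
        s.close()
        return None
    # Identical local and remote endpoints mean the scanner's own source port
    # matched the target port: no separate process is listening there.
    kind = "self-connect" if s.getsockname() == s.getpeername() else "listener"
    return s, kind

def sockets_on_port(port, proc_net_tcp):
    """From /proc/net/tcp text, list (state, uid, inode) for sockets on a local port."""
    rows = []
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        if int(f[1].split(":")[1], 16) == port:     # local_address is HEXIP:HEXPORT
            rows.append((TCP_STATES.get(f[3], f[3]), int(f[7]), int(f[9])))
    return rows

def scan_and_hold(ports, host="127.0.0.1"):
    """Return {port: (sock, kind)} with every successful connection still open."""
    held = {}
    for p in ports:
        result = probe(p, host)
        if result:
            held[p] = result
    return held

if __name__ == "__main__":
    held = scan_and_hold(range(1, 10001))           # same range as the nmap runs
    with open("/proc/net/tcp") as fh:               # Linux only
        table = fh.read()
    for port, (sock, kind) in sorted(held.items()):
        print(port, kind, sockets_on_port(port, table))
    input("Connections held open; inspect with netstat/lsof, then press Enter. ")
```

The inode in each row can be matched against the socket entries under /proc/<pid>/fd (as root) to name the owning process.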