Thread: Linux find out program name responsible for opening tcp port

Dear All,

Pl. help me on this,

from 2-3 days i am getting these below Info messages in my apache error logs

[Fri Oct 29 11:40:59 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:00 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:00 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:01 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:01 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:01 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:02 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:02 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:03 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network
[Fri Oct 29 11:41:06 2010] [info] [client 172.32.1.1] (104)Connection reset by peer: core_output_filter: writing data to the network


When trying to restart the apache.... it works and in error logs i get this...


[Fri Oct 29 11:47:31 2010] [notice] caught SIGTERM, shutting down
[Fri Oct 29 11:47:32 2010] [info] mod_unique_id: using ip addr 172.32.5.45
[Fri Oct 29 11:47:33 2010] [info] mod_unique_id: using ip addr 172.32.5.45
[Fri Oct 29 11:47:34 2010] [notice] Apache/2.2.14 (Unix) configured -- resuming normal operations
[Fri Oct 29 11:47:34 2010] [info] Server built: Nov 6 2009 13:48:28



I ran this command to check what programs on which port, in that output i found some thing wearied.

# netstat -tnulp (in this command i am not getting which programs are using these ports... although this works for other programs...)

tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:36834 0.0.0.0:* LISTEN -

udp 0 0 0.0.0.0:32768 0.0.0.0:* -
udp 0 0 0.0.0.0:2049 0.0.0.0:* -


Pl. help me on this....

I am feeling my server has some rootkits or hacked....

Regards
manish

Run netstat as root with full path

Code:

/bin/netstat -tulpn

Or use ps aux to find out its pid. Once you got pid, run the following to find out program name

Code:

ls -l /proc/pid-here/exec

You can also use fuser or lsof and other utilities to find info:

Code:

fuser 36834/tcp
fuser 2049/tcp 
fuser 32768/udp 
fuser 2049/udp

Once you got pid for each process run ls command

Code:

ls -l /proc/pid-here/exec

You can also grep it:

Code:

grep port /etc/services

Hi

i used this....

watch -n1 --difference "fuser 36834/tcp; fuser 2049/tcp; fuser 32768/udp; fuser 2049/udp"

in this i find once this below

"cannot stat file /proc/28200/fd/6: No such file or directory"

Can you paste the output of the following command, as watch will not give any info

Code:

fuser 36834/tcp
fuser 2049/tcp 
fuser 32768/udp 
fuser 2049/udp

nothing displaying....


update..... How stupid i am... just i know....

i didn't checked about NFS

2049 is using by NFS