That is how RPC stuff works. There is one RPC daemon (sunrpc) that is used to map to the other RPC processes that register with it, thus only one port "has" to be defined, that for sunrpc, the rest will remain dynamic.

Tom Veldhouse
veldy at veldy.net

----- Original Message -----
From: "Bill Layer" <b.layer at vikingelectronics.com>
To: <tclug-list at lists.real-time.com>
Sent: Monday, December 11, 2000 3:11 PM
Subject: Re: [TCLUG] What is listening on 6XX ports?

> You're really a gem, Ben... not at all an idiot like so many said recently ;)
>
> On Monday 11 December 2000 14:50, you wrote:
> >
> > On Mon, Dec 11, 2000 at 02:42:33PM -0600, Bill Layer wrote:
> > >I'm pretty much out of ideas on this one. Help, anyone?
> >
> > fuser -n tcp <PORTNUMBER>
> > which will give you a pid of a process that's got that port
> > ps uw |grep <PID>
> > will tell you what app it is.
>
> Ok, it's rpc.mountd that has that port-ola. Rpc.mountd is the kernel NFS
> mount daemon. Slack has NFS setup by default, but I don't get why mountd is
> using a different port on each machine... In any event:
>
> A couple of notes on the technique you described.
>
> 1) The fuser command returns *nothing* in this case, unless run as root. When
> as root, I get:
>
> root at Billbob_Linux:~# fuser -n tcp 678
> 678/tcp:                75
>
> 2) the ps -uw | grep (PID) returns this line:
>
> root at Billbob_Linux:~# ps uw | grep 75
> root      2027  0.0  0.1  1164  412 pts/1    S    14:58   0:00 grep 75
>
> I don't see a process named here, so I just did ps -e | grep 75 and got:
>
> root at Billbob_Linux:~# ps -e | grep 75
>    75 ?        00:00:00 rpc.mountd
>
> So I guess that is mystery solved, onto new question of why rpc.mountd is
> using random ports in the 6XX range. NFS is also using port 2049 on each
> machine, here is a nmap output:
>
> root at Billbob_Linux:~# nmap localhost
>
> Starting nmap V. 2.53 by fyodor at insecure.org ( www.insecure.org/nmap/ )
> Interesting ports on localhost (127.0.0.1):
> (The 1505 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 21/tcp     open        ftp
> 23/tcp     open        telnet
> 25/tcp     open        smtp
> 37/tcp     open        time
> 79/tcp     open        finger
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 111/tcp    open        sunrpc
> 113/tcp    open        auth
> 143/tcp    open        imap2
> 513/tcp    open        login
> 514/tcp    open        shell
> 515/tcp    open        printer
> 587/tcp    open        submission
> 678/tcp    open        unknown
> 1024/tcp   open        kdm
> 2049/tcp   open        nfs
> 6000/tcp   open        X11
>
> Web, telnet, ftp, auth are all active on this machine, as I perceive no
> threats on this LAN. Correct me if that is bad thinking.
>
> Thanks again, Ben.
>
> ===
> Bill Layer
> <b.layer at vikingelectronics.com>
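
Added example, not part of the original thread: because RPC services register their dynamic ports with the portmapper, a port the scanner labels "unknown" can be identified by matching it against `rpcinfo -p` output. The sample tables below are constructed for illustration, and the function names (`annotate_open_ports`, `demo`) are hypothetical.

```shell
#!/bin/sh
# Match open ports from a scan against the portmapper's registrations.

# Constructed `rpcinfo -p` output (illustrative, not from the poster's machine).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    675  mountd
    100005    1   tcp    678  mountd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
EOF
}

# Constructed subset of the scan lines quoted in the message.
sample_scan() {
cat <<'EOF'
Port       State       Service
111/tcp    open        sunrpc
587/tcp    open        submission
678/tcp    open        unknown
2049/tcp   open        nfs
EOF
}

# stdin:  rpcinfo table, a separator line "---", then scan lines.
# stdout: "<port/proto> <scanner's guess> <registered RPC service, or ->"
annotate_open_ports() {
    awk '
        $0 == "---" { in_scan = 1; next }
        # Registration rows start with a numeric program number.
        !in_scan && $1 ~ /^[0-9]+$/ {
            rpc[$4 "/" $3] = ($5 != "" ? $5 : "prog" $1)
            next
        }
        # Scan rows look like "678/tcp open unknown".
        in_scan && $2 == "open" {
            print $1, $3, (($1 in rpc) ? rpc[$1] : "-")
        }'
}

demo() {
    { sample_rpcinfo; echo "---"; sample_scan; } | annotate_open_ports
}

demo
```

On a live host the same function can be fed with `{ rpcinfo -p; echo ---; nmap localhost; } | annotate_open_ports`; an open port with `-` in the last column is not an RPC registration and still needs the `fuser`/`ps` lookup described in the thread.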