SUMMARY: unknown listeners on high ports (solaris 2.4 and 2.5)

From: Brad Burdick [UUcom] (bburdick@radio.com)
Date: Fri May 24 1996 - 12:34:41 CDT


thanks to all for the help. the ports in question (3277[1-9]) are various
rpc services. this was my first guess, but i didn't know about rpcinfo and
other useful tools to confirm this. man -k rpc should have been my first
check.

i had actually tried lsof, but a version built under 2.4 that would not work.
a current copy of lsof src can be found at:

  ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

original question:

> we are seeing some processes listening on ports 3277[1-9] under solaris
> 2.4 and 2.5. i haven't been able to find a reference to any standard
> solaris apps that would be listening on those ports.
>
> anyone know what these might be?

responses from:

"Mike D. Kail" <mdkail@fv.com>

do a 'netstat -f inet' and i'll bet that you'll see something like...

machine.32771 foobar.telnet 8760 0 8760 0 ESTABLISHED

 **********

Mike Fletcher <fletch@ain.bls.com>

        Not a direct answer, but if you get lsof (Archie should
find it) it'll show what processes have what files open. You could
use that to figure out what processes have those sockets.

 **********

Todd Michael Kennedy <tkennedy@phoenix.csc.calpoly.edu>

It could be FTP. I've also seen RPC traffic going through high number
ports... You might want to fetch a copy of 'lsof.' You can give it a
port number and it will tell you the process that opened it. Very
helpful.

For example, on one of our Solaris 2.4 machines here...

% netstat -n | grep 3277[1-9]
129.65.97.100.55687 129.65.97.100.32771 8192 0 8192 0 TIME_WAIT
129.65.97.100.55693 129.65.97.100.32771 8192 0 8192 0 TIME_WAIT

% lsof -i :32771
COMMAND PID USER FD TYPE DEVICE SIZE/OFF INODE NAME
rpcbind 146 root 5u inet 0xfc10d898 0t0 UDP *:32771
ypserv 167 root 5u inet 0xfc10d048 0t0 TCP *:32771

 **********

Kevin.Sheehan@uniq.com.au (Kevin Sheehan {Consulting Poster Child})

RPC services - look with rpcinfo and you'll notice they are probably
registered services of some kind.
>
> # ndd /dev/tcp tcp_status | grep 3277
> f113b070 0.0.0.0 80956906 80956905 0 0 0 0 500 536 [32771, 0] TCP_LISTEN
> f0b76290 0.0.0.0 84705001 84705000 0 0 0 0 500 536 [32776, 0] TCP_LISTEN

 **********

Casper Dik <casper@holland.Sun.COM>

Try "rpcinfo -p | grep tcp"

-- 
Brad Burdick                                      bburdick@radio.com
Internet Multicasting Service, NPB, Suite 1155, Washington, DC 20045
                Under contract from UUcom, Inc.
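
The rpcinfo check suggested in the replies can be scripted. The following is an added example, not part of the original thread: it matches listening ports against an `rpcinfo -p` table and flags listeners with no RPC registration. The function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not taken from the thread).
sample_rpcinfo() {
cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100004    2   tcp  32771  ypserv
    100004    1   tcp  32771  ypserv
    100004    2   udp  32772  ypserv
    100007    3   tcp  32773  ypbind
    100024    1   tcp  32776  status
EOF
}

# Constructed list of listening TCP ports, one per line, as they might be
# extracted from netstat output.
sample_listeners() { printf '%s\n' 32771 32772 32773 32776 32779; }

# classify_listeners RPCINFO_FILE PROTO   (port numbers on stdin)
# Prints "port program service" for ports registered with rpcbind under
# PROTO, and "port - UNREGISTERED" for listeners rpcbind does not know.
classify_listeners() {
    awk -v proto="$2" '
        mode != "ports" {            # first operand: the rpcinfo -p table
            # The header row fails both tests; several versions of one
            # program share a port, so keep only the first entry seen.
            if ($3 == proto && $4 ~ /^[0-9]+$/ && !($4 in reg))
                reg[$4] = $1 " " ($5 == "" ? "-" : $5)
            next
        }
        /^[0-9]+$/ {                 # second operand: ports from stdin
            if ($1 in reg) print $1, reg[$1]
            else           print $1, "-", "UNREGISTERED"
        }
    ' "$1" mode=ports -
}

# Run the check over the constructed samples.
demo() {
    tmp=$(mktemp) || return 1
    sample_rpcinfo > "$tmp"
    sample_listeners | classify_listeners "$tmp" tcp
    rm -f "$tmp"
}
demo
```

On a live host, save `rpcinfo -p` to a file and pipe in the port numbers taken from the netstat listing; any port reported as UNREGISTERED is the one to follow up with lsof.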


