The Community Forums


How to identify the service in one port?

Discussion in 'General Discussion' started by minotauro, Mar 6, 2004.

  1. minotauro

    minotauro Well-Known Member

    Joined:
    Jan 19, 2004
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    Hello,

    My server has crashed many times in the last few days. I found one script (.bs.pl) in /tmp (but my /tmp is noexec). After this, always, even after a reboot, I see this using netstat -an:

    udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED

    How can I identify the service (or script) running on this port? The script always changes the port (after reboot).

    I ran ps -aux but did not see anything different.

    Thanks,
    Minotauro.
     
  2. casey

    casey Well-Known Member

    Joined:
    Jan 17, 2003
    Messages:
    2,303
    Likes Received:
    0
    Trophy Points:
    36
    Location:
    If there is trouble, it will find me
  3. Steve-PWH

    Steve-PWH Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Its connection is from localhost to localhost on the same port.

    Doesn't look like an exploited machine to me?

    Is .bs.pl owned by user nobody?

    If so then it's been uploaded by an insecure script, but you say /tmp is noexec?

    There's no .bash_history in /tmp or any other files that should not be there?
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    To find the PID that has a port open you can do the following:

    fuser 32769/udp

    To tie it to a process,

    ps axf | grep -v grep | grep PID

    Where PID is the result from the fuser.

    Alternatively, issue the following:

    netstat -autpn

    If it keeps restarting after a reboot, check the following for changes:

    /etc/rc.d/rc.local
    /etc/inetd.conf
    /etc/xinetd.d/

    Also, if you could display the code of .bp.pl here, it would help. Having noexec on /tmp doesn't help, as all you need to do is:

    perl /tmp/.bp.pl
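
    The steps chirpy lists (fuser, then ps, or netstat -p) all resolve a port to a process through the same kernel data: the socket inode in /proc/net/udp and the /proc/PID/fd links that point at it. The following script is an added example written for this thread, not something posted by chirpy or shipped with cPanel; it walks that chain by hand so the result can be cross-checked against fuser/netstat when a tool is suspected of being tampered with. It assumes a Linux host with /proc mounted, reads only the IPv4 UDP table, and needs root to see descriptors of other users' processes. The sample table used in the self-test is constructed to mirror the netstat line from the first post (127.0.0.1:32769).

```shell
#!/bin/sh
# Added example: map a UDP port to its owning PID via /proc, independently
# of fuser/netstat. Assumes Linux; run as root for a full view.

# udp_inode PORT [FILE]
# Print the socket inode(s) bound to PORT. FILE defaults to /proc/net/udp;
# a constructed table can be passed in for testing.
# /proc/net/udp columns: sl local_address rem_address st tx:rx tr:when
# retrnsmt uid timeout inode ... ; local_address is HEXIP:HEXPORT, inode is $10.
udp_inode() {
    port_hex=$(printf '%04X' "$1")
    file=${2:-/proc/net/udp}
    awk -v p="$port_hex" \
        'NR > 1 { split($2, a, ":"); if (a[2] == p) print $10 }' "$file"
}

# inode_pids INODE
# Print every PID holding a descriptor that resolves to socket:[INODE].
# Unreadable fd directories (other users, short-lived processes) are skipped.
inode_pids() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# port_owner PORT
# Combine the two lookups and show the command line of each owner, so a
# port such as 32769/udp can be tied to e.g. postmaster (PostgreSQL).
port_owner() {
    for ino in $(udp_inode "$1"); do
        for pid in $(inode_pids "$ino"); do
            comm=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s/udp -> pid %s (inode %s): %s\n' "$1" "$pid" "$ino" "$comm"
        done
    done
}

# Usage: sh portowner.sh 32769
# Compare the output with "fuser 32769/udp" and "netstat -aunp"; a mismatch
# between the /proc view and a tool's view is worth investigating.
if [ -n "${1:-}" ]; then
    port_owner "$1"
fi
```

A port that moves on every reboot, as in the first post, is the normal behaviour of a daemon binding an ephemeral port (the 32768+ range on Linux), which is why the lookup should be repeated on the live port rather than hard-coded.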
     
  5. Steve-PWH

    Steve-PWH Well-Known Member

    Joined:
    Jun 30, 2002
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    A little research points to /usr/bin/postmaster as being the user.

    I take it you have PostgreSQL installed.

    If that is the user, your box has not been cracked, as someone without any details would say.

    Also it's not why your machine is crashing.

    What are the contents of .bs.pl?
     
  6. minotauro

    minotauro Well-Known Member

    Joined:
    Jan 19, 2004
    Messages:
    89
    Likes Received:
    0
    Trophy Points:
    6
    Hello casey and Steve-PWH,

    My /tmp is noexec and nosuid. The user only sent the script to my server, but didn't exec it (not sent as nobody, because I run suexec and phpsuexec).

    The port is because of PG SQL (thanks Steve-PWH), I confirmed it after running netstat -anp:

    udp 0 0 127.0.0.1:32769 127.0.0.1:32769 ESTABLISHED 4189/postmaster

    chirpy, thanks for the reply, but the port is PG SQL.

    Thanks all for the replies! ;)

    Regards,
    Minotauro.
     