Hi... I have a box with something listening to "flickering" ports. nmap reports various random ports open from run to run. I can't telnet to them and ID w/ netstat, because they're gone the instant nmap finds them.
I can't see the culprit in the output of lsof. Does anyone here know what might be going on? If not, I might try writing a simple port scanner which leaves a connection open for netstat to track...

TRANSCRIPT FOLLOWS:

[EMAIL PROTECTED]:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds
[EMAIL PROTECTED]:~$ # everything looks fine
[EMAIL PROTECTED]:~$ # all these are normal services, except 8080, which is a port
[EMAIL PROTECTED]:~$ # tunnelled by ssh
[EMAIL PROTECTED]:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
3920    open        tcp       unknown
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds
[EMAIL PROTECTED]:~$ # XXX something was listening on port 3920
[EMAIL PROTECTED]:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
3537    open        tcp       unknown
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
[EMAIL PROTECTED]:~$ # XXX now something was listening on port 3537
[EMAIL PROTECTED]:~$ # XXX also note the "Strange read error"
[EMAIL PROTECTED]:~$ sudo lsof | gzip -c > lsof.gz   # attached
[EMAIL PROTECTED]:~$ nmap -p 1-10000 localhost

Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port    State       Protocol  Service
9       open        tcp       discard
13      open        tcp       daytime
22      open        tcp       ssh
25      open        tcp       smtp
37      open        tcp       time
80      open        tcp       http
6000    open        tcp       X11
8080    open        tcp       http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds
[EMAIL PROTECTED]:~$ # everything's clear again

--
Peter Eckersley http://www.cs.mu.oz.au/~pde
([EMAIL PROTECTED]) TLI: http://www.computerbank.org.au
<~~~~.sig temporarily conservative pending divine intervention~~~~>
GPG fingerprint: 30BF 6A78 2013 DCFA 5985 E255 9D31 4A9A 7574 65BC
lsof.gz
Description: Binary data
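
The hold-open scanner idea from the message above, as an added example (not code from the original post): a connect() scan that keeps every successful connection open so netstat or lsof can be run against it from another terminal. The function names, the 0.5 s timeout and the local == peer flag are assumptions of this example; the flag marks a loopback socket whose source port equals the port it connected to, which is a socket connected to itself rather than to a listener.

```python
import socket

def hold_open_scan(host, ports, timeout=0.5):
    """Connect to each port and keep every successful socket open.

    Returns {port: socket}. Unlike a normal scan, nothing is closed, so the
    connection stays visible to netstat/lsof until release() is called.
    """
    held = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # refused, timed out, unreachable
            s.close()
            continue
        held[port] = s
    return held

def describe(held):
    """Report both endpoints of each held connection, sorted by port."""
    rows = []
    for port, s in sorted(held.items()):
        local, peer = s.getsockname(), s.getpeername()
        rows.append({
            "port": port,
            "local": local,
            "peer": peer,
            # Same address and port on both ends: the socket is its own peer.
            "self_connect": local == peer,
        })
    return rows

def release(held):
    """Close every held connection and empty the table."""
    for s in held.values():
        s.close()
    held.clear()

if __name__ == "__main__":
    held = hold_open_scan("127.0.0.1", range(1, 10001))
    for r in describe(held):
        note = "  <-- local == peer" if r["self_connect"] else ""
        print(f'{r["port"]:>5}  {r["local"]} -> {r["peer"]}{note}')
    input("Connections held open; inspect with netstat/lsof, then press Enter. ")
    release(held)
```

While the script waits at the prompt, each reported port can be matched against the netstat and lsof listings by its local and peer address pair.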