I often use ‘netstat --tcp -lpn’ to display a list of open ports on a server – so I can check things aren’t listening where they shouldn’t be (e.g. MySQL accepting connections from the world) and so on. Obviously I firewall boxes; but I like to have a reasonable default in case the firewall decides to flush itself randomly or whatever.
Anyway, I ran ‘netstat --tcp -lpn’ and saw something like the following:
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3355/mysqld
tcp 0 0 0.0.0.0:54283 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1940/portmap
Now ‘mysqld’ looks OK – and portmap does (well, I need it on this box). But what on earth was listening on port 54283, and why is there no process name/pid attached to it?
After lots of rummaging, and paranoia where I thought perhaps the box had been rooted, I discovered it was from an NFS mount (which explains the lack of a pid, as it’s kernel based).
lsof -i tcp:54283
Didn’t help either. Unmounting the NFS filesystem did identify the problem – and the entry went away.
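A way to triage PID-less listeners like the one above, as an added example that is not part of the original post: it pulls the ports that netstat shows with "-" in the PID column and looks each one up in `rpcinfo -p` output, where kernel RPC services register their ports. The sample rpcinfo text is constructed, the service shown on 54283 (nlockmgr) is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample inputs; the netstat lines mirror the output in the post.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3355/mysqld
tcp 0 0 0.0.0.0:54283 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1940/portmap'
# Constructed `rpcinfo -p` output; nlockmgr on 54283 is an assumption.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100021    4   tcp  54283  nlockmgr'

# pidless_ports: netstat output on stdin -> ports of LISTEN sockets with no PID.
# Splitting on ":" and taking the last piece also handles IPv6 (e.g. :::2049).
pidless_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 == "-" {
             n = split($4, a, ":"); print a[n]
         }' | sort -un
}

# explain_ports NETSTAT_TEXT RPCINFO_TEXT
# Prints "<port> <rpc-service>" for each PID-less listener registered with the
# portmapper, or "<port> UNEXPLAINED" when no registration matches.
explain_ports() {
    printf '%s\n' "$1" | pidless_ports | while read -r port; do
        svc=$(printf '%s\n' "$2" |
              awk -v p="$port" '$3 == "tcp" && $4 == p { print $5; exit }')
        printf '%s %s\n' "$port" "${svc:-UNEXPLAINED}"
    done
}

# check_live: same check against the running system. Without root, netstat
# also prints "-" for sockets owned by other users, so warn about that.
check_live() {
    [ "$(id -u)" -eq 0 ] ||
        echo "warning: not root; PIDs of other users' sockets are hidden" >&2
    explain_ports "$(netstat --tcp -lpn 2>/dev/null)" "$(rpcinfo -p 2>/dev/null)"
}

# Run against the constructed samples.
explain_ports "$SAMPLE_NETSTAT" "$SAMPLE_RPCINFO"
```

A port reported as UNEXPLAINED is not necessarily hostile: a kernel listener that does not register with the portmapper shows up the same way, and still needs tracking down by other means, such as the unmount test described in the post.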
Maybe it is a root process. Log in as root and execute the above command.
That doesn’t help; the command(s) were executed as root.
Most people are saying that this is caused by NFS being a kernel module. As such it does not run as a process and there is no process ID. There are probably other kernel modules that use network ports. I have not found a list yet.
http://ubuntuforums.org/showthread.php?t=1914610