I often use ‘netstat --tcp -lpn’ to display a list of open ports on a server – so I can check things aren’t listening where they shouldn’t be (e.g. MySQL accepting connections from the world) and so on. Obviously I firewall boxes; but I like to have a reasonable default in case the firewall decides to flush itself randomly or whatever.
Anyway, I ran ‘netstat --tcp -lpn’ and saw something like the following:
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3355/mysqld
tcp 0 0 0.0.0.0:54283 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1940/portmap
Now ‘mysqld’ looks OK – and portmap does (well, I need it on this box). But what on earth was listening on port 54283, and why is there no process name/pid attached to it?
After lots of rummaging, and paranoia where I thought perhaps the box had been rooted, I discovered it was from an NFS mount (which explains the lack of a pid, as it’s kernel based).
lsof -i tcp:54283
Didn’t help either. Unmounting the NFS filesystem did identify the problem – and the entry went away.
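One way to triage a listener with no pid before suspecting a compromise, as an added example that is not part of the original post: the function below classifies each ‘netstat --tcp -lpn’ line as loopback-only or exposed, and looks up any port owned by "-" in ‘rpcinfo -p’ output to see whether it is a registered RPC service. The function name and the rpcinfo sample rows are assumptions; the post does not say which NFS service held port 54283.

```shell
#!/bin/sh
# classify_listeners RPCINFO_TEXT   (netstat --tcp -lpn output on stdin)
# Prints one line per listener: <scope> <local address> <owner>
classify_listeners() {
    RPCINFO="$1" awk '
    BEGIN {
        # Index rpcinfo -p rows (program vers proto port service) by TCP port.
        n = split(ENVIRON["RPCINFO"], row, "\n")
        for (i = 1; i <= n; i++) {
            split(row[i], f, " ")
            if (f[3] == "tcp") svc[f[4]] = (f[5] != "" ? f[5] : "prog" f[1])
        }
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4; owner = $7
        port = addr; sub(/^.*:/, "", port)
        # Loopback binds are not reachable from other hosts.
        scope = (addr ~ /^127\./ || addr ~ /^::1:/) ? "local" : "exposed"
        # "-" means netstat saw no owning userspace process: a kernel
        # socket (the NFS case in the post) or netstat run without root.
        if (owner == "-")
            owner = (port in svc) ? ("rpc:" svc[port]) : "UNATTRIBUTED"
        print scope, addr, owner
    }'
}

# The three netstat lines shown in the post.
NETSTAT_SAMPLE='tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3355/mysqld
tcp 0 0 0.0.0.0:54283 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1940/portmap'

# Constructed rpcinfo -p rows (assumption: the port belonged to nlockmgr).
RPC_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100021    1   tcp  54283  nlockmgr'

demo() { printf '%s\n' "$NETSTAT_SAMPLE" | classify_listeners "$RPC_SAMPLE"; }
demo
# Live use (as root): netstat --tcp -lpn | classify_listeners "$(rpcinfo -p)"
```

A line that still ends in UNATTRIBUTED when run as root is the one that needs the kind of rummaging described above.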