Unknown process on port, lsof no help, nfs-kernel-server?
During a standard security sweep we found out that something was listening on a port unknown to us, 2030, and we are having trouble determining the source.
# netstat -anp | grep LIST
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
....
tcp 0 0 0.0.0.0:2030 0.0.0.0:* LISTEN -
Both without a 'process'. Connecting to it yielded no information (disconnects after input, most likely because an expected protocol isn't followed); lsof -i :2030 also nothing. Just to make sure I copied over a new lsof binary, but I am not sure what extra, possibly compromised, libs it calls. The 2049 I know, which is from the nfs-kernel-server, which behaves the same way (no process information from netstat or lsof). Lo and behold, after restarting the nfs-kernel-server on the Debian box, the process listening to 2030 disappeared....
So, my questions:
- Should I be worried about a compromised box, or is this indeed an nfs-kernel-server issue?
- If this is an nfs-kernel-server issue, what is happening exactly, why can't lsof show this information?
Linux 2.6.39-2-686-pae
nfs-kernel-server 1:1.2.3-3
lsof 4.81.dfsg.1-1
Do you have, for example, automounted NFS home directories? If yes, these listening ports will disappear some seconds/minutes after every user has logged out.
Port 2049 is definitely associated with the in-kernel nfs service. On my system, I have nfsd running.
:; sudo netstat -anp | grep LIST
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN -
So, let's see if I'm running the kmod for this:
:; lsmod | grep nfs
nfsd 287337 17
exportfs 38849 1 nfsd
auth_rpcgss 81889 1 nfsd
nfs 298541 1
lockd 101297 3 nfsd,nfs
fscache 52385 1 nfs
nfs_acl 36673 2 nfsd,nfs
sunrpc 200073 19 nfsd,auth_rpcgss,nfs,lockd,nfs_acl
Yup! And now we'll check to see if the kernel threads are up:
:; ps -aefd | grep nfs
root 3648 171 0 2011 ? 11:46:48 [nfsiod]
root 3882 171 0 2011 ? 00:00:00 [nfsd4]
root 3883 1 0 2011 ? 00:00:00 [nfsd]
root 3884 1 0 2011 ? 00:00:00 [nfsd]
root 3885 1 0 2011 ? 00:00:00 [nfsd]
root 3886 1 0 2011 ? 00:00:00 [nfsd]
root 3887 1 0 2011 ? 00:00:00 [nfsd]
root 3888 1 0 2011 ? 00:00:00 [nfsd]
root 3889 1 0 2011 ? 00:00:00 [nfsd]
root 3890 1 0 2011 ? 00:00:00 [nfsd]
Yup!
So at the very least, you can confirm this way that 2049 is actually NFS.
I don't know what 2030 is.
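The reason lsof and netstat -p come up empty for 2049 (and, in the question, 2030) is that a socket owned by a kernel service such as nfsd has no file descriptor in any /proc/<pid>/fd, and both tools attribute sockets only by walking those descriptors. The following is an added example, not code from the question or the answer above: it parses /proc/net/tcp directly, collects every socket inode that some process actually holds, and reports LISTEN ports that nobody in userland owns, which is the set you then need to cross-check against rpcinfo -p and lsmod. The inode numbers and the port 22 entry in the embedded sample are constructed.

```python
import glob
import os
import re

TCP_LISTEN = "0A"  # value of the 'st' column in /proc/net/tcp for LISTEN

def parse_listeners(proc_net_tcp_text):
    """Map socket inode -> local port for every LISTEN entry in /proc/net/tcp."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local_address is hexIP:hexPORT
        listeners[int(fields[9])] = port              # column 9 is the inode
    return listeners

def socket_inodes_held_by_processes(proc_root="/proc"):
    """Socket inodes that some process holds as a file descriptor (what lsof sees)."""
    held = set()
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(fd)
        except OSError:          # process exited or fd not readable (needs root)
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            held.add(int(m.group(1)))
    return held

def orphan_listeners(listeners, held_inodes):
    """Ports listening with no userland owner: kernel services (nfsd, lockd) or
    a hidden socket; either way they need cross-checking (e.g. rpcinfo -p)."""
    return sorted(port for ino, port in listeners.items() if ino not in held_inodes)

# Constructed /proc/net/tcp sample (inode numbers made up): sshd on 22 (0x0016),
# plus the two ports from the question, 2049 (0x0801) and 2030 (0x07EE).
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:07EE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    # Live run (root recommended so every /proc/<pid>/fd is readable).
    with open("/proc/net/tcp") as f:
        live = parse_listeners(f.read())
    print("LISTEN ports with no owning process:",
          orphan_listeners(live, socket_inodes_held_by_processes()))
```

Run the same parse over /proc/net/tcp6 for IPv6 listeners; the columns are identical, only the address field is wider. A port that shows up here but is absent from rpcinfo -p and has no matching kernel module in lsmod is the one worth treating as suspicious.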