Unkown process listening at port 8080

The problem: something is listening on port 8080

• If I load the page with Safari I get a blank page (page is white but "Develop → Show Page Source" is greyed out)

• If I telnet to port 8080 I get something answering

  $ telnet 127.0.0.1 8080
  Trying 127.0.0.1...
  Connected to localhost (127.0.0.1).
  Escape character is '^]'.
  

But

• lsof does not show any process listening on port 8080

  $ sudo lsof -iTCP -sTCP:LISTEN -P -n | grep 8080
  $
  

• netstat does not show any process using port 8080

  $ netstat -n  | grep 8080
  $
  

• I can open port 8080 programmatically (e.g., with a web server) without any error about the port being in use

• nmap does not list the port as used

  sudo nmap 127.0.0.1
  
  Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-03 16:16 CEST
  Nmap scan report for localhost (127.0.0.1)
  Host is up (0.000081s latency).
  Not shown: 990 closed ports
  PORT      STATE SERVICE
  22/tcp    open  ssh
  631/tcp   open  ipp
  1023/tcp  open  netvenuechat
  3283/tcp  open  netassistant
  3306/tcp  open  mysql
  3689/tcp  open  rendezvous
  5001/tcp  open  commplex-link
  5003/tcp  open  filemaker
  5432/tcp  open  postgresql
  50003/tcp open  unknown
  
  Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds
  

The same happens for port 80 but not for other ports (e.g., 81 or 8081).

Question Which process is answering to this ports when no other process is opening them? Which is the purpose of this behavior?

Edit

• if I open the port with a program the port can then be used normally. Once the port is closed the strange behavior reappears. Example:

  • access to port 8080 deliver a connection to an unknown process
  • I open the port with tomcat
  • accesses to port 8080 goes to tomcat and everything is OK
  • I close the port (quit tomcat)
  • the port is listed as not used (see above)
  • access to port 8080 deliver a connection to an unknown process

• the firewall rules just show that the port is not blocked

  $ sudo ipfw show
  00001    926004   100891783 allow ip from me to any dst-port 80,8080,3128,5001,5003,443
  65535 125057043 94341114828 allow ip from any to any
  

Edit 2

• the listening program is not an HTTP server (i.e., does not react to a GET index.html HTTP/1.0 request

I noticed this very problem on my Macbook. I was trying to use port 8080 for some testing and I received the error that another process was already listening on it. My invocation of nmap returned different results depending on whether I was using sudo or not. This did not make sense to me.

I was really concerned when I could not figure out what was processes were listening on these ports using sudo lsof -P -n -iTCP | grep LIST. This led me to believe that there was malicious software intentionally hiding itself.

I ended up removing files from /Library/LaunchDaemons/ until I narrowed it down to the culprit. The application responsible for all these opened ports was the Cisco AnyConnect Secure Mobile Client. Unfortunately, in order for this Cisco VPN client to work, it must have all these ports opened. Apparently, it is also responsible for the firewall rule addition that you reported with ipfw show.

It still boggles my mind why it does not show which process is responsible for the open ports when using lsof. No application should be able to avoid being listed using this method. Perhaps the reason for the process not being listed will be answered in another stackexchange question.

I ran into this problem this morning, complained on Twitter, and was told that the problem has been fixed in recent versions of Any Connect. I upgraded to the new version, and I no longer have a mystery process binding to port 8080. So good so far.