Unknown process listening at port 8080
The problem: something is listening on port 8080
- If I load the page with Safari I get a blank page (page is white but "Develop → Show Page Source" is greyed out)
- If I telnet to port 8080 I get something answering
    $ telnet 127.0.0.1 8080
    Trying 127.0.0.1...
    Connected to localhost (127.0.0.1).
    Escape character is '^]'.
But
- lsof does not show any process listening on port 8080
    $ sudo lsof -iTCP -sTCP:LISTEN -P -n | grep 8080
    $
- netstat does not show any process using port 8080
    $ netstat -n | grep 8080
    $
- I can open port 8080 programmatically (e.g., with a web server) without any error about the port being in use
- nmap does not list the port as used
    sudo nmap 127.0.0.1
    Starting Nmap 6.01 ( http://nmap.org ) at 2012-10-03 16:16 CEST
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000081s latency).
    Not shown: 990 closed ports
    PORT      STATE SERVICE
    22/tcp    open  ssh
    631/tcp   open  ipp
    1023/tcp  open  netvenuechat
    3283/tcp  open  netassistant
    3306/tcp  open  mysql
    3689/tcp  open  rendezvous
    5001/tcp  open  commplex-link
    5003/tcp  open  filemaker
    5432/tcp  open  postgresql
    50003/tcp open  unknown
    Nmap done: 1 IP address (1 host up) scanned in 10.92 seconds
The same happens for port 80 but not for other ports (e.g., 81 or 8081).
Question
Which process is answering on these ports when no other process is opening them? What is the purpose of this behavior?
Edit
- If I open the port with a program the port can then be used normally. Once the port is closed the strange behavior reappears. Example:
  - access to port 8080 delivers a connection to an unknown process
  - I open the port with tomcat
  - accesses to port 8080 go to tomcat and everything is OK
  - I close the port (quit tomcat)
  - the port is listed as not used (see above)
  - access to port 8080 delivers a connection to an unknown process
- the firewall rules just show that the port is not blocked
    $ sudo ipfw show
    00001    926004   100891783 allow ip from me to any dst-port 80,8080,3128,5001,5003,443
    65535 125057043 94341114828 allow ip from any to any
Edit 2
- the listening program is not an HTTP server (i.e., does not react to a GET index.html HTTP/1.0 request)
I noticed this very problem on my MacBook. I was trying to use port 8080 for some testing and I received the error that another process was already listening on it. My invocation of nmap returned different results depending on whether I was using sudo or not. This did not make sense to me.
I was really concerned when I could not figure out what processes were listening on these ports using sudo lsof -P -n -iTCP | grep LIST. This led me to believe that there was malicious software intentionally hiding itself.
I ended up removing files from /Library/LaunchDaemons/ until I narrowed it down to the culprit. The application responsible for all these opened ports was the Cisco AnyConnect Secure Mobile Client. Unfortunately, in order for this Cisco VPN client to work, it must have all these ports opened. Apparently, it is also responsible for the firewall rule addition that you reported with ipfw show.
It still boggles my mind why it does not show which process is responsible for the open ports when using lsof. No application should be able to avoid being listed using this method. Perhaps the reason for the process not being listed will be answered in another Stack Exchange question.
I ran into this problem this morning, complained on Twitter, and was told that the problem has been fixed in recent versions of AnyConnect. I upgraded to the new version, and I no longer have a mystery process binding to port 8080. So good so far.
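An added example, not part of the original posts: a Python script that automates the comparison made in the question, flagging ports on 127.0.0.1 that complete a TCP connection although the output of lsof -iTCP -sTCP:LISTEN -P -n lists no listener for them. The function names and the sample lsof text are constructed for illustration.

```python
import re
import socket
import subprocess

# Constructed sample of `lsof -iTCP -sTCP:LISTEN -P -n` output (not from the page).
SAMPLE_LSOF = """\
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       71  root    4u  IPv4 0x1a2b      0t0  TCP *:22 (LISTEN)
cupsd      88  root    6u  IPv6 0x1a2c      0t0  TCP [::1]:631 (LISTEN)
mysqld    412 _mysql  10u  IPv4 0x1a2d      0t0  TCP 127.0.0.1:3306 (LISTEN)
"""

def listed_listeners(lsof_text):
    """Map port -> set of 'command/pid' taken from lsof LISTEN rows."""
    owners = {}
    for line in lsof_text.splitlines():
        m = re.search(r":(\d+) \(LISTEN\)\s*$", line)
        if m:
            cmd, pid = line.split()[:2]
            owners.setdefault(int(m.group(1)), set()).add(f"{cmd}/{pid}")
    return owners

def accepts_connection(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes (what telnet showed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def unexplained_ports(ports, lsof_text, host="127.0.0.1"):
    """Ports that answer a connect but have no listener row in lsof."""
    owners = listed_listeners(lsof_text)
    return [p for p in ports if p not in owners and accepts_connection(host, p)]

def live_lsof():
    """Run the lsof command from the question; run as root to see all processes."""
    return subprocess.run(["lsof", "-iTCP", "-sTCP:LISTEN", "-P", "-n"],
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Ports compared in the question: 80 and 8080 answered, 81 and 8081 did not.
    for port in unexplained_ports([80, 81, 8080, 8081], live_lsof()):
        print(f"port {port}: connection accepted, no listener listed by lsof")
```

A port reported here is a starting point for checking packet-filter redirect rules and the contents of /Library/LaunchDaemons/, since the socket table alone does not account for it.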