linux:/var/run # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0     81 192.168.1.2:23          192.168.1.1:1048        ESTABLISHED
raw        0      0 0.0.0.0:255             0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     2329   /tmp/.X11-unix/X0
unix  5      [ ]         DGRAM                    928    /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     2019   /var/run/.nscd_socket
unix  2      [ ]         STREAM                   7496   /var/state/backhand/bchild-00987
unix  3      [ ]         STREAM     CONNECTED     7512   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     7511
unix  3      [ ]         STREAM     CONNECTED     2778   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2777
unix  7      [ ]         STREAM     CONNECTED     2770   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     2331
unix  2      [ ]         DGRAM                    1803
unix  2      [ ]         DGRAM                    1376
unix  2      [ ]         DGRAM                    1103
The line that I'm curious about is this one:
raw 0 0 0.0.0.0:255 0.0.0.0:* 7
I first noticed this line in netstat after stopping some services.
Since this box isn't in production, I rebooted and it's still there. I
also checked out /proc/net/raw and got the following (not sure if it
helps):
linux:/var/run # more /proc/net/raw
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  31: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1431 2 c6d8a0a0
I'm running SuSE linux 7.1. Does anyone know what could be causing
this? Why would a raw socket be opened on port 255? What is state 7
that the socket is in?
Just curious about this output. Any help would be greatly appreciated.
Thanks,
William
> Hi, everyone. This is my first post and I'm trying to figure this out.
> When I do "netstat -an", I get the following:
>
>
> linux:/var/run # netstat -an
...
> raw 0 0 0.0.0.0:255 0.0.0.0:* 7
I don't know offhand what it is. However, you could give netstat the
-p option, and it will tell you which process has this mysterious
socket open. That might be a clue.
--
Nate Eldredge
neld...@hmc.edu
Raw sockets do not have port numbers by definition. 255 is the protocol number.
This value represents a reserved protocol.
My first guess would be that it's a backdoor, sniffer, or DDoS agent installed
by an intruder, although it would be unusual for such a program to use such a
bizarre protocol number. All the same, check /etc/inittab and all the startup
scripts for recent modifications, and do some careful poking around. I
recommend reading up on forensics before you do any serious hunting;
especially, do not run any find commands until you know what to look for and
how. Dave Dittrich has some good info and links on these matters on his web
site. Also look for chkrootkit.
And follow Nate's advice on using the -p option. Maybe you are running some
unusual proprietary software that uses this raw socket. What kernel are you
running?
Oh, and ignore anyone who says that your question is off-topic. You may want to
hit up some Linux groups as well, but obviously there are folks here who are
willing to help.
--
Jefferson Ogata : Internetworker, Antibozo
<og...@antibozo-u-spam-u-die.net> http://www.antibozo.net/ogata/
whois: jo...@whois.networksolutions.com
http://www.antibozo.net/ogata/pgp.asc
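Nate's advice (let netstat -p map the socket to a process) and Jefferson's correction (a raw socket has no port; the number after the colon is the IP protocol) can be checked by hand. The script below is an added example, not code from the original thread or from scanlogd: it decodes the /proc/net/raw line William posted and then does the /proc/<pid>/fd walk that netstat -p performs to find the owner. Assumptions: the /proc layout of Linux 2.4 and later, a little-endian host for the hex address word (as on William's x86 box), and the kernel's TCP state numbering, under which an unconnected raw or UDP socket is reported as 7 (TCP_CLOSE).

```python
"""Decode /proc/net/raw entries and map a socket inode to its process.

Added example; not part of the original thread. The sample line is the one
from the post, embedded here so the script runs without the original box.
"""
import glob
import os
import socket
import struct

# Kernel socket states as printed in /proc/net/{tcp,udp,raw} (hex column "st").
# Raw and UDP sockets are never "connected" in the TCP sense, so an idle one
# is shown as TCP_CLOSE, i.e. 7.
SOCKET_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
    5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
    9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING",
}

# Copied from the original post (header plus the one raw socket).
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  31: 00000000:00FF 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1431 2 c6d8a0a0
"""


def hex_addr(field):
    """'00000000:00FF' -> ('0.0.0.0', 255).

    /proc prints the IPv4 address as the raw 32-bit word in host byte order,
    so on a little-endian host 0100007F is 127.0.0.1 (assumed here).
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_raw(text):
    """Parse the text of /proc/net/raw into one dict per socket."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the slot number, e.g. "31:"; the header does not.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        local_ip, proto = hex_addr(fields[1])
        remote_ip, _ = hex_addr(fields[2])
        state = int(fields[3], 16)
        txq, rxq = (int(x, 16) for x in fields[4].split(":"))
        entries.append({
            "local": local_ip,
            # For a raw socket the "port" column is the IP protocol number.
            # 255 is IPPROTO_RAW, which IANA lists as Reserved.
            "protocol": proto,
            "remote": remote_ip,
            "state": SOCKET_STATES.get(state, "UNKNOWN(%d)" % state),
            "tx_queue": txq,
            "rx_queue": rxq,
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def find_socket_owner(inode, proc="/proc"):
    """Return (pid, comm) of the process holding socket:[inode], or None.

    This is the walk behind `netstat -p`: every /proc/<pid>/fd/<n> is a
    symlink and sockets read as "socket:[<inode>]". Reading other users'
    fd directories needs root, exactly as netstat -p does.
    """
    target = "socket:[%d]" % inode
    for fd_path in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd_path) != target:
                continue
        except OSError:  # process exited or fd closed while we were walking
            continue
        pid = int(fd_path.split(os.sep)[-3])
        try:
            with open(os.path.join(proc, str(pid), "stat")) as f:
                stat = f.read()
            comm = stat[stat.index("(") + 1:stat.rindex(")")]
        except (OSError, ValueError):
            comm = "?"
        return pid, comm
    return None


if __name__ == "__main__":
    # Decode the posted line; the inode will not exist on the machine running
    # this, so the owner lookup is expected to return None here.
    for sock in parse_proc_net_raw(SAMPLE_PROC_NET_RAW):
        print("raw socket: local=%(local)s proto=%(protocol)d state=%(state)s "
              "uid=%(uid)d inode=%(inode)d" % sock)
        print("  owner on this host:", find_socket_owner(sock["inode"]))
    # Same thing against the live table, which is the actual netstat -p check.
    if os.path.exists("/proc/net/raw"):
        with open("/proc/net/raw") as f:
            for sock in parse_proc_net_raw(f.read()):
                print(sock["protocol"], sock["state"], sock["inode"],
                      find_socket_owner(sock["inode"]))
```

Run it as root to see the live entries with their owning processes; as an unprivileged user the fd walk silently skips processes it cannot read, so a "None" owner for a root-owned socket is not evidence that nothing holds it.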
Thanks, Nate. I tried the -p option. Seems like it was syslogd running.
-William
Hi, Jefferson. Thanks for the info on raw sockets. After doing netstat
with the -p option, I saw that the raw socket was being caused by
scanlogd. I believe it was installed during my initial install of SuSE
7.1. But to verify its use of raw sockets, I installed scanlogd on
another linux box I have and it had the same raw socket behavior when
compiled with the "make linux" option. I believe it does this instead
of relying upon a third party IP networking library such as libpcap
when this option is used. I'm not entirely certain about that though.
I'm using kernel version 2.4.0-4 on that box. Thanks for the
information.
-William