topic Re: unknown port 8081 in Operating System - Linux

unknown port 8081

tuhintt — Sat, 07 May 2005 02:09:32 GMT

recently i found in my linux box there is a unknown port is running on listen mode and so many host conneted to it. the port is 8081. so to solve the problem i stop all my service except dns(bind). but still this 8082 port is running include 80,443. but i stop my http. what is wrong? pls Help.

Re: unknown port 8081

Ermin Borovac — Sat, 07 May 2005 02:44:33 GMT

You can find out PID and program name of the program listening on the port 8081 with (must run this as root to use -p option)

# netstat -nlp | grep :8081

In the example below you can see PID 3283 (sshd) is listening on port 22.

# netstat -nlp | grep :22
tcp 0 0 :::22 :::* LISTEN 3283/sshd

Re: unknown port 8081

renarios — Sat, 07 May 2005 05:37:21 GMT

I just ran into another forum (http://mail.zope.org/pipermail/zope/2002-December/127421.html) where they speak about a zope server using port 8021 for ftp.

You might take a glance at it.

Cheerio,

Renarios

Re: unknown port 8081

Andrew Cowan — Sun, 08 May 2005 06:54:41 GMT

Hi Tuhintt,

Try running "lsof -i" t osee which program is using this port.

Re: unknown port 8081

Gopi Sekar — Mon, 09 May 2005 01:28:52 GMT

from /etc/services the 8081 port is generally used by Transparent proxy service. if you are running some proxy servers on your system then they might be using this port.

but thats not the case always as any program can bind to this port and listen for connections.

do check 'netstat -atp | grep 8081' to find out process name. ofcourse you have to be root to do this.

Hope this helps,
Gopi

Re: unknown port 8081

Bejoy C Alias — Mon, 09 May 2005 07:53:08 GMT

The 8081 port is used for transparent proxying. But it is not always true that this port is used by only ur normal web server running on port 80 . If u had Trend Micro Suites ( IMSS , IWSS ) installed , then the program which uses this port is nothing other than this. Try to find out the process which is using this port using
netstat -anp |grep 8081 ,
then traceout the processes which is using the port by
ps -ef |grep ,
In netstat it will only show "httpd" , to traceout which httpd ( not the normal httpd server ) is using this port the ps command will help .

Re: unknown port 8081

tuhintt — Mon, 09 May 2005 23:02:31 GMT

Thank to all, but I check and I find out some unknown user using this port from outside. First they connect to port 80 and then get out through 8081. And I figure out they r using my server for spamming to outside.
So I stop my http(Apache) completely.

I don't know how they did it, and that's I want to know because I don't want them to do this to my server again.

Re: unknown port 8081

Gopi Sekar — Tue, 10 May 2005 00:38:04 GMT

looks like security breach. first get your server out of network, they might have put in some other backdoor to login even if you stop httpd process.

best would be to reinstall the entire OS with newer version which contains security fixes, because they might have installed some sort of rootkit to modify application to suite their needs.

Re: unknown port 8081

Stuart Browne — Tue, 10 May 2005 01:05:34 GMT

Yes.. At the very least you need to make sure your server is up-to-date with security updates.

If it's a RH or Fedora box, there are regular security releases. If it's so old that it's gone to legacy, then you need to upgrade the distribution so something that is actively maintained.

Suse and Debian distributions also have regular updates, as do all major distributions.

Second thing is firewall. Make sure only those services of which you want publically accessable, are publically accessable. For instance, if you aren't using 'https://', either make sure 'mod_ssl' isn't enabled in your apache config, or make sure it's firewalled out.

Also check what other services are running on your machine (netstat -nutlp) and figure out which are or are not supposed to be available to the world.