i run nmap on localhost on a nightly basis and compare the results (which are emailed to me) against the previous night’s. this way, if a new port mysteriously opens itself, i can tell roughly when it happened.
today, i encountered an open port on 6010. i investigated who was using it by running the following useful commands, which i am posting here for reference:
# /usr/sbin/lsof -i TCP:6010
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 21176 user 9u IPv4 13084094 TCP localhost:x11-ssh-offset (LISTEN)
guess he was using X11 forwarding over ssh, which makes sshd listen on an additional local port (6000 plus the display offset, so 6010 here; lsof prints it under its /etc/services name, x11-ssh-offset).
i further broke this down by looking into the following:
# /sbin/fuser -name tcp 6010
here: 6010
6010/tcp: 24345
this indicated that process ID (pid) 24345 was the one holding the port.
so i looked into the pid:
# /usr/sbin/lsof -p 24345
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 24345 user cwd DIR 8,5 4096 2 /
sshd 24345 user rtd DIR 8,5 4096 2 /
sshd 24345 user txt REG 8,5 309200 20922628 /usr/sbin/sshd
sshd 24345 user mem REG 8,5 941024 23234362 /lib/libcrypto.so.0.9.7a
sshd 24345 user mem REG 8,5 14542 23234382 /lib/libutil-2.3.4.so
sshd 24345 user mem REG 8,5 63624 3069543 /usr/lib/libz.so.1.2.1.2
sshd 24345 user mem REG 8,5 56328 23232671 /lib/libselinux.so.1
[snip]
point being: i now knew the source of the open port, and it was harmless.
on the other hand, if it had been something to worry about, i’d have killed the process with kill -9 24345 and then figured out how it got onto the server in order to better secure it. (before killing anything suspicious, though, save the lsof -p output, the path of the binary and its open connections first; once the process is gone, that evidence goes with it.)
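the nightly scan-and-diff routine from the top of the post, with the lsof lookup from above run automatically on every port that newly appears. this is an added example, not the script i actually use; it assumes nmap, lsof and mail are installed, and PORTWATCH_DIR and MAILTO are placeholder names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes nmap, lsof and mail are
# installed; PORTWATCH_DIR and MAILTO are placeholder names chosen here.

# Extract "port/proto" entries that nmap's grepable (-oG) output lists as open.
open_ports() {  # $1 = path to an nmap -oG file
    grep '^Host:' "$1" | grep -o '[0-9]*/open/[a-z]*' | sed 's#/open/#/#' | sort -u
}

# Print ports that are open in the new scan but were not in the old one.
new_open_ports() {  # $1 = old -oG file, $2 = new -oG file
    { open_ports "$1" | sed 's/^/old /'; open_ports "$2" | sed 's/^/new /'; } |
        awk '$1 == "old" { seen[$2] = 1 } $1 == "new" && !seen[$2] { print $2 }'
}

# The lsof step from the post, generalised to any port/proto; -nP keeps it numeric.
# Run as root, otherwise other users' listeners (like that sshd) are not shown.
owner_of_port() {  # $1 = "port/proto", e.g. 6010/tcp
    lsof -nP -i "$(printf '%s' "${1#*/}" | tr a-z A-Z):${1%/*}"
}

# Nightly cron job: scan, rotate, diff, and mail a report only when something is new.
nightly_scan() {
    dir=${PORTWATCH_DIR:-/var/lib/portwatch}; mkdir -p "$dir"
    [ -f "$dir/today.gnmap" ] && mv "$dir/today.gnmap" "$dir/yesterday.gnmap"
    nmap -sT -p- -oG "$dir/today.gnmap" localhost >/dev/null
    [ -f "$dir/yesterday.gnmap" ] || return 0   # first run: nothing to compare
    report=$(new_open_ports "$dir/yesterday.gnmap" "$dir/today.gnmap" | while read -r p; do
        printf '\n== new open port %s ==\n' "$p"; owner_of_port "$p" 2>&1
    done)
    if [ -n "$report" ]; then
        printf '%s\n' "$report" | mail -s "portwatch: new ports on $(hostname)" "${MAILTO:-root}"
    fi
}

# Constructed sample -oG lines for two nights (not real scans) so the diff can be
# exercised offline; tonight adds 6010/tcp (x11-ssh-offset) plus a filtered port.
SAMPLE_OLD='Host: 127.0.0.1 (localhost)  Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///  Ignored State: closed (998)'
SAMPLE_NEW='Host: 127.0.0.1 (localhost)  Ports: 22/open/tcp//ssh///, 25/open/tcp//smtp///, 6010/open/tcp//x11-ssh-offset///, 631/filtered/tcp//ipp///  Ignored State: closed (996)'

demo() {  # prints the ports that newly appeared in SAMPLE_NEW: "6010/tcp"
    t=$(mktemp -d)
    printf '%s\n' "$SAMPLE_OLD" > "$t/old"; printf '%s\n' "$SAMPLE_NEW" > "$t/new"
    new_open_ports "$t/old" "$t/new"; rm -rf "$t"
}
```

the filtered 631/tcp in the sample is deliberately ignored: only ports nmap reports as open count as newly opened.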