Listening on "mysterious" ports


I just tried a port scan on one of my machines (Ubuntu desktop, but
working as a file server (Samba) inside my home LAN), and am
surprised and worried to see that it is listening on ports 48038 and

Rings a bell to anyone?  Any familiar rootkits / backdoors?

netstat -p -l | egrep "48038|50075" does not report a PID for port
48038 --- 50075 corresponds to rpc.statd, which I guess is related
to samba server?  (my question is:  why?) --- oh, here's the
exact output:

tcp        0      0 *:48038                 *:*                     LISTEN     -
tcp        0      0 *:50075                 *:*                     LISTEN     5622/rpc.statd

A Google search returns nothing about malware using these
ports.  Anyone?



Re: Listening on "mysterious" ports


On my mandriva 2009.1 system, I have two ports which do not show
a program in netstat -tapn, and do not show up in
"lsof -n|grep -i tcp|grep $portnumber".

Process of elimination (checking after stopping each daemon) shows
that they belong to smb-server and lm-sensors.

My guess is that the ports are opened by kernel modules, not
regular processes, so there is no program name associated with
them.  The one for lm-sensors is consistently tcp port 2049,
while the one for nfs-server changes each time the service is

This is normal.  It would be nice if it were easier to figure
out which service these ports are being used for, and what
they are being used to do, but if you can confirm which service
they are for, it cuts down the worrying, as you can always
check the code, to see what it's being used for.

Regards, Dave Hodgins


Re: Listening on "mysterious" ports

Carlos Moreno wrote:

rpc.statd is nfs, not smb.

Chances are that 48038 is lockd, which is a kernel module and,
therefore, has no pid.

As root on that machine, try "rpcinfo -p" and see if that helps explain
things for you.

Finally, if you're not using nfs, you can always turn it off.  Ditto for
any other service you're running and not using.  smb is not built on
nfs.  It's totally independent.
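The "rpcinfo -p" check suggested in the reply above can be cross-referenced against the netstat listing automatically. The following is an added example, not part of any post in this thread; the function name explain_listeners is hypothetical, and the rpcinfo table is constructed sample data that assumes the reply's guess (48038 is lockd, which rpcinfo lists as nlockmgr).

```shell
#!/bin/sh
# Constructed sample data: the netstat lines are the two from the question
# (rejoined); the rpcinfo table is made up and assumes the reply's guess
# that 48038 is lockd ("nlockmgr" in rpcinfo's service column).
NETSTAT_SAMPLE='tcp        0      0 *:48038                 *:*                     LISTEN     -
tcp        0      0 *:50075                 *:*                     LISTEN     5622/rpc.statd'

RPCINFO_SAMPLE='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100024    1   tcp  50075  status
    100021    1   tcp  48038  nlockmgr
    100021    3   tcp  48038  nlockmgr
    100021    4   tcp  48038  nlockmgr'

# explain_listeners NETSTAT_TEXT RPCINFO_TEXT
# Prints one line per listening socket: proto/port, owner as netstat saw it,
# and the RPC service registered on that port ("unregistered" if none).
explain_listeners() {
    # Feed rpcinfo first, a marker line, then netstat, into a single awk pass.
    printf '%s\n==NETSTAT==\n%s\n' "$2" "$1" | awk '
        $0 == "==NETSTAT==" { in_netstat = 1; next }
        # rpcinfo -p rows: program vers proto port service
        !in_netstat && $1 ~ /^[0-9]+$/ { rpc[$3 "/" $4] = $5; next }
        # netstat -l rows in LISTEN state; last field is PID/program or "-"
        in_netstat && /LISTEN/ {
            n = split($4, a, ":"); port = a[n]
            proto = $1; sub(/6$/, "", proto)      # tcp6 -> tcp
            key = proto "/" port
            owner = ($NF == "-") ? "no-pid" : $NF
            svc = (key in rpc) ? rpc[key] : "unregistered"
            print key, owner, svc
        }'
}

# Live use (as root): explain_listeners "$(netstat -tlnp)" "$(rpcinfo -p)"
explain_listeners "$NETSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

A line reading "no-pid unregistered" is the case that still needs explaining, for example by stopping services one at a time as described earlier in the thread.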
