# What program are running at port 6969?

## kawsper

When i scan my server with nmap i get this:

```
kaw@mathilde kaw $ nmap -v 192.168.0.1      

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-30 18:18 GMT

Machine 192.168.0.1 MIGHT actually be listening on probe port 80

Initiating Connect() Scan against julie.debianlan (192.168.0.1) [1663 ports] at 18:18

Discovered open port 80/tcp on 192.168.0.1

Discovered open port 25/tcp on 192.168.0.1

Discovered open port 22/tcp on 192.168.0.1

Discovered open port 53/tcp on 192.168.0.1

Discovered open port 3128/tcp on 192.168.0.1

Discovered open port 1024/tcp on 192.168.0.1

The Connect() Scan took 2.57s to scan 1663 total ports.

Host julie.debianlan (192.168.0.1) appears to be up ... good.

Interesting ports on julie.debianlan (192.168.0.1):

(The 1654 ports scanned but not shown below are in state: closed)

PORT     STATE    SERVICE

22/tcp   open     ssh

25/tcp   open     smtp

53/tcp   open     domain

80/tcp   open     http

1024/tcp open     kdm

3128/tcp open     squid-http

6667/tcp filtered irc

6668/tcp filtered irc

6969/tcp filtered acmsoda
```

I can understand every port except for the 6969 acmsoda, i try to run netstat:

```
root@julie www # netstat -lp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   

tcp        0      0 *:1024                  *:*                     LISTEN      7484/sshd           

tcp        0      0 *:4488                  *:*                     LISTEN      12254/psybnc        

tcp        0      0 localhost:mysql         *:*                     LISTEN      7418/mysqld         

tcp        0      0 localhost:783           *:*                     LISTEN      8928/local.cf       

tcp        0      0 *:www                   *:*                     LISTEN      7594/apache2        

tcp        0      0 *:domain                *:*                     LISTEN      7285/dnsmasq        

tcp        0      0 *:ssh                   *:*                     LISTEN      7484/sshd           

tcp        0      0 192.168.0.1:webcache    *:*                     LISTEN      8993/(squid)        

tcp        0      0 *:smtp                  *:*                     LISTEN      7572/tcpserver      

udp        0      0 *:1024                  *:*                                 7285/dnsmasq        

udp        0      0 *:1025                  *:*                                 8993/(squid)        

udp        0      0 *:domain                *:*                                 7285/dnsmasq        

udp        0      0 *:bootps                *:*                                 7285/dnsmasq        

udp        0      0 *:bootpc                *:*                                 7172/dhcpcd         

raw        0      0 *:icmp                  *:*                     7           7285/dnsmasq        

Active UNIX domain sockets (only servers)

Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path

unix  2      [ ACC ]     STREAM     LISTENING     7428   7418/mysqld         /var/run/mysqld/mysqld.sock

unix  2      [ ACC ]     STREAM     LISTENING     7603   7609/apache2        /var/run/cgisock
```

Which program is actually using the port?

----------

## nephros

Try running "fuser -v 6969/tcp", that will tell you more.

fuser is part of the sys-process/psmisc package.

----------

## kawsper

When running fuser -v 6969/tcp it doesn't show a thing.

```
root@julie www # fuser -v 6969/tcp

root@julie www # fuser -v 6969/tcp
```

Any other suggestions?

----------

## nephros

Are you (or is someone behind that firewall) running a bittorrent tracker? They use that port too.

----------

## kawsper

I've now manually tested and unplugged every client on my network (There are 4 of them).

And is is only when a client nmaps the server it is visible, the server does not see the server. Very confusing.

----------

## Mit

the netstat doesn't show an IRCd (or anything else) running on 6667 and 6668 - is it possible your firewall is set to explicitly 'reject' those ports where all others are dropped?

----------

## ai

try amap - an application mapper  :Smile: 

----------

## wjholden

If you think someones busted into your box you might check out Nessus (emerge nessus).

----------

## Mit

http://isc.sans.org/port_details.php?port=6969 - Known things that run on taht port.

----------

## kawsper

I never found out which program that were using the port.

But thanks for the help, and the tip for nessus, it did not find the port but i got corrected some fatal errors in my home network.

----------

