# Something listens on port 52000

## md5xxx1

I discovered that something listens on port 52000 and receives a lot of TCP packets from different IP addresses. It replies to these packets with short TCP packets. `netstat -p -a` doesn't display any process on this port. This process starts immediately after the computer reboots. What is this? Is this a trojan or something like that? What can I do about it?

----------

## gentoo_ram

Did you do the netstat command as root?  That makes a difference when using the '-p' flag.  Also, you could try 'lsof'.  That will show network sockets as well.  Again, you need to be root to run this command effectively.

----------

## poly_poly-man

*md5xxx1 wrote:*

> I discovered that something listens on port 52000 and receives a lot of TCP packets from different IP addresses. It replies to these packets with short TCP packets. `netstat -p -a` doesn't display any process on this port. This process starts immediately after computer reboot. What is this? Is this trojan or something like that? What can I do with it?

bittorrent? any servers?

Run `rc-update` and post the output.

----------

## md5xxx1

*Quote:*

> Did you do the netstat command as root?

yes

*Quote:*

> bittorrent? any servers?

apache, mysql (listens only on localhost), named

Also, I tried to run `telnet localhost 52000`. This outputs `Connection refused`; however, in the `tcpdump -ilo` output I see that a TCP packet was sent in response to the request. Is this normal? I thought that in this case only an ICMP packet should be sent in response.

Also, I have strange apache2 logs:

```
82.79.76.20 - - [18/Feb/2009:19:06:36 +0300] "GET http://www.yahoo.com/ HTTP/1.1" 200 44
```

Why is the HTTP status 200? This should be 404. I tried to enter http://address/http://www.yahoo.com/ in the web browser, but this prints 404 for me and not for the remote host displayed in the log.

----------
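As an added worked example (not from any poster in this thread): the request line in the access-log entry above is in absolute-URI form, which is what a client sends to a forward proxy rather than to an origin server. A 2xx answer to such a request is what an open proxy logs after fetching the remote page; a server that does not proxy answers 404 or 400 instead. The Python below parses Apache common-log lines and picks out proxy-style requests (absolute URI target, or a CONNECT tunnel request) that were answered with 2xx/3xx. Only the first sample line is the one quoted in the post; the others are constructed with RFC 5737 documentation addresses to show the remaining cases.

```python
import re

# Apache "common" log format as it appears in the post:
#   client identd user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log. Line 1 is the one quoted in the thread; the rest are
# made up (documentation addresses) to cover a refused proxy request, a CONNECT
# tunnel that was served, a normal local request and a non-matching line.
SAMPLE_LOG = [
    '82.79.76.20 - - [18/Feb/2009:19:06:36 +0300] "GET http://www.yahoo.com/ HTTP/1.1" 200 44',
    '203.0.113.9 - - [18/Feb/2009:19:06:40 +0300] "GET http://www.example.com/ HTTP/1.1" 404 312',
    '198.51.100.7 - - [18/Feb/2009:19:07:02 +0300] "CONNECT mail.example.net:25 HTTP/1.1" 200 -',
    '192.0.2.33 - - [18/Feb/2009:19:07:15 +0300] "GET /index.html HTTP/1.1" 200 1043',
    'not a log line at all',
]


def parse_line(line):
    """Return the fields of one common-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_proxy_style(rec):
    """True when the request is the kind a client sends to a forward proxy:
    an absolute-URI target (GET http://host/...) or a CONNECT tunnel request."""
    return rec["method"] == "CONNECT" or rec["target"].lower().startswith(("http://", "https://"))


def find_proxy_requests(lines):
    """Proxy-style requests that were answered 2xx/3xx, i.e. apparently served.
    Returns a list of (client ip, target, status) in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_proxy_style(rec) and 200 <= rec["status"] < 400:
            hits.append((rec["ip"], rec["target"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, target, status in find_proxy_requests(SAMPLE_LOG):
        print(f"{ip} got {status} for proxy-style request {target}")
```

On the constructed sample this reports the yahoo.com line and the CONNECT line; the 404 line is a proxy attempt the server refused, and the `/index.html` line is ordinary local traffic. Feeding a real access_log through `find_proxy_requests` (one line per list element) gives a quick count of how much proxy-style traffic was actually served.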

## poly_poly-man

```
telnet yourhost 80
GET http://www.yahoo.com/ HTTP/1.1
```

(hit enter twice after that command)

----------

## krinn

and `netstat -lep` still doesn't see it?

avahi and nfs, for example, are common programs you may forget (`rpcinfo -p localhost`).

----------

## Malvineous

Try "telnet <yourip> 52000" as well - when you use "localhost" it goes through the "lo" network interface (which could have the port blocked by iptables) but when you telnet to your network card's IP then the connection comes in on that interface instead (e.g. for me 192.168.0.1 connects through eth0.)  It's possible to block a port on one interface but not another.

As to the HTTP 200 in your logs, you probably have your webserver configured with a default virtual host, so that any requests coming in for unknown hosts will see the 'default' page.  To test this, you can add an entry for www.yahoo.com into /etc/hosts with 127.0.0.1, then visit the web address in your browser.  This will send a request for Yahoo to your local PC, and you can see in your browser what the HTTP 200 response actually contains.

I think a 'connection refused' returns a TCP RST packet, so seeing a TCP response to that is fine.

If no programs are showing up as listening on port 52000, how do you know there is something listening on that port?  When you say your PC replies with "short TCP packets", are these the same RST packets you get when you telnet and get "Connection refused"?  If so, all it means is there is nothing listening on that port, and your PC keeps sending 'connection refused' messages to anyone who tries to connect.  If you're really worried about it, set up your firewall as per the recommended method so it drops all packets for closed ports (instead of replying with 'connection refused'.)

----------
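Added example, not from any post in the thread: the three client-side outcomes Malvineous distinguishes are easy to tell apart from a script when checking your own host. A completed connect means something accepted the connection; `ConnectionRefusedError` means the kernel answered with a TCP RST, which is the "short TCP packet" a closed port produces; and a timeout means the SYN was dropped, which is what a firewall DROP rule (rather than REJECT) gives you. The demo binds a listener on 127.0.0.1 on an ephemeral port, probes it, closes it and probes again. `probe_port` and `demo` are names chosen for this example.

```python
import socket


def probe_port(host, port, timeout=2.0):
    """Classify a TCP port from the client side.

    'open'     - three-way handshake completed: a process accepted the connection
    'closed'   - RST came back (ConnectionRefusedError): nothing is listening,
                 the kernel itself answered, so netstat/ss show no process
    'filtered' - nothing came back before the timeout: packets are being dropped
                 (firewall DROP rule, or no route to the host)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (TimeoutError, socket.timeout):
        return "filtered"


def demo():
    """Listen on an ephemeral loopback port, probe it, close it, probe again.

    Returns (port, state while listening, state after close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()  # from now on the kernel answers SYNs on this port with RST
    after_close = probe_port("127.0.0.1", port)
    return port, while_listening, after_close


if __name__ == "__main__":
    port, before, after = demo()
    print(f"port {port}: {before} while listening, {after} after close")
```

If `probe_port("127.0.0.1", 52000)` reports `closed`, the replies seen in tcpdump are RSTs generated by the kernel and there is no process to find; cross-check with `ss -ltnp` or `netstat -lntp` run as root, which list every listening socket together with its owning process.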

## Hu

*Malvineous wrote:*

> Try "telnet <yourip> 52000" as well - when you use "localhost" it goes through the "lo" network interface (which could have the port blocked by iptables) but when you telnet to your network card's IP then the connection comes in on that interface instead (e.g. for me 192.168.0.1 connects through eth0.)

Not quite.  Connections to the local machine always have an interface of lo, even when you use one of the real IP addresses.  To test this, run `tcpdump -i lo -n tcp port 52000` and then use socat to connect to 52000 on any of your machine's IP addresses.  Repeat with tcpdump monitoring eth0 and connect to your eth0 IP address.  You should always see the connection in the first case and never in the second case.

You are correct that entering localhost will typically resolve to 127.0.0.1, and that could make a difference in the results observed.

----------

## Malvineous

Oh you're right, it still goes through localhost, I wonder how I reached that conclusion...?  Maybe I was using iptables with destination addresses instead of interfaces...

----------

## md5xxx1

Regarding apache logs, when I run `telnet localhost 80` and send `GET http://yahoo.com/ HTTP/1.1`, it displays status `400 Bad Request`. But the status was 200 for the remote host, as displayed in the log. Why?

----------

## Tekeli Li

Sounds to me like you have an open proxy there. Also, as Malvineous already asked, how did you discover port 52000 open?

----------

## Malvineous

*md5xxx1 wrote:*

> when I run telnet localhost 80, GET http://yahoo.com/ HTTP/1.1 it displays status 400 Bad Request. But the status was 200 for remote host as displayed in the log. Why?

Because you're sending an invalid request.  HTTP 1.1 requires a Host header.  You'll have to try one of these instead:

```
GET http://www.yahoo.com HTTP/1.1
Host: www.yahoo.com
```

or

```
GET http://www.yahoo.com HTTP/1.0
```

HTTP 1.0 doesn't support virtual hosts, so you don't need the Host header.

----------
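Added example, not part of Malvineous's or md5xxx1's posts: a throwaway local HTTP server (Python's `http.server` with a hypothetical handler named `StrictHandler`) that applies the two rules under discussion, 400 for an HTTP/1.1 request that carries no Host header and 404 for a proxy-style absolute-URI request because the server does not forward requests, plus a raw-socket client that sends the same bytes telnet or socat would. An open proxy would fetch the remote page and answer the second request with 200, which is what the log line earlier in the thread shows. The request byte strings are constructed for the example.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed raw requests: exactly the bytes telnet sends (CRLF line ends,
# empty line terminates the headers).
NO_HOST_11 = b"GET http://www.yahoo.com/ HTTP/1.1\r\n\r\n"
WITH_HOST_11 = b"GET http://www.yahoo.com/ HTTP/1.1\r\nHost: www.yahoo.com\r\n\r\n"
PLAIN_10 = b"GET / HTTP/1.0\r\n\r\n"


class StrictHandler(BaseHTTPRequestHandler):
    """Hypothetical origin-server handler written for this example.

    Rule 1: an HTTP/1.1 request must carry a Host header, otherwise 400
            (the "400 Bad Request" md5xxx1 saw from telnet).
    Rule 2: an absolute-URI request line asks the server to act as a forward
            proxy; an origin server refuses (404 here). An open proxy would
            fetch the remote page and log 200 instead.
    """

    def do_GET(self):
        if self.request_version == "HTTP/1.1" and "Host" not in self.headers:
            self.send_error(400, "HTTP/1.1 request without Host header")
            return
        if self.path.lower().startswith(("http://", "https://")):
            self.send_error(404, "This server does not proxy requests")
            return
        body = b"local default page\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; a real server writes these to access_log


def start_server():
    """Start StrictHandler on 127.0.0.1 on an ephemeral port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), StrictHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def raw_request(port, request):
    """Send raw request bytes over TCP (telnet/socat style), read until the server
    closes the connection, and return the numeric status code."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    status_line = b"".join(chunks).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])


if __name__ == "__main__":
    server, port = start_server()
    try:
        for name, req in (("HTTP/1.1, no Host", NO_HOST_11),
                          ("HTTP/1.1, with Host", WITH_HOST_11),
                          ("HTTP/1.0, plain", PLAIN_10)):
            print(f"{name}: {raw_request(port, req)}")
    finally:
        server.shutdown()
        server.server_close()
```

The same three requests against the real apache on port 80 separate the cases in the thread: 400 means the request itself was malformed (missing Host), 404 means the server is an ordinary virtual host that happens to receive proxy-style requests, and 200 with the remote site's content means it is actually proxying.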

## Hu

Although telnet is fine in this case, if you are going to keep running this, you may find it more convenient to have a stored command like `echo -e 'GET / HTTP/1.0\nHost: foo\n' | socat - tcp4:IP:port`.  Then, you can recall the command, making minor adjustments as needed, each time, instead of needing to repeatedly retype the request.  Vary the text within the echo to suit your needs.  Remove the pipe to socat if you want to print it to your terminal for comparison with other commands suggested here.

----------

