# Port 623/tcp open  unknown

## _vedanta_

I am worried  :Confused:  ... what's using port 623? Any clues?

thanks

```
foo ~ # nmap localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-07-26 17:36 GMT
Interesting ports on localhost (127.0.0.1):
(The 1660 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
623/tcp open  unknown

Nmap finished: 1 IP address (1 host up) scanned in 0.233 seconds

foo ~ # rc-update -s
           alsasound | boot
                apmd |
            bootmisc | boot
             checkfs | boot
           checkroot | boot
               clock | boot
            coldplug |      default
         consolefont | boot
         crypto-loop |
               cupsd |
                dbus |
          domainname |      default
              dotnet |
              esound |
                famd |      default
                 gpm |      default
                hald |      default
              hdparm |
            hostname | boot
             hotplug |
              jabber |
             keymaps | boot
               local |      default nonetwork
          localmount | boot
             modules | boot
            net.eth0 |      default
              net.lo | boot
            netmount |      default
                nscd |
             numlock |
             portmap |
             proftpd |
           rmnologin | boot
              rsyncd |
              serial | boot
               slapd |
              slurpd |
               spamd |
              splash | boot default
                sshd |      default
           syslog-ng |      default
             urandom | boot
          vixie-cron |      default
                 xdm |      default
foo ~ #
```

----------

## ikaro

looks like:

```
 623 TCP    asf-rmcp    ASF Remote Management and Control Protocol    Rtb666
```

----------

## Nuteater

You can check which app is listening on that port with

```
lsof -i | grep LISTEN
```

(if you don't have lsof, you'll have to emerge lsof first).

The RTB666 mentioned in ikaro's note is a trojan, but it is a Windows-only trojan (see http://www.simovits.com/trojans/tr_data/y2858.html), so dunno about that  :Wink: .

----------

## smurfd

```
netstat -tulp
```

 is pretty useful as well!!

----------

## magic919

I'll second that and advance to 

```
netstat -tunlp
```

 to get listening ports as numbers.

----------

## _vedanta_

here is the output

```
foo ~ # lsof -i | grep LISTEN
sshd       6323    root    3u  IPv4  917252       TCP *:ssh (LISTEN)
portmap    9325     rpc    4u  IPv4   16000       TCP *:sunrpc (LISTEN)
famd       9351 vedanta    3u  IPv4   16028       TCP localhost:623 (LISTEN)
mysqld    18203   mysql    3u  IPv4 1047091       TCP localhost:mysql (LISTEN)
mysqld    18204   mysql    3u  IPv4 1047091       TCP localhost:mysql (LISTEN)
mysqld    18205   mysql    3u  IPv4 1047091       TCP localhost:mysql (LISTEN)
mysqld    18206   mysql    3u  IPv4 1047091       TCP localhost:mysql (LISTEN)
foo ~ #
```

...

```
foo ~ # netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      18203/mysqld
tcp        0      0 127.0.0.1:623           0.0.0.0:*               LISTEN      9351/famd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      9325/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6323/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           9325/portmap
foo ~ #
```

```
vedanta ~ $ netstat -ap
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:mysql         *:*                     LISTEN      -
tcp        0      0 localhost:623           *:*                     LISTEN      -
tcp        0      0 *:sunrpc                *:*                     LISTEN      -
tcp        0      0 *:ssh                   *:*                     LISTEN      -
```

----------

## magic919

famd it is then.

----------

## _vedanta_

yeah! ... i use gnome which requires famd  :Smile: 

but can nmap show a more comprehensive output

----------

## Nuteater

Yes, it's just the File Alteration Monitor Daemon (app-admin/fam), and it's only listening for connections coming from the local host, so nothing to fear.  :Wink: 

Better to nmap your machine from somewhere else to get a better picture, and weed out false positives such as this.

----------
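What `lsof -i | grep LISTEN` and `netstat -tunlp` actually do to answer "who owns port 623, and can anyone but localhost reach it?", as an added example that is not part of the thread and not code from any project mentioned in it. On Linux both tools read the kernel socket table `/proc/net/tcp` and resolve each socket's inode to a process by walking `/proc/<pid>/fd`. The table below is constructed to mirror the listeners in the posts above (famd on `127.0.0.1:623`, sshd on `*:22`, portmap on `*:111`, mysqld on `127.0.0.1:3306`, plus one ESTABLISHED pair that must be skipped); the inode numbers in it will not resolve on your machine, which is exactly the `-` that `netstat -ap` prints for an unprivileged user. Function names and the `/proc` layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: the bookkeeping behind "netstat -tunlp"
# and "lsof -i | grep LISTEN".  /proc/net/tcp is IPv4 only; IPv6 listeners
# live in /proc/net/tcp6 with 32-hex-digit addresses (not handled here).
# Columns used: $2 local_address = HEXIP:HEXPORT (IPv4 bytes stored in
# reverse order, so 0100007F is 127.0.0.1), $4 st (0A = LISTEN), $10 inode.

# Constructed sample table, NOT real output from the poster's host.
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:026F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 16028 1 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 917252 1 0 10 0
   2: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     1        0 16000 1 0 10 0
   3: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    60        0 1047091 1 0 10 0
   4: 0100007F:89FA 0100007F:8000 01 00000000:00000000 00:00000000 00000000  1000        0 20001 1 0 10 0'

hex2ip() {
    # 0100007F -> 127.0.0.1: the kernel prints the four bytes least-significant first.
    b1=$(printf '%s' "$1" | cut -c1-2)
    b2=$(printf '%s' "$1" | cut -c3-4)
    b3=$(printf '%s' "$1" | cut -c5-6)
    b4=$(printf '%s' "$1" | cut -c7-8)
    printf '%d.%d.%d.%d' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))"
}

listening_sockets() {
    # Print "ip:port inode" for every socket in LISTEN state (st == 0A) in a
    # /proc/net/tcp-format table passed as $1.  ESTABLISHED rows are dropped.
    printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0A" { print $2, $10 }' |
    while read -r addr inode; do
        hexip=${addr%%:*}
        hexport=${addr##*:}
        printf '%s:%d %s\n' "$(hex2ip "$hexip")" "$((0x$hexport))" "$inode"
    done
}

exposure() {
    # Read a "ip:port" bind the way the thread reads netstat output: a
    # 127.0.0.0/8 bind (famd's case) is reachable only from the host itself,
    # 0.0.0.0 or an interface address is reachable from the network.
    case ${1%%:*} in
        127.*) printf 'loopback-only' ;;
        *)     printf 'network-reachable' ;;
    esac
}

pid_for_inode() {
    # Resolve a socket inode to "pid cmdline" by scanning every process's fd
    # table.  Only fds you may read are visible, so run this as root or you get
    # the same "-" that netstat -ap printed for the unprivileged user above.
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        return 0
    done
    return 1
}

report() {
    # One line per listener: bind address, exposure, and owning process if resolvable.
    listening_sockets "$1" | while read -r sock inode; do
        owner=$(pid_for_inode "$inode") || owner='-'
        printf '%-20s %-18s %s\n' "$sock" "$(exposure "$sock")" "$owner"
    done
}

# Demo on the constructed table (no /proc walk, so it runs anywhere):
listening_sockets "$SAMPLE_TCP" | while read -r sock inode; do
    printf '%-20s %s\n' "$sock" "$(exposure "$sock")"
done
# On a live Linux host, as root:  report "$(cat /proc/net/tcp)"
```

Run `report "$(cat /proc/net/tcp)"` as root to get the same picture `netstat -tunlp` gives; the `loopback-only` column is the check that answers the original question, since a loopback bind never shows up in an nmap run from another machine.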

## _vedanta_

 *Quote:*   

> Yes, it's just the File Alteration Monitor Daemon (app-admin/fam), 
> 
> and it's only listening for connections coming from the local host, 
> 
> so nothing to fear. 

 

... i had done an nmap with the eth0 ip and the port did not show up. 

Can we do some thing so that nmap at localhost reports it ?

Also, does famd select random ports, because on another system it's running on a different port?

----------

## Nuteater

 *_vedanta_ wrote:*   

> i had done an nmap with the eth0 ip and the port did not show up. 
> 
> Can we do some thing so that nmap at localhost reports it ?
> 
> 

 

I don't think I understand what you mean...

For testing your system with nmap, it's better to put yourself in the position of the attacker -- run nmap from an outside ip, so that you can see what information an outside attacker could get with nmap. Nmap has loads of options for more sophisticated tests and more verbose output, so you should see man nmap.

 *_vedanta_ wrote:*   

> Also does famd select random ports, coz in another system its running on a different port?

 

My guess is that famd's port is configurable (I don't use it myself).

----------

## _vedanta_

 *_vedanta_ wrote:*   

> i had done an nmap with the eth0 ip and the port did not show up. 
> 
> 

 

... problem fixed  :Smile: 

i wanted to know where does nmap pick up the [port == service_name] from, is it /etc/service? if we fix it there maybe nmap will report comprehensible output for famd when it is run on localhost (just curious)

----------

## Nuteater

 *_vedanta_ wrote:*   

> i wanted to know where does nmap pick up the [port == service_name] from, is it /etc/service?

 

Probably yes, but still, identifying an application based on the port it is listening on is not more than a lucky guess.  :Smile:  Nmap can also identify applications and app versions by connecting to the application and checking its output (if there is any). It is good security practice to run apps such as sshd on non-standard ports. And you are better off using lsof or netstat if you are checking for open ports on the same machine, as they can give you more information.

----------

## _vedanta_

 :Very Happy:  cool .... I agree

----------

## Mgiese

```
nmap localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-08-01 03:42 CEST
Interesting ports on localhost (127.0.0.1):
(The 1661 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
53/tcp  open  domain
631/tcp open  ipp
```

does anyone have an idea? i don't know what service 631 could be ...  :Sad: 

----------

## gyratedotorg

ipp is the internet printing protocol.  i believe the cups printer daemon uses this.

----------

## Nuteater

 *Mgiese wrote:*   

> does anyone have  an idea ? i dont know what service 631 coult be ... 

 

See the posts above on how to check which application is listening on which port.

Nmap is for checking your ports remotely, lsof -i and netstat are for checking them locally.

----------

## Mgiese

 *Nuteater wrote:*   

>  *Mgiese wrote:*   does anyone have  an idea ? i dont know what service 631 coult be ...  
> 
> See the posts above on how to check which application is listening on which port.
> 
> Nmap is for checking your ports remotely, lsof -i and netstat are for checking them locally.

 

thx so far but "lsof -i" doesn't work --> -bash: lsof: command not found

and with netstat i just don't know what parameters i have to use to find out which application is using port 631 ... THX in advance

----------

## Nuteater

You could have found out all this by reading the posts above, but here goes:

 *Mgiese wrote:*   

> thx so far but  "lsof -i" doesnt work --> -bash: lsof: command not found

 

As I said, if you don't have lsof, you'll have to emerge lsof first.

 *Mgiese wrote:*   

> and netstat i just dont know what parameters i have to use to get know which application is using port 631

 

As magic919 and smurfd pointed out, you could try netstat with e.g.

```
netstat -tunlp
```

----------

## Mgiese

sometimes i am just a jerk who's unable to read stuff just 3 posts above ..  :Sad: 

```
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      9367/cupsd
udp        0      0 0.0.0.0:631             0.0.0.0:*                           9367/cupsd
```

thx for patience and understanding!

----------

## Mgiese

```
netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ipp                   *:*                     LISTEN
tcp        0      0 localhost:35322         localhost:32768         ESTABLISHED
tcp        0      0 localhost:32768         localhost:35322         ESTABLISHED
udp        0      0 *:bootps                *:*
udp        0      0 *:bootpc                *:*
udp        0      0 *:ipp                   *:*
raw        0      0 *:icmp                  *:*                     7
```

what ipp means i can now imagine... but why do i have an icmp raw socket?

and why do i have those strange 35322 to 32768 connections on my localhost?

thx in advance ...

EDIT :

```
tcp        0      0 localhost:35322         localhost:32768         ESTABLISHED 9708/wine
tcp        0      0 localhost:32768         localhost:35322         ESTABLISHED 9708/wine
```

why?? what did i do wrong, was it to use windows software??  :Smile:  seems to be STEAM ... but the task refuses to quit ...

```
ps -aux
userwhy      9712  0.0  0.3   7012  1700 ?        T    21:51   0:00 /usr/lib/transgaming_cedega//winex/bin/wineserver
```

even more than 2 times "kill 9712" doesn't work

i also saw that the raw socket is for dhcpd, but why is dhcpd using ICMP???

----------

## revertex

 *Nuteater wrote:*   

> 
> 
> Nmap is for checking your ports remotely, lsof -i and netstat are for checking them locally.

 

"man nmap" can help you to get the same results as netstat and lsof for checking your ports locally.

nmap is not as easy to use as lsof, but on the other hand it is much more powerful.

----------

## Nuteater

 *revertex wrote:*   

> "man nmap" can help you to get the same results as netstat and lsof for checking your ports locally.
> 
> the only difference is nmap is a tool waaaay advanced.

 

AFAIK, nmap cannot outright tell which application is listening on which port - it can perform only an educated guess.

I say it once more: nmap is a great tool for remote network exploration, but in this case ("I have port XXX open in my local machine and don't know what's listening on it."), there are tools better suited for the purpose.

----------

## revertex

```
nmap -PR -T4 -A localhost

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-09-20 22:35 BRT
Interesting ports on fakehost.fakedomain.net (127.0.0.1):
(The 1663 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 4.1 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
80/tcp  open  http        thttpd 2.25b 29dec2003
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: FAKEGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: FAKEGROUP)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.5.25 - 2.6.8 or Gentoo 1.2 Linux 2.4.19 rc1-rc7
Uptime 0.208 days (since Tue Sep 20 17:35:46 2005)
Service Info: Host:  fakehost.net

Nmap finished: 1 IP address (1 host up) scanned in 20.452 seconds
```

 :Shocked:   :Shocked:   :Shocked:   :Shocked:   :Shocked:   :Shocked:  educated guess???   :Shocked:   :Shocked:   :Shocked:   :Shocked:   :Shocked:   :Shocked: 

(a note to all script kiddies around: i'm behind a router/firewall, these ports are not accessible from outside)

----------

## Nuteater

Okay, granted that nmap is very educated in its guessing  :Wink: . Nevertheless, nmap in no way uses the privileges you have on that machine. If you have root access to the machine you are planning to study, why employ sophisticated super-bogolevel 5 AI fingerprint algorithms to find out which app is listening, when you can just use your privileges and look?

----------

## revertex

LoL! don't be so serious, i'm just kidding!  :Very Happy: 

I know nmap isn't suited to this kind of thing, i totally agree it's plain stupid to use a very complex tool that needs root privileges if you can do it in a simpler manner.

----------

