Netstat
nmap 顯示奇怪的開放埠
在我的本地主機上執行 nmap 會顯示奇怪的開放埠:
$ nmap -p- localhost Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.00047s latency). All 65535 scanned ports on localhost (127.0.0.1) are closed Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds $ nmap -p- localhost Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.00046s latency). Not shown: 65533 closed ports PORT STATE SERVICE 36642/tcp open unknown 50826/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 2.55 seconds $ nmap -p- localhost Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.00050s latency). Not shown: 65531 closed ports PORT STATE SERVICE 37700/tcp open unknown 46694/tcp open unknown 48334/tcp open unknown 53438/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds $ nmap -p- localhost Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET Nmap scan report for localhost (127.0.0.1) Host is up (0.00046s latency). All 65535 scanned ports on localhost (127.0.0.1) are closed Nmap done: 1 IP address (1 host up) scanned in 2.51 second
正如這個輸出所示,打開的埠似乎快速而隨機地變化。如果我以正確的方式解釋輸出,我無法通過 netstat 看到這些埠:
$ sudo netstat -tulpen Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 0 17081 809/dnsmasq udp 0 0 0.0.0.0:5449 0.0.0.0:* 0 30885 2855/dhclient udp 0 0 127.0.1.1:53 0.0.0.0:* 0 17080 809/dnsmasq udp 0 0 0.0.0.0:68 0.0.0.0:* 0 30321 2855/dhclient udp 0 0 0.0.0.0:45170 0.0.0.0:* 107 15289 606/avahi-daemon: r udp 0 0 0.0.0.0:631 0.0.0.0:* 0 15931 636/cups-browsed udp 0 0 0.0.0.0:5353 0.0.0.0:* 107 15287 606/avahi-daemon: r udp6 0 0 :::34146 :::* 107 15290 606/avahi-daemon: r udp6 0 0 :::55654 :::* 0 30886 2855/dhclient udp6 0 0 :::5353 :::* 107 15288 606/avahi-daemon: r
我嘗試使用 lsof 調查這些埠,但沒有結果,我猜當 nmap 返回時,埠不再打開:
lsof -i :`nmap -p- localhost|grep '/tcp'|cut -d'/' -f1|head -n1`
我可以做些什麼來進一步調查這個問題?我需要擔心嗎?這是正常的嗎?我應該懷疑任何惡意程序正在執行嗎?
請注意,這個問答是不同的,因為我在本地機器上執行所有內容。
這是 Nmap 6.40 - 6.47 中的一個錯誤,我在 StackOverflow 上的答案中詳細討論過。自 6.49BETA 系列以來已修復此問題,因此升級到最新的 Nmap(撰寫本文時為 7.01)將解決該問題。