在我的本地主机上运行 nmap 显示了奇怪的开放端口:
$ nmap -p- localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00047s latency).
All 65535 scanned ports on localhost (127.0.0.1) are closed
Nmap done: 1 IP address (1 host up) scanned in 2.51 seconds
$ nmap -p- localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
36642/tcp open unknown
50826/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 2.55 seconds
$ nmap -p- localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00050s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
37700/tcp open unknown
46694/tcp open unknown
48334/tcp open unknown
53438/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 2.60 seconds
$ nmap -p- localhost
Starting Nmap 6.47 ( http://nmap.org ) at 2015-12-28 12:14 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00046s latency).
All 65535 scanned ports on localhost (127.0.0.1) are closed
Nmap done: 1 IP address (1 host up) scanned in 2.51 second
正如此输出所示,开放端口似乎变化很快且随机。如果我以正确的方式解释输出,我无法通过 netstat 看到这些端口:
$ sudo netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 0 17081 809/dnsmasq
udp 0 0 0.0.0.0:5449 0.0.0.0:* 0 30885 2855/dhclient
udp 0 0 127.0.1.1:53 0.0.0.0:* 0 17080 809/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 0 30321 2855/dhclient
udp 0 0 0.0.0.0:45170 0.0.0.0:* 107 15289 606/avahi-daemon: r
udp 0 0 0.0.0.0:631 0.0.0.0:* 0 15931 636/cups-browsed
udp 0 0 0.0.0.0:5353 0.0.0.0:* 107 15287 606/avahi-daemon: r
udp6 0 0 :::34146 :::* 107 15290 606/avahi-daemon: r
udp6 0 0 :::55654 :::* 0 30886 2855/dhclient
udp6 0 0 :::5353 :::* 107 15288 606/avahi-daemon: r
我尝试使用 lsof 来调查这些端口,但是没有结果,我猜当 nmap 返回时,该端口不再开放:
lsof -i :`nmap -p- localhost|grep '/tcp'|cut -d'/' -f1|head -n1`
我可以做些什么来进一步调查这个问题?我有必要担心吗?这是正常的吗?我是否应该怀疑有恶意进程正在运行?
请注意问答有所不同,因为我在本地机器上运行所有东西。
答案1
这是 Nmap 6.40 - 6.47 中的一个错误,我详细讨论过StackOverflow 上的一个答案。自 6.49BETA 系列以来,该问题已得到修复,因此升级到最新的 Nmap(撰写本文时版本为 7.01)将解决该问题。