Every time you finish setting up a server, take note of the ports that are listening. An unusual listening port could be evidence of an intrusion.
The following command lists the TCP ports that are listening on the local system:
nmap -sT -O localhost
The output of the command will look similar to this:
This output shows that the system is running portmap due to the presence of the sunrpc service. However, there is also a mystery service on port 834.
To check if the port is associated with the official list of known services, type:
cat /etc/services | grep 834
This command will return no output. This indicates that while the port is in the reserved range (meaning 0 through 1023) and requires root access to open, it is not associated with a known service.
Next, check the status of the port using netstat or lsof:
For port 834:
netstat -anp | grep 834
This produces output similar to the following:
tcp 0 0 0.0.0.0:834 0.0.0.0:* LISTEN 653/ypbind
The presence of the open port in the netstat output is reassuring, because a cracker who opened a port surreptitiously on a hacked system would likely not allow it to be revealed through this command. Also, the -p option reveals the process ID (PID) of the service that opened the port. In this case, the open port belongs to ypbind (NIS), which is an RPC service handled in conjunction with the portmap service.
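The netstat and /etc/services checks above can be combined so that every listener is compared against the services list by exact port number; a plain `grep 834` also matches unrelated lines such as an entry for port 8340 or a connection from remote port 50834. This is an added example, not part of the original page: the sample netstat lines, the services excerpt and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report TCP listeners whose port has no exact entry in a
# services file. Sample data and function names are constructed.

# Constructed lines in `netstat -anp` format (not captured from a real host).
sample_netstat() {
cat <<'EOF'
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN      612/portmap
tcp        0      0 0.0.0.0:834     0.0.0.0:*       LISTEN      653/ypbind
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN      701/sshd
tcp        0      0 10.0.0.5:22     10.0.0.9:50834  ESTABLISHED 912/sshd
EOF
}

# Constructed excerpt in /etc/services format.
sample_services() {
cat <<'EOF'
ssh             22/tcp
sunrpc          111/tcp         portmapper
sunrpc          111/udp         portmapper
example-svc     8340/tcp        # constructed; "grep 834" would match this line
EOF
}

# Usage: netstat -anp | unlisted_listeners /etc/services
# Prints "port pid/program range" for each LISTEN socket without a port/tcp entry.
unlisted_listeners() {
  awk '
    FILENAME == ARGV[1] {            # first input: the services file
      sub(/#.*/, "")                 # strip trailing comments
      if ($2 ~ /^[0-9]+\/tcp$/) { split($2, s, "/"); known[s[1]] = $1 }
      next
    }
    $1 ~ /^tcp/ && $6 == "LISTEN" {  # second input: netstat lines on stdin
      n = split($4, addr, ":")       # port is the last ":" field (IPv6 too)
      port = addr[n]
      if (!(port in known))
        print port, $7, (port + 0 < 1024 ? "reserved" : "unprivileged")
    }
  ' "$1" -
}

# Demo on the constructed samples.
svc=$(mktemp)
sample_services > "$svc"
sample_netstat | unlisted_listeners "$svc"   # prints: 834 653/ypbind reserved
rm -f "$svc"
```

On a real host, pipe `netstat -anp` into the function with /etc/services as the argument, and run it as root so the PID/program column is populated for every socket.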
You can also use lsof:
lsof -i | grep 834
The following is the output of the lsof command:
You can also check if a particular port is listening, using iptables:
For example, let's check the status of port 22 on the IP address xxx.xx.xxx.xx:
iptables -nvL | grep 22