9

I'm new to systems administration and have a server running a website with HTTP (at port 80), HTTPS (at port 443) and SSH (at port 22).

I'm running Ubuntu 11.04.

I did an Nmap port scan using my personal laptop and other than these 3 ports, port 1111 was open too. This was the output:

1111/tcp open tcpwrapped

I then did:

sudo netstat -lntp | grep -F 1111

...and got the following output:

tcp 0 0 0.0.0.0:1111 0.0.0.0:* LISTEN 21596/monit

Monit appears to be a monitoring tool in Ubuntu.

  • Should I be concerned about this?

  • How do I determine the purpose of port 1111?

  • How do I close it if I need to?

fixer1234
nknj

6 Answers

5

According to this reference:

Because protocol TCP port 1111 was flagged as a virus (colored red) does not mean that a virus is using port 1111, but that a Trojan or Virus has used this port in the past to communicate.

So, it could be a virus/trojan.

I would recommend you to use Net Activity Viewer to determine what process/service is keeping this port on listening state:


After this, Google the process name to see if there are any viruses related to this process and to this port.

Finally, if you think it is a virus, just follow the instructions guided here.

Hashim Aziz
Diogo
  • I am on a linux machine. Is a `sudo netstat -lntp | fgrep 1111` equivalent of this? – nknj Jul 19 '12 at 14:52
  • @Nikunj Edited to Linux TCP View program. Probably netstat can't list ports related to processes. – Diogo Jul 19 '12 at 15:00
  • Thanks a lot @Diogo. Is there a CLI thing that helps me do this? I do not have an Ubuntu GUI install on my server – nknj Jul 19 '12 at 15:03
  • looks like iftop and iptraf are alternatives on the cmd line. – nknj Jul 19 '12 at 15:09
  • 1
    Try this guide: http://www.cyberciti.biz/faq/what-process-has-open-linux-port/ – Diogo Jul 19 '12 at 15:13
  • That guide is amazing. Will keep updating with findings. I am also contacting the hosting service to see if they are using it for anything. – nknj Jul 19 '12 at 15:19
  • I think the information quoted from the first reference is meaningless. With only 64k ports available total, I suspect that most if not all ports have been used by at least one virus regardless of if whoever is maintaining that list has seen one that does it. – Dan Is Fiddling By Firelight Jul 19 '12 at 18:16
  • Moved to comment from the OP, nknj: I finally ended up contacting my hosting service provider, Rackspace, and they were using this service to monitor the system's health using a tool called monit. – fixer1234 Mar 21 '17 at 03:15
3

You can use lsof -i :1111 to find the process connected to port 1111.

dadinck
2

IANA's (Internet Assigned Numbers Authority) port description is:

1111 tcp,udp lmsocialserver LM Social Server

But it's also known to be used by:

1111    tcp trojan  Daodan, Ultors Trojan   Trojans
1111    udp trojan  Daodan  Trojans
1111    tcp threat  W32.Suclove Bekkoame
1111    tcp,udp threat  AIMVision   Bekkoame

Trojans that use this port:
    Backdoor.AIMvision - remote access trojan, 10.2002. Affects all current Windows versions.
    Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234.
    Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows.
    W32.Suclove.A@mm (09.26.2005) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.

Sources:

http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

http://www.speedguide.net/port.php?port=1111

Rhyuk
2

Check /etc/services

Generally, you can find standard service ports listed in /etc/services. However, on my system:

fgrep 1111 /etc/services

returns no information, so it's probably not a standard service.

Check netstat

You can see what programs are using a given port with netstat.

sudo netstat -lntp | fgrep 1111

You can then use that information to determine if it's a necessary system service for your environment.

Stopping Unnecessary Processes

Stopping system processes is somewhat platform-specific, but many Linux systems support a sudo service ssh stop or similar command, or you can call the startup script directly with sudo /etc/init.d/<service> stop. If it's not a system service, you can just call sudo kill <pid> to send SIGTERM to the process.

Note that stopping a service doesn't prevent it from running again, so you may also need to adjust your runlevel startup scripts in whatever way is appropriate for your specific platform.

CodeGnome
  • Thanks for this. `fgrep 1111 /etc/service` gave no info. `sudo netstat -lntp | fgrep 1111` however gave this output: `tcp 0 0 0.0.0.0:1111 0.0.0.0:* LISTEN 21596/monit` – nknj Jul 19 '12 at 14:47
  • Use `grep -F` instead of `fgrep`. Quote from `man grep`: *Direct invocation […] is deprecated, but is provided to allow historical applications that rely on them to run unmodified.* – Marco Jul 19 '12 at 15:01
  • Thanks @Marco. This still gives the same output. Any idea what's going on? Is this a virus? – nknj Jul 19 '12 at 15:05
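An added example, not part of the original answers: a shell function that reads `netstat -lntp` output like the line quoted in the question and reports listeners that are reachable beyond loopback but are not on the list of ports the admin means to expose. The function names, the allowlist `22 80 443`, and every sample line except the 1111/monit one are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify TCP listeners from `netstat -lntp` output.
# Reads netstat text on stdin; prints "port scope pid program" per listener.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        local_addr = $4
        # Port is everything after the last colon (works for IPv4 and IPv6).
        port = local_addr; sub(/^.*:/, "", port)
        host = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::")      scope = "all-interfaces"
        else if (host ~ /^127\./ || host == "::1")  scope = "loopback-only"
        else                                        scope = "single-address"
        # Column 7 is PID/Program; it is "-" when netstat ran without root.
        pid = "-"; prog = "unknown"
        if ($7 ~ /\//) { split($7, pp, "/"); pid = pp[1]; prog = pp[2] }
        print port, scope, pid, prog
    }'
}

# Print listeners reachable beyond loopback whose port is not expected.
# $1: space-separated list of ports the admin intends to expose.
unexpected_listeners() {
    classify_listeners | awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $2 != "loopback-only" && !($1 in ok) { print $1 "/tcp", $4, "pid=" $3 }'
}

# Constructed sample listing; only the 1111/monit line comes from the question.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1040/apache2
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1040/apache2
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 950/mysqld
tcp 0 0 0.0.0.0:1111 0.0.0.0:* LISTEN 21596/monit
tcp6 0 0 :::22 :::* LISTEN 812/sshd'

# On a live host: sudo netstat -lntp | unexpected_listeners "22 80 443"
printf '%s\n' "$SAMPLE" | unexpected_listeners "22 80 443"
```

A listener bound to `0.0.0.0` or `::` is what an external Nmap scan can see; one bound to `127.0.0.1` is not, which is why the constructed mysqld line is not reported.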
1

This speedguide.net page indicates that TCP port 1111 is used by an app called LikeMinds Socialserver, but it also says it's known to be used by several malware apps. Perhaps a full malware scan of your disk is in order.

Fran
1

From aptitude show monit:

Description: utility for monitoring and managing daemons or similar programs
monit is a utility for monitoring and managing daemons or similar programs running on a Unix system. It will start specified programs if they are not running and restart programs not responding.

If you don't plan to use it you should uninstall it or at least stop it and prevent automatic start with

/etc/init.d/monit stop
update-rc.d -f monit remove

Or you can learn to use it and configure it to your needs.

Daniele Santi