Why is port 1111 open, and is it safe to be?

I'm new to systems administration and have a server running a website with HTTP (at port 80), HTTPS (at port 443) and SSH (at port 22).

I'm running Ubuntu 11.04.

I did an Nmap port scan using my personal laptop and other than these 3 ports, port 1111 was open too. This was the output:

1111/tcp open tcpwrapped

I then did:

sudo netstat -lntp | grep -F 1111

...and got the following output:

tcp 0 0 0.0.0.0:1111 0.0.0.0:* LISTEN 21596/monit

Monit appears to be a monitoring tool in Ubuntu.

  • Should I be concerned about this?

  • How do I determine the purpose of port 1111?

  • How do I close it if I need to?

5

6 Answers

According to this reference:

Because protocol TCP port 1111 was flagged as a virus (colored red) does not mean that a virus is using port 1111, but that a Trojan or Virus has used this port in the past to communicate.

So, it could be a virus/trojan.

I would recommend you to use Net Activity Viewer to determine what process/service is keeping this port on listening state:

enter image description here

After this, Google the process name to see if there are any viruses related to this process and to this port.

Finally, if you think it is a virus, just follow the instructions guided here.

8

You can use lsof -i :1111 to find the process connected to port 1111.

IANA's (Internet Assigned Numbers Authority) port description is:

1111 tcp,udp lmsocialserver LM Social Server

But its also known to be used by

1111 tcp trojan Daodan, Ultors Trojan Trojans
1111 udp trojan Daodan Trojans
1111 tcp threat W32.Suclove Bekkoame
1111 tcp,udp threat AIMVision Bekkoame
Trojans that use this port: Backdoor.AIMvision - remote access trojan, 10.2002. Affects all current Windows versions. Backdoor.Ultor - remote access trojan, 06.2002. Affects Windows, listens on port 1111 or 1234. Backdoor.Daodan - VB6 remote access trojan, 07.2000. Affects Windows. W32.Suclove.A@mm (09.26.2005) - a mass-mailing worm with backdoor capabilities that spreads through MS Outlook and MIRC. Opens a backdoor and listens for remote commands on port 1111/tcp.

Sources:

0

Check /etc/services

Generally, you can find standard service ports listed in /etc/services. However, on my system:

fgrep 1111 /etc/services

returns no information, so it's probably not a standard service.

Check netstat

You can see what programs are using a given port with netstat.

sudo netstat -lntp | fgrep 1111

You can then use that information to determine if it's a necessary system service for your environment.

Stopping Unnecessary Processes

Stopping system processes is somewhat platform-specific, but many Linux systems support a sudo service ssh stop or similar command, or you can call the startup script directly with sudo /etc/init.d/<service> stop. If it's not a system service, you can just call sudo kill <pid> to send SIGTERM to the process.

Note that stopping a service doesn't prevent it from running again, so you may also need to adjust your runlevel startup scripts in whatever way is appropriate for your specific platform.

3

This speedguide.net page indicates that TCP port 1111 is used by an app called LikeMinds Socialserver, but it also says it's known to be used by several malware apps. Perhaps a full malware scan of your disk is in order.

0

From aptitude show monit:

Description: utility for monitoring and managing daemons or similar programs
monit is a utility for monitoring and managing daemons or similar programs running on a
Unix system. It will start specified
programs if they are not running and restart programs not responding.

If you don't plan to use it you should uninstall it or at least stop it and prevent automatic start with

/etc/init.d/monit stop
update-rc.d -f monit remove

Or you can learn to use it and configure it to your needs.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like