Thread: Network Security - Open TCP Port 53213 Question

  1. #1
    Junior Member
    Join Date
    Sep 2017
    Posts
    3

    Network Security - Open TCP Port 53213 Question

    Hello,

    When I used the Port Scanner in Network Utility, I noticed there were 3 open TCP ports: Port 1110, which had nfs-status as its usage, Port 1538, which linked to 3ds-lm, and Port 53213 which didn't have any identified usage listed, which I found to be suspicious.

    When I used the netstat -a command in terminal, I saw the following as it related to Port 53213:

    Proto Recv-Q Send-Q Local Address Foreign Address (state)

    tcp4 0 0 localhost.53213 localhost.57089 CLOSE_WAIT
    tcp4 0 0 localhost.57089 localhost.53213 FIN_WAIT_2

    and:

    tcp4 0 0 localhost.53213 localhost.49875 ESTABLISHED
    tcp4 0 0 localhost.49875 localhost.53213 ESTABLISHED
    tcp4 0 0 localhost.53213 *.* LISTEN

    When I googled Port 53213, I noticed it was associated with something called Xsan Filesystem Access. I read Xsan may be associated with vulnerabilities. Specifically, I read:

    The Problem
    There is a buffer overflow vulnerability in the Xsan filesystem driver that may affect systems directly attached to Xsan. An authenticated user with write access to the filesystem may exploit this vulnerability by creating a file with a specially crafted path name.
    Impact
    A local, authenticated attacker may be able to execute arbitrary code with system privileges, or create a denial-of-service condition.

    Does anyone know what these ports are generally associated with? Does anything seem suspicious? What does the foreign address *-* that the open Port 53213 is communicating with mean?

    Thank you for your help

  2. #2
    Administrator Philip
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    9,617
    Blog Entries
    6
    Hello,

    There are a number of apps that just use random ports in the "dynamic" range of ports 49152-65535.

    So, you have some app listening to port 53213. Yes, if you are on Apple this could be Xsan, but it could be a number of other things as well. Check port 49152 for possibilities for the dynamic range of ports: https://www.speedguide.net/port.php?port=49152

    Also, look at this FAQ:
    https://www.speedguide.net/faq/how-c...y-computer-115

    You'd want to use the netstat command with the "-o" switch to find out the owning processes of these listening ports, then use task manager (or the equivalent in your OS) to find out exactly which process is using these ports. Once you establish which process uses them, you can look up possible vulnerabilities, updates, and decide whether you want it listening open to the world or behind a firewall.

    I hope this helps

  3. #3
    Junior Member
    Join Date
    Sep 2017
    Posts
    3
    First off, thank you for your reply

    "So, you have some app listening to port 53213. Yes, if you are on Apple this could be Xsan"

    Yes, I'm using a Mac. What exactly is Xsan? I read that it's been associated with vulnerabilities related to viruses and remote access trojans. Also, why does the Network Utility show a blank process next to port 53213 when the other open ports do show a process:

    Port Scanning host: 127.0.0.1

    Open TCP Port: 1110 nfsd-status
    Open TCP Port: 1538 3ds-lm
    Open TCP Port: 53213


    "You'd want to use the netstat command with the "-o" switch to find out the owning processes of these listening ports"

    When I typed the netstat -o command (the exact same way I did when I typed netstat -a, except for the change of letters of course), it returned: netstat: "illegal option -- o"

    Is there something I'm doing wrong?

    Lastly, when I ran the netstat -a command just now, I got the following:

    tcp4 0 0 localhost.53213 localhost.55851 ESTABLISHED
    tcp4 0 0 localhost.55851 localhost.53213 ESTABLISHED
    tcp4 0 0 localhost.53213 *.* LISTEN

    In this case, localhost.49875 has been changed to localhost.55851 since the first time I ran the netstat -a command. Does this indicate anything suspicious? Thank you again for your help

  4. #4
    Administrator Philip
    Join Date
    May 1999
    Location
    Jacksonville, Florida, United States
    Posts
    9,617
    Blog Entries
    6
    I believe OSX uses the BSD version of netstat, which does not show process IDs. It might if you use the -v switch to increase verbosity level?

    I'd try the following to see the process id if netstat doesn't work:

    lsof -i :53213


    Not sure about Xsan vulnerabilities, you may want to research it further, but keeping your OS up to date should most likely take care of the more glaring issues.
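
Added example, not part of any post in the thread: a shell function that reads BSD-style netstat output like the lines quoted above and reports whether a port's listener is bound to loopback only or to all interfaces, and which peers are connected to it. The function names and the port 8080 sample line are constructed for illustration; the lsof flags in the comment are the numeric, listener-only form of the lsof command suggested in post #4.

```shell
#!/bin/sh
# Added example. Live use on a Mac:  netstat -an -p tcp | classify_port 53213
# The owning process comes from:     sudo lsof -nP -iTCP:53213 -sTCP:LISTEN

# Constructed sample: the three lines quoted in the thread plus one
# constructed wildcard listener (port 8080) for contrast.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  localhost.53213        localhost.55851        ESTABLISHED
tcp4       0      0  localhost.55851        localhost.53213        ESTABLISHED
tcp4       0      0  localhost.53213        *.*                    LISTEN
tcp4       0      0  *.8080                 *.*                    LISTEN
EOF
}

# classify_port PORT: read BSD-style netstat text on stdin and report how
# PORT is bound and which peers are connected to it.
classify_port() {
    awk -v port="$1" '
    # BSD netstat prints host.port, so split on the last dot.
    function host(a) { sub(/\.[^.]*$/, "", a); return a }
    function pnum(a) { sub(/^.*\./, "", a); return a }
    $1 ~ /^tcp/ && NF >= 6 && pnum($4) == port {
        lh = host($4)
        if ($6 == "LISTEN") {
            # Foreign address *.* only means "no peer yet" on a listener.
            if (lh == "localhost" || lh == "127.0.0.1" || lh == "::1")
                print "listener loopback-only"
            else if (lh == "*")
                print "listener all-interfaces"
            else
                print "listener bound-to " lh
        } else {
            # Accepted connection: the client side uses an ephemeral port
            # that differs for every new connection.
            print "server-side peer=" host($5) " client_port=" pnum($5) " state=" $6
        }
    }'
}

sample_netstat | classify_port 53213
```

A loopback-only listener accepts connections only from the same machine, so the next step is identifying the owning process with lsof rather than firewalling the port.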
