You should know about every process that is listening on a port
on your machine --- what it's called and why it's listening.
netstat can be used on the machine itself (e.g., netstat -a | grep LIST), but this assumes that the host has not been compromised (any decent intruder will trojan netstat in order to hide their presence).
A better approach is to scan for open ports from a second machine. This second machine must be able to "see through" any firewall --- alternatively, simply turn any such firewall off temporarily. nmap is ideal for this. For example, to scan privileged ports on dog.sub.domain from cat.sub.domain:

    cat> nmap -vv -sT -p 1-1023 dog.sub.domain

    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host dog.sub.domain (130.88.???.???) appears to be up ... good.
    Initiating Connect() Scan against dog.sub.domain (130.88.???.???)
    Adding open port 25/tcp
    Adding open port 787/tcp
    Adding open port 111/tcp
    Adding open port 587/tcp
    Adding open port 22/tcp
    Bumping up senddelay by 10000 (to 10000), due to excessive drops
    The Connect() Scan took 30 seconds to scan 1023 ports.
    Interesting ports on eric.umist.ac.uk (130.88.99.9):
    (The 1018 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    111/tcp    open        sunrpc
    587/tcp    open        submission
    787/tcp    open        unknown

    Nmap run completed -- 1 IP address (1 host up) scanned in 30 seconds

Commonly-used nmap options:

    -v, -vv, -vvv    verbose, very verbose...
    -sT, -sU         TCP scan, UDP scan
    -p m-n           range to scan (to scan all ports, omit this)

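The comparison described above, as an added example that is not part of the original page: it parses the nmap port table obtained from the second machine and the listener list reported by the host itself, and flags ports that answer on the network but that the host does not admit to. The sample data is constructed, and the Linux "netstat -an" column layout and the function names are assumptions.

```python
import re

# Constructed sample: port table from an nmap connect() scan run on the second machine.
NMAP_SAMPLE = """\
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
587/tcp    open        submission
787/tcp    open        unknown
"""

# Constructed sample: `netstat -an | grep LIST` on the scanned host (Linux layout assumed).
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22        0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:25        0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:111       0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:587       0.0.0.0:*      LISTEN
tcp        0      0 127.0.0.1:631     0.0.0.0:*      LISTEN
tcp6       0      0 :::22             :::*           LISTEN
"""

def nmap_open_ports(text):
    """TCP ports in state 'open'; verbose 'Adding open port' lines and 'open|filtered' are skipped."""
    return {int(p) for p in re.findall(r"^(\d+)/tcp\s+open\s", text, re.M)}

def netstat_listeners(text):
    """Map each listening TCP port to the set of local addresses it is bound to."""
    ports = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, _, port = f[3].rpartition(":")  # also splits IPv6 forms such as ":::22"
            if port.isdigit():
                ports.setdefault(int(port), set()).add(addr)
    return ports

def compare(nmap_text, netstat_text, lo=1, hi=1023):
    """Compare the outside view with the host's own view for ports lo..hi."""
    seen = {p for p in nmap_open_ports(nmap_text) if lo <= p <= hi}
    local = {p: a for p, a in netstat_listeners(netstat_text).items() if lo <= p <= hi}
    loopback = {p for p, a in local.items() if all(x.startswith("127.") or x == "::1" for x in a)}
    return {
        "unexplained": sorted(seen - set(local)),               # open from outside, not reported by host
        "not_reachable": sorted(set(local) - seen - loopback),  # reported by host, filtered or missed
        "loopback_only": sorted(loopback),                      # never visible to the second machine
    }

if __name__ == "__main__":
    print(compare(NMAP_SAMPLE, NETSTAT_SAMPLE))
```

A non-empty "unexplained" list is the case the scan from a second machine exists to catch: something answers on the network that the host's own tools do not report.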
Armed with information such as that above, you should identify the daemon
responsible for each open port (e.g., by using lsof --- see