
Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 11:34 am
by dragonfruit
I just ran nmap on an up-to-date installation and found **blackice-icecap** which I've never heard of.

```
Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-18 11:41 BST
Nmap scan report for 192.168.0.15
Host is up (0.014s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8081/tcp open  blackice-icecap <--------- ???
```

A Google search came up empty except for some references back to 2007, where IBM declared the "personal antivirus" program named BlackIce end-of-life.

Question: So now I'm wondering what it does and whether I should worry?

```
me@raspberrypi ~ $ ps aux | grep blackice
me    16207  0.0  0.4   3548  1840 pts/1    S+   11:13   0:00 grep --color=auto blackice
```

```
dpkg --get-selections > list.txt
```

gives me a long list, but blackice doesn't come up (see below):

@moderators: Feel free to cut the list short.

acl install
adduser install
alsa-base install
alsa-utils install
apt install
...[cut for brevity]...
avahi-daemon install
base-files install
base-passwd install
bash install
bash-completion install
bc install
bind9-host install
binutils install
blt deinstall
bsdmainutils install
bsdutils install
build-essential install
bzip2 install
ca-certificates install
cgroup-bin install
cifs-utils install
colord install
console-setup install
console-setup-linux install
consolekit install
...[cut for brevity]...
zenity install
zenity-common install
zlib1g:armhf install
zlib1g-dev:armhf install

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 1:22 pm
by Paul Webster
It has made a guess based only on the port number.

Try a netstat - possibly `sudo netstat -tulpn` to see which processes are really using which ports.

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 1:58 pm
by DougieLawson
Paul Webster wrote:
> It has made a guess based only on the port number.
>
> Try a netstat - possibly `sudo netstat -tulpn` to see which processes are really using which ports.

I normally use lsof for that

```
sudo apt-get install lsof
sudo lsof -i TCP:8081
```

8081 is going to be something like a proxy or a streaming service. Clearly nmap needs an update since blackice is dead and buried.

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 2:08 pm
by dragonfruit
Yes... there is no sign of blackice with netstat

```
me@raspberrypi ~ $ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2114/nginx
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      2204/fossil
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      11166/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      20809/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           20538/avahi-daemon:
udp        0      0 0.0.0.0:59387           0.0.0.0:*                           11121/dhclient
udp        0      0 0.0.0.0:53050           0.0.0.0:*                           20538/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           11121/dhclient
udp        0      0 0.0.0.0:631             0.0.0.0:*                           20809/cupsd
udp        0      0 192.168.0.15:123        0.0.0.0:*                           20616/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           20616/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           20616/ntpd
```

And lsof also comes out blank from "blackice". However fossil-scm seems to hold its place..

```
me@raspberrypi ~ $ sudo lsof -i TCP:8081
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
fossil  2204 bjorn    3u  IPv4   6250      0t0  TCP *:tproxy (LISTEN)
```

Is that the correct interpretation?
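
The check this thread converges on, as an added example that is not part of any poster's message: without version detection, nmap's SERVICE column is a lookup on the port number, so the script joins it against `netstat -tulpn` output to show which process really owns each port. The helper name `label_vs_owner` and the embedded samples (constructed from the outputs posted above) are assumptions.

```shell
#!/bin/sh
# Added example. Sample inputs are constructed from the outputs posted in this thread.
NMAP_OUT='PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8081/tcp open  blackice-icecap'

NETSTAT_OUT='Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp   0  0  0.0.0.0:80     0.0.0.0:*  LISTEN  2114/nginx
tcp   0  0  0.0.0.0:8081   0.0.0.0:*  LISTEN  2204/fossil
tcp   0  0  0.0.0.0:22     0.0.0.0:*  LISTEN  11166/sshd
tcp   0  0  127.0.0.1:631  0.0.0.0:*  LISTEN  20809/cupsd
udp   0  0  0.0.0.0:5353   0.0.0.0:*          20538/avahi-daemon:'

# label_vs_owner NMAP_TEXT NETSTAT_TEXT  (hypothetical helper name)
# For every open TCP port nmap reported, print the label nmap chose next to
# the process that netstat says is really listening there.
label_vs_owner() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } | awk '
    $0 == "---" { in_nmap = 1; next }
    # netstat part: remember pid, program and bind address per listening port
    !in_nmap && $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        bind[port] = substr($4, 1, length($4) - length(port) - 1)
        split($7, p, "/")            # "-" here means netstat ran without root
        pid[port] = p[1]; prog[port] = (p[2] == "" ? "unknown" : p[2])
        next
    }
    # nmap part: lines such as "8081/tcp open  blackice-icecap"
    in_nmap && $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, q, "/"); port = q[1]
        if (port in prog)
            printf "%s/tcp nmap=%s actual=%s pid=%s bind=%s\n",
                   port, $3, prog[port], pid[port], bind[port]
        else
            printf "%s/tcp nmap=%s actual=no-local-listener\n", port, $3
    }'
}

label_vs_owner "$NMAP_OUT" "$NETSTAT_OUT"
```

On a live host, pass the saved scan text and the output of `sudo netstat -tulpn` instead of the samples. Running `nmap -sV -p 8081` against the host makes nmap probe the service rather than rely on the port number.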

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 3:10 pm
by DougieLawson
What's fossil and why is it running?
What happens if you telnet to port 8081?

Port 8081 is one of the standard ports for things that provide additional services to a web server or stream cameras or stuff like that.

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 3:20 pm
by B.Goode

```
pi@RPi2B ~ $ apt-cache search fossil
fossil - DSCM with built-in wiki, http interface and server, tickets database
```

It doesn't seem that unlikely that it would be running a network listener to provide that "built-in wiki, http interface and server"

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 3:30 pm
by Paul Webster
This is fossil
http://fossil-scm.org/index.html/doc/tr ... index.wiki
Implies that you have added something to base Raspbian.

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Sat Jul 18, 2015 3:41 pm
by B.Goode
Fossil was previously in the list of packages shown by dpkg, before that list was redacted. I too would assume that @dragonfruit installed it.

Re: Undocumented service blackice-icecap running on 8081/tcp

Posted: Wed Jul 22, 2015 8:01 pm
by dragonfruit
Solved. It was nmap that incorrectly interpreted fossil based on port setting.