Undocumented service blackice-icecap running on 8081/tcp

[dragonfruit]

I just ran nmap on an up-to-date installation and found **blackice-icecap** which I've never heard of.

Code: Select all

Starting Nmap 6.40 ( http://nmap.org ) at 2015-07-18 11:41 BST
    Nmap scan report for 192.168.0.15
    Host is up (0.014s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    8081/tcp open  blackice-icecap <--------- ???

Search with Google came out empty except for some references back to 2007 where IBM declared the "personal antivirus" program named BlackIce for end-of-lifecycle.

Question: So now I'm wondering what it does and whether I should worry?

Code: Select all

me@raspberrypi ~ $ ps aux | grep blackice
    me    16207  0.0  0.4   3548  1840 pts/1    S+   11:13   0:00 grep --color=auto blackice

Code: Select all

dpkg --get-selections > list.txt

gives me a long list, but blackice doesn't come up (see below):

@moderators: Feel free to cut the list short.

acl install
adduser install
alsa-base install
alsa-utils install
apt install
...[cut for brevity]...
avahi-daemon install
base-files install
base-passwd install
bash install
bash-completion install
bc install
bind9-host install
binutils install
blt deinstall
bsdmainutils install
bsdutils install
build-essential install
bzip2 install
ca-certificates install
cgroup-bin install
cifs-utils install
colord install
console-setup install
console-setup-linux install
consolekit install
...[cut for brevity]...
zenity install
zenity-common install
zlib1g:armhf install
zlib1g-dev:armhf install

[Paul Webster]

It has made a guess based only on the port number.

Try a netstat - possibly
sudo netstat -tulpn
to see which processes are really using which ports.

[DougieLawson]

It has made a guess based only on the port number.

Try a netstat - possibly
sudo netstat -tulpn
to see which processes are really using which ports.

I normally use lsof for that
sudo apt-get install lsof
sudo lsof -i TCP:8081

8081 is going to be something like a proxy or a streaming service. Clearly nmap needs an update since blackice is dead and buried.

[dragonfruit]

Yes... there is no sign of blackice with netstat

Code: Select all

me@raspberrypi ~ $ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2114/nginx      
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      2204/fossil     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      11166/sshd      
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      20809/cupsd     
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           20538/avahi-daemon:
udp        0      0 0.0.0.0:59387           0.0.0.0:*                           11121/dhclient  
udp        0      0 0.0.0.0:53050           0.0.0.0:*                           20538/avahi-daemon:
udp        0      0 0.0.0.0:68              0.0.0.0:*                           11121/dhclient  
udp        0      0 0.0.0.0:631             0.0.0.0:*                           20809/cupsd     
udp        0      0 192.168.0.15:123        0.0.0.0:*                           20616/ntpd      
udp        0      0 127.0.0.1:123           0.0.0.0:*                           20616/ntpd      
udp        0      0 0.0.0.0:123             0.0.0.0:*                           20616/ntpd      

And lsof also comes out blank from "blackice". However fossil-scm seems to hold its place..

Code: Select all

me@raspberrypi ~ $ sudo lsof -i TCP:8081
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
fossil  2204 bjorn    3u  IPv4   6250      0t0  TCP *:tproxy (LISTEN)

Is that the correct interpretation?

[DougieLawson]

What's fossil and why is it running?
What happens if you telnet to port 8081?

Port 8081 is one of the standard ports for things that provide additional services to a web server or stream cameras or stuff like that.

[B.Goode]

Code: Select all

pi@RPi2B ~ $ apt-cache search fossil
fossil - DSCM with built-in wiki, http interface and server, tickets database

It doesn't seem that unlikely that it would be running a network listener to provide that "built-in wiki, http interface and server"

[Paul Webster]

This is fossil
http://fossil-scm.org/index.html/doc/tr ... index.wiki
Implies that you have added something to base Raspbian.

[B.Goode]

Fossil was previously in the list of packages shown by dpkg, before that list was redacted. I too would assume that @dragonfruit installed it.

[dragonfruit]

Solved. It was nmap that incorrectly interpreted fossil based on port setting.