From: Greg Veldman
To: BBlister
Cc: freebsd-questions@freebsd.org
Date: Tue, 19 Feb 2019 21:53:50 -0500
Subject: Re: Cannot identify process of listening port 600/tcp6
Message-ID: <20190220025350.GE98237@aurora.gregv.net>

On Tue, Feb 19, 2019 at 11:53:24AM -0700, BBlister wrote:
> Yes you are right. If I kill rpc.lockd the two listening ports disappear. If
> I re-execute, then I can see two new unknown listening ports on other
> locations. For example, now I have 815/tcp4 and 874/tcp6.
>
> So I believe I should ask the freebsd-hackers which rpc.lockd cannot be
> listed on the sockstat or lsof (which means that this could be a way for a
> malicious process to do exactly what lockd does and open ports without being
> identified).

rpcinfo -p on the host should show you all running RPC services
and the port they're listening on. It's another good thing to
check besides lsof/sockstat when looking for open ports.

-- 
Greg Veldman
freebsd@gregv.net
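
The cross-check suggested in the reply, written out as an added example (it is not part of the original message): it reads saved `rpcinfo -p` and `sockstat -l` output and labels every listening socket that has no owning process with the RPC service registered on that port, or flags it as unregistered. The sample data is constructed, and the "?" columns used for ownerless sockets and the folding of tcp4/tcp6 into the single "tcp" label of `rpcinfo -p` are assumptions.

```shell
#!/bin/sh
# Added example: label listening sockets that have no owning process with
# the RPC service registered on that port, using saved `rpcinfo -p` output.
# usage: classify_listeners RPCINFO_FILE SOCKSTAT_FILE
classify_listeners() {
    awk '
        # rpcinfo -p rows: program vers proto port service
        FILENAME == ARGV[1] {
            if ($1 ~ /^[0-9]+$/) rpc[$3 "/" $4] = ($5 == "" ? "prog-" $1 : $5)
            next
        }
        # sockstat -l rows whose PID column is "?" (assumed ownerless marker)
        $3 == "?" && $5 ~ /^(tcp|udp)/ {
            proto = substr($5, 1, 3)         # tcp4/tcp6 -> tcp (simplification)
            port = $6; sub(/.*:/, "", port)  # "*:815" -> "815"
            key = proto "/" port
            print port "/" $5, (key in rpc ? rpc[key] : "UNREGISTERED")
        }
    ' "$1" "$2"
}

# Constructed sample data (not from the thread). Ports 815 and 874 are the
# ones quoted in the message; 4444 is invented to show the unregistered case.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100021    4   tcp    815  nlockmgr
    100021    4   tcp    874  nlockmgr
EOF
}
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   3  tcp4   *:22                  *:*
root     rpcbind    640   11 tcp4   *:111                 *:*
?        ?          ?     ?  tcp4   *:815                 *:*
?        ?          ?     ?  tcp6   *:874                 *:*
?        ?          ?     ?  tcp4   *:4444                *:*
EOF
}

run_sample() {
    tmp=$(mktemp -d) || return 1
    sample_rpcinfo > "$tmp/rpc"; sample_sockstat > "$tmp/sock"
    classify_listeners "$tmp/rpc" "$tmp/sock"
    rm -rf "$tmp"
}
run_sample
```

On a live host, save the two commands' output to files and pass them to `classify_listeners`; any line marked UNREGISTERED is an ownerless listener that the RPC table does not explain and needs a closer look.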