From: Carl Johnson
To: freebsd-questions@freebsd.org
Subject: Re: extra open ports in rkhunter
Date: Sat, 18 Sep 2010 21:37:54 -0700
Message-ID: <87hbhmqrfh.fsf@oak.localnet>
In-Reply-To: <86tylmzb3j.fsf@gmail.com> (Anonymous's message of "Sun, 19 Sep 2010 07:05:52 +0400")
References: <87pqwar5sc.fsf@oak.localnet> <86tylmzb3j.fsf@gmail.com>

Anonymous writes:

> Chuck Swiger writes:
>
>> Hi--
>>
>> On Sep 18, 2010, at 4:27 PM, Carl Johnson wrote:
>>> The following are the ports if anybody has any ideas, but I would also like to know how to trace them down myself:
>>>
>>> tcp4 0 0 *.876 *.* LISTEN
>>> tcp6 0 0 *.921 *.* LISTEN
>>> udp4 0 0 *.608 *.*
>>> udp6 0 0 *.952 *.*
>>> udp6 0 0 *.804 *.*
>
> Do you have some networking FS enabled (NFS, AFS, Coda, etc)? Perhaps,
> one of them listens for connections from kernel and is not associated
> with userland process. But it's just a guess.

I have NFS enabled, but its processes are accounted for by both sockstat and netstat.

> Speaking of processes, procstat(1) can show them, too.

Procstat seems to show the same ports as sockstat and doesn't show any of the extra ports that netstat does.

Thanks for the reply.
-- 
Carl Johnson carlj@peak.org
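
The comparison this message describes (sockets that netstat lists but sockstat and procstat cannot tie to a process), as an added example that is not part of the original post. It assumes the FreeBSD column layouts of `netstat -an` and `sockstat -l`; the sample output is constructed apart from the five sockets quoted in the thread, and the function names are this example's own.

```python
# Added example: list sockets that `netstat -an` reports but `sockstat -l`
# cannot attribute to a process. Column layouts are assumed to match FreeBSD.

# Constructed sample; only the five unexplained sockets come from the thread.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.876                  *.*                    LISTEN
tcp6       0      0 *.921                  *.*                    LISTEN
tcp4       0      0 192.168.1.5.22         192.168.1.9.51514      ESTABLISHED
udp4       0      0 *.111                  *.*
udp4       0      0 *.608                  *.*
udp6       0      0 *.952                  *.*
udp6       0      0 *.804                  *.*
"""
# Constructed sample of `sockstat -l` output.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1021  4  tcp4   *:22                  *:*
root     rpcbind    844   9  udp4   *:111                 *:*
"""

def netstat_listeners(text):
    """Return {(proto, port)} for netstat rows with a wildcard peer."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        # A "*.*" foreign address means listening (TCP) or unconnected (UDP).
        if len(f) >= 5 and f[0].startswith(("tcp", "udp")) and f[4] == "*.*":
            port = f[3].rpartition(".")[2]
            if port.isdigit():
                found.add((f[0], int(port)))
    return found

def sockstat_listeners(text):
    """Return {(proto, port): (command, pid)} for rows with a numeric PID."""
    owned = {}
    for line in text.splitlines():
        f = line.split()
        # Rows without a numeric PID have no owner and are left out on purpose.
        if len(f) >= 7 and f[4].startswith(("tcp", "udp")) and f[2].isdigit():
            port = f[5].rpartition(":")[2]
            if port.isdigit():
                owned[(f[4], int(port))] = (f[1], int(f[2]))
    return owned

def unowned(netstat_text, sockstat_text):
    """Sockets netstat sees that no userland process accounts for."""
    owned = set(sockstat_listeners(sockstat_text))
    return sorted(netstat_listeners(netstat_text) - owned)

if __name__ == "__main__":
    for proto, port in unowned(NETSTAT_SAMPLE, SOCKSTAT_SAMPLE):
        print(f"{proto} port {port}: no owning process")
```

On a live host, pass the captured text of the two commands to `unowned()` in place of the samples.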