From owner-freebsd-security Sat Sep 4 8:19:31 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sonet.crimea.ua (OTC-sl3-FLY.CRIS.NET [212.110.136.71]) by hub.freebsd.org (Postfix) with ESMTP id 483AC14EF1 for ; Sat, 4 Sep 1999 08:19:01 -0700 (PDT) (envelope-from phantom@scorpion.crimea.ua)
Received: (from uucp@localhost) by sonet.crimea.ua (8.8.8/8.8.8) with UUCP id QAA20796; Sat, 4 Sep 1999 16:56:03 +0400 (MSD) (envelope-from phantom@scorpion.crimea.ua)
Received: (from phantom@localhost) by scorpion.crimea.ua (8.8.8/8.8.5+ssl+keepalive) id PAA02815; Sat, 4 Sep 1999 15:00:06 +0400 (MSD)
Date: Sat, 4 Sep 1999 15:00:06 +0400
From: Alexey Zelkin
To: "N. N.M"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD
Message-ID: <19990904150006.A2526@scorpion.crimea.ua>
References: <19990904112855.43007.qmail@hotmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.7i
In-Reply-To: <19990904112855.43007.qmail@hotmail.com>
X-Operating-System: FreeBSD 2.2.7-RELEASE i386
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hi,

On Sat, Sep 04, 1999 at 04:28:53AM -0700, N. N.M wrote:
> 1) I realized that the TCP ports of 6010,6011,6012 and 6013 are openly
> listening on my FreeBSD box. I don't know how this has happened, as they
> were not open before. They are related to X11 as far as I know. But I had
> already disabled XDM in /etc/ttys file. Could anybody tell me how I can
> disable this stuff? Or how they could get opened and listening?
>
> 2) This is some time that two UDP ports have got opened as well. Again, I
> don't have any idea on how they have got enabled. The ports are 1352 and
> 2699. Generally, how I can trace when a port gets suddenly enabled?

I can propose an idea for how to understand which process used this port.
For example -- how to find the process which opened port 80 (aka http):

$ netstat -Ana | grep \*\.80
f0625d00 tcp 0 0 *.80 *.* LISTEN
$ fstat | grep f00625d00
nobody httpd 200 15* internet stream tcp f00625d00

The first field is the process owner,
the second - the name of the process,
the third - the pid.

-- 
/* Alexey Zelkin && phantom@cris.net */
/* Tavrical National University && phantom@crimea.edu */
/* http://www.ccssu.crimea.ua/~phantom && phantom@FreeBSD.org */
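
The lookup described in the message above, as an added example that is not part of the original post: an sh function that joins netstat -Ana and fstat output on the socket address and matches the port number exactly, so port 80 does not also pick up *.8080. The function name port_owners, the sample data and the process names proxyd and exampled are constructed, and it assumes both tools print the same address in the column layout shown in the message.

```sh
#!/bin/sh
# Added example (not from the original post): join `netstat -Ana` and `fstat`
# output on the socket address to name the process bound to a port.

# Constructed sample data in the column layout shown in the message.
SAMPLE_NETSTAT='Active Internet connections (including servers)
PCB      Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
f0625d00 tcp        0      0  *.80               *.*                LISTEN
f0625e00 tcp        0      0  *.8080             *.*                LISTEN
f0625f00 tcp        0      0  10.0.0.5.80        10.0.0.9.1042      ESTABLISHED
f05f3c00 udp        0      0  *.1352             *.*'

SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
nobody   httpd        200   15* internet stream tcp f0625d00
nobody   httpd        200   16* internet stream tcp f0625f00
www      proxyd       311    4* internet stream tcp f0625e00
root     exampled     150    6* internet dgram udp f05f3c00'

# port_owners PORT NETSTAT_TEXT FSTAT_TEXT
# Prints "proto port user command pid" for each listening TCP socket or
# bound UDP socket on PORT.
port_owners() {
    printf '%s\n---\n%s\n' "$2" "$3" | awk -v port="$1" '
        $0 == "---" { in_fstat = 1; next }
        # netstat part: field 1 is the socket address, field 5 the local address.
        !in_fstat {
            n = split($5, part, ".")
            # Compare the last dot-separated component exactly; a loose
            # grep for the port number would also hit longer port numbers.
            if (NF >= 6 && n >= 2 && part[n] == port &&
                ($2 ~ /^udp/ || $NF == "LISTEN"))
                proto[$1] = $2
            next
        }
        # fstat part: socket lines read "internet <type> <proto> <address>".
        $5 ~ /^internet/ && ($8 in proto) {
            print proto[$8], port, $1, $2, $3
        }'
}

# Stand-alone run over the constructed sample.
# On a live system: port_owners 80 "$(netstat -Ana)" "$(fstat)"
for p in 80 1352; do
    port_owners "$p" "$SAMPLE_NETSTAT" "$SAMPLE_FSTAT"
done
```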