From: Nils Vogels
Date: Mon, 01 May 2006 11:37:15 +0200
To: freebsd-questions@freebsd.org
Subject: Re: Hacked? How can I tell what process is sending packets from a particular port (udp/55613)?

Frank Steinborn wrote on 30-04-2006 22:58:
> boink wrote:
>
>> Dear FreeBSD,
>>
>> I see outbound packets from udp/55613, one every 5 seconds, to a
>> single non-routable (10....) IP, with destination port increasing by 1
>> with each packet, with expected ICMP Destination net unreachables from
>> an upstream router.
>>
>> AFAIK, there's no reason for this and I don't like it - how can I tell
>> which process is sending the packets?
>>
>> With thanks in advance,
>> boink
>>
>
> Try to catch the process with "sockstat -46p 55613"
>

Should that not give you the results you desire, try installing lsof, it
has a bundle of options for open filehandles.

HTH,

Nils
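
Added example, not part of the original thread: `sockstat -p` matches a port on either the local or the foreign side and for TCP as well as UDP, so this filter narrows sockstat-format output to UDP sockets whose local port is the one being investigated and prints the owning user, command and PID. The function names and the sample rows are constructed for illustration.

```shell
# Reads sockstat-format text on stdin and prints "USER COMMAND PID" for every
# UDP socket whose LOCAL port equals $1. Foreign-port and TCP matches, which
# "sockstat -p" also returns, are dropped.
owner_of_udp_port() {
    awk -v port="$1" '
        $5 ~ /^udp/ {                       # udp4 / udp6 / udp46 rows only
            n = split($6, parts, ":")       # port is the text after the last colon,
            if (parts[n] == port)           # which also copes with IPv6 addresses
                print $1, $2, $3
        }
    '
}

# Constructed sample in the FreeBSD sockstat column layout (not real host data).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    412   7  udp4   *:514                 *:*
www      perl       8831  3  udp4   192.0.2.10:55613      *:*
root     sshd       601   4  tcp4   192.0.2.10:22         198.51.100.7:55613
bind     named      577   20 udp6   ::1:53                *:*
EOF
}

# On the live host, feed it the command suggested in the thread:
#   sockstat -46p 55613 | owner_of_udp_port 55613
# Offline demonstration on the constructed sample:
sample_sockstat | owner_of_udp_port 55613
```

If nothing is printed on the live host, the sender may be a short-lived process that opens the socket only for the moment of each packet, so the check has to be repeated in step with the 5-second interval.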