Date: Sun, 19 Sep 2010 07:05:52 +0400 From: Anonymous <swell.k@gmail.com> To: Carl Johnson <carlj@peak.org> Cc: freebsd-questions@freebsd.org Subject: Re: extra open ports in rkhunter Message-ID: <86tylmzb3j.fsf@gmail.com> In-Reply-To: <E0616266-D8C4-43CB-874D-1442CC4AE0F3@mac.com> (Chuck Swiger's message of "Sat, 18 Sep 2010 19:45:10 -0700") References: <87pqwar5sc.fsf@oak.localnet> <E0616266-D8C4-43CB-874D-1442CC4AE0F3@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Chuck Swiger <cswiger@mac.com> writes:
> Hi--
>
> On Sep 18, 2010, at 4:27 PM, Carl Johnson wrote:
>> The following are the ports if anybody has any ideas, but I would also like to know how to trace them down myself:
>>
>> tcp4 0 0 *.876 *.* LISTEN
>> tcp6 0 0 *.921 *.* LISTEN
>> udp4 0 0 *.608 *.*
>> udp6 0 0 *.952 *.*
>> udp6 0 0 *.804 *.*
Do you have some networking FS enabled (NFS, AFS, Coda, etc)? Perhaps,
one of them listens for connections from kernel and is not associated
with userland process. But it's just a guess.
>
> Try:
>
> lsof -i tcp:876
>
> ...and so forth for the other ports; this will give you the process ID of whatever is holding that socket.
Speaking of processes, procstat(1) can show them, too.
$ procstat -af | (IFS= read hdr && echo $hdr; fgrep UDP)
PID COMM FD T V FLAGS REF OFFSET PRO NAME
1023 syslogd 6 s - rw------ 1 0 UDP ::.514 ::.0
1023 syslogd 7 s - rw------ 1 0 UDP 0.0.0.0:514 0.0.0.0:0
1170 nfsuserd 3 s - rw------ 8 0 UDP 0.0.0.0:998 0.0.0.0:0
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86tylmzb3j.fsf>