Date: Sun, 19 Sep 2010 07:05:52 +0400
From: Anonymous <swell.k@gmail.com>
To: Carl Johnson <carlj@peak.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: extra open ports in rkhunter
Message-ID: <86tylmzb3j.fsf@gmail.com>
In-Reply-To: <E0616266-D8C4-43CB-874D-1442CC4AE0F3@mac.com> (Chuck Swiger's message of "Sat, 18 Sep 2010 19:45:10 -0700")
References: <87pqwar5sc.fsf@oak.localnet> <E0616266-D8C4-43CB-874D-1442CC4AE0F3@mac.com>

Chuck Swiger <cswiger@mac.com> writes:

> Hi--
>
> On Sep 18, 2010, at 4:27 PM, Carl Johnson wrote:
>> The following are the ports if anybody has any ideas, but I would also like to know how to trace them down myself:
>>
>> tcp4 0 0 *.876 *.* LISTEN
>> tcp6 0 0 *.921 *.* LISTEN
>> udp4 0 0 *.608 *.*
>> udp6 0 0 *.952 *.*
>> udp6 0 0 *.804 *.*

Do you have some networking FS enabled (NFS, AFS, Coda, etc)? Perhaps
one of them listens for connections from the kernel and is not associated
with a userland process. But it's just a guess.

>
> Try:
>
>   lsof -i tcp:876
>
> ...and so forth for the other ports; this will give you the process ID of whatever is holding that socket.

Speaking of processes, procstat(1) can show them, too.

  $ procstat -af | (IFS= read hdr && echo $hdr; fgrep UDP)
  PID COMM FD T V FLAGS REF OFFSET PRO NAME
  1023 syslogd 6 s - rw------ 1 0 UDP ::.514 ::.0
  1023 syslogd 7 s - rw------ 1 0 UDP 0.0.0.0:514 0.0.0.0:0
  1170 nfsuserd 3 s - rw------ 8 0 UDP 0.0.0.0:998 0.0.0.0:0