From owner-freebsd-questions@freebsd.org Mon Feb 18 06:56:40 2019 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C04A114F5167 for ; Mon, 18 Feb 2019 06:56:40 +0000 (UTC) (envelope-from bblister@gmail.com) Received: from n6.nabble.com (n6.nabble.com [162.255.23.37]) by mx1.freebsd.org (Postfix) with ESMTP id B189C809FB for ; Mon, 18 Feb 2019 06:56:38 +0000 (UTC) (envelope-from bblister@gmail.com) Received: from n6.nabble.com (localhost [127.0.0.1]) by n6.nabble.com (Postfix) with ESMTP id 90722C66B8FD for ; Sun, 17 Feb 2019 23:56:31 -0700 (MST) Date: Sun, 17 Feb 2019 23:56:31 -0700 (MST) From: BBlister To: freebsd-questions@freebsd.org Message-ID: <1550472991548-0.post@n6.nabble.com> In-Reply-To: <1550345837921-0.post@n6.nabble.com> References: <1550339000372-0.post@n6.nabble.com> <20190216185344.95cb4ec3.freebsd@edvax.de> <1550341736004-0.post@n6.nabble.com> <1550345837921-0.post@n6.nabble.com> Subject: Re: Cannot identify process of listening port 600/tcp6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: B189C809FB X-Spamd-Bar: / Authentication-Results: mx1.freebsd.org; dmarc=fail reason="" header.from=gmail.com (policy=none); spf=softfail (mx1.freebsd.org: 162.255.23.37 is neither permitted nor denied by domain of bblister@gmail.com) smtp.mailfrom=bblister@gmail.com X-Spamd-Result: default: False [0.79 / 15.00]; ARC_NA(0.00)[]; DMARC_POLICY_SOFTFAIL(0.10)[gmail.com : No valid SPF, No valid DKIM,none]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; TO_DN_NONE(0.00)[]; R_SPF_SOFTFAIL(0.00)[~all]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_SPAM_MEDIUM(0.64)[0.639,0]; IP_SCORE(0.19)[ip: (0.80), ipnet: 162.255.20.0/22(0.17), asn: 21624(0.04), country: US(-0.07)]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; NEURAL_SPAM_LONG(0.35)[0.350,0]; RCVD_IN_DNSWL_NONE(0.00)[37.23.255.162.list.dnswl.org : 127.0.10.0]; NEURAL_HAM_SHORT(-0.47)[-0.473,0]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:21624, ipnet:162.255.20.0/22, country:US]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Feb 2019 06:56:40 -0000 >From FreeBSD Forums https://forums.freebsd.org/threads/listening-port-600-tcp6-cannot-be-mapped-to-process-am-i-hacked.69624/#post-417787 > You could make the firewall log activity on that port. > Also, you can use tcpdump to analyze the content of the datagrams. > If I recall correctly, nmap has a service discovery mode and it can try to > detect what exactly is listening on > the port. > My reply: I have executed tcpdump for 24 hours but I couln't receive/send any packet destined for that port. This is a passive way of detecting what is happening, and involves reverse engineering, because the datagram may be encrypted. It is difficult to wait for a packet to arrive or depart on port 600 (maybe it is trojan waiting to be activated?). I find it strange that FreeBSD does not have a tool to detect kernel listening sockets and the only way to detect what is happening it just by sniffing and trying to figure out the datagrams. What should I try next? -- Sent from: http://freebsd.1045724.x6.nabble.com/freebsd-questions-f3696945.html