From owner-freebsd-hackers@freebsd.org Tue Feb 19 21:13:41 2019
Date: Tue, 19 Feb 2019 14:13:39 -0700 (MST)
From: BBlister
To: freebsd-hackers@freebsd.org
Message-ID: <1550610819543-0.post@n6.nabble.com>
Subject: userland process rpc.lockd opens untraceable ports...is something wrong here?
List-Id: Technical Discussions relating to FreeBSD
Hi,

During a security audit on one FreeBSD 11.2 server I noticed that something was listening on a tcp4 and a tcp6 port. This could not be traced back using lsof or sockstat. sockstat returned ? for the process name, and lsof did not list the opened port. The port was open, because I could telnet to it.

I opened a thread at freebsd-questions (Cannot identify process of listening port 600/tcp6). You can find the archive of that thread here: http://freebsd.1045724.x6.nabble.com/Cannot-identify-process-of-listening-port-600-tcp6-td6314916.html

After many trials, I found out that these ports were opened by rpc.lockd. Killing that process removed the two listening ports. Restarting the process opened two new random ports below 1024 that could not be traced back to the userland process using any FreeBSD tool that I know of.

And here is my question: How is this happening? What magic trick does the rpc.lockd process utilize to hide itself from security auditing tools like lsof or sockstat? Why is rpc.lockd the only process that hides itself from locating what ports it has opened? Is there any other tool except lsof/sockstat that can trace the listening port back to the rpc.lockd process?

But the most important question: Can this trickery be exploited by a malicious process to open listening ports without being traced using lsof/sockstat?

Your valuable thoughts are most welcome. Thanks.
-- Sent from: http://freebsd.1045724.x6.nabble.com/freebsd-hackers-f4034256.html
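The practical question the post raises for an auditor is how to notice listening sockets that sockstat cannot attribute to a process. The script below is an added example, not part of the post or of FreeBSD's tooling: it takes the text output of sockstat(1) and reports every listening socket whose USER/COMMAND/PID columns are all "?", which is how sockstat prints a socket it cannot tie to a file descriptor. The sample output embedded in the script is constructed for the example (the port 600 entries mirror the symptom described in the post); the `SAMPLE_SOCKSTAT` variable and both function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): flag listening sockets that
# sockstat cannot attribute to a userland process. sockstat prints "?" in the
# USER, COMMAND, PID and FD columns for such sockets.

# CONSTRUCTED sample of `sockstat -46l` output, used so the script runs offline.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     rpcbind    640   6  tcp4   *:111                 *:*
?        ?          ?     ?  tcp4   *:600                 *:*
?        ?          ?     ?  tcp6   *:600                 *:*
root     ntpd       702   20 udp4   *:123                 *:*'

# Print "PROTO LOCAL-ADDRESS" for each row with no owning process.
# $1 is sockstat output (header line included).
unattributed_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "?" && $2 == "?" && $3 == "?" { print $5, $6 }'
}

# Number of unattributed listeners; suitable as a monitoring check where
# anything above the expected baseline is worth investigating.
unattributed_count() {
    unattributed_listeners "$1" | wc -l | tr -d ' '
}

# Offline demonstration on the constructed sample:
unattributed_listeners "$SAMPLE_SOCKSTAT"
printf 'unattributed listeners: %s\n' "$(unattributed_count "$SAMPLE_SOCKSTAT")"

# On a FreeBSD host the same functions take live data (not run here):
#   unattributed_listeners "$(sockstat -46l)"
```

Because the functions only parse text, the check can be run from cron or a monitoring agent and compared against a known baseline: on a host that serves NFS, a small number of unattributed entries is expected once rpc.lockd is running, while a new one appearing on a host with no such service is the signal worth chasing.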