Date: Mon, 18 Feb 2019 01:36:35 -0800
From: Doug Hardie <bc979@lafn.org>
To: BBlister <bblister@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Cannot identify process of listening port 600/tcp6
Message-ID: <5B3B92BC-BD58-4FA3-B6BD-16BA74A8D944@mail.sermon-archive.info>
In-Reply-To: <1550472991548-0.post@n6.nabble.com>
References: <1550339000372-0.post@n6.nabble.com>
 <20190216185344.95cb4ec3.freebsd@edvax.de>
 <1550341736004-0.post@n6.nabble.com>
 <ED59A34B-1AAA-46F1-81E1-4127ABD5C875@bsdops.com>
 <1550345837921-0.post@n6.nabble.com>
 <1550472991548-0.post@n6.nabble.com>

> On 17 February 2019, at 22:56, BBlister <bblister@gmail.com> wrote:
>
> From FreeBSD Forums
> https://forums.freebsd.org/threads/listening-port-600-tcp6-cannot-be-mapped-to-process-am-i-hacked.69624/#post-417787
>
>> You could make the firewall log activity on that port.
>> Also, you can use tcpdump to analyze the content of the datagrams.
>> If I recall correctly, nmap has a service discovery mode and it can try to
>> detect what exactly is listening on the port.
>>
>
> My reply:
> I have executed tcpdump for 24 hours but I couldn't receive/send any packet
> destined for that port. This is a passive way of detecting what is
> happening, and involves reverse engineering, because the datagram may be
> encrypted.
>
> It is difficult to wait for a packet to arrive or depart on port 600 (maybe
> it is a trojan waiting to be activated?).
>
> I find it strange that FreeBSD does not have a tool to detect kernel
> listening sockets and the only way to detect what is happening is just by
> sniffing and trying to figure out the datagrams.
>
>
> What should I try next?

Possibly https://www.linuxquestions.org/questions/linux-security-4/nessus-security-notes-about-ipcserver-port-600-a-339908/ might provide some helpful information.