From owner-freebsd-questions@freebsd.org  Mon Feb 18 09:36:45 2019
Return-Path: <owner-freebsd-questions@freebsd.org>
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7399E14F9145
 for <freebsd-questions@mailman.ysv.freebsd.org>;
 Mon, 18 Feb 2019 09:36:45 +0000 (UTC)
 (envelope-from srs0=zy1j=qz=mail.sermon-archive.info=doug@sermon-archive.info)
Received: from mail.sermon-archive.info (sermon-archive.info [71.177.216.148])
 by mx1.freebsd.org (Postfix) with ESMTP id 7742B86258
 for <freebsd-questions@freebsd.org>; Mon, 18 Feb 2019 09:36:44 +0000 (UTC)
 (envelope-from srs0=zy1j=qz=mail.sermon-archive.info=doug@sermon-archive.info)
Received: from [10.0.1.251] (mini [10.0.1.251])
 by mail.sermon-archive.info (Postfix) with ESMTPSA id 442zK01Zlgz2fjRd;
 Mon, 18 Feb 2019 01:36:36 -0800 (PST)
Content-Type: text/plain;
	charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Subject: Re: Cannot identify process of listening port 600/tcp6
From: Doug Hardie <bc979@lafn.org>
In-Reply-To: <1550472991548-0.post@n6.nabble.com>
Date: Mon, 18 Feb 2019 01:36:35 -0800
Cc: freebsd-questions@freebsd.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <5B3B92BC-BD58-4FA3-B6BD-16BA74A8D944@mail.sermon-archive.info>
References: <1550339000372-0.post@n6.nabble.com>
 <20190216185344.95cb4ec3.freebsd@edvax.de>
 <1550341736004-0.post@n6.nabble.com>
 <ED59A34B-1AAA-46F1-81E1-4127ABD5C875@bsdops.com>
 <1550345837921-0.post@n6.nabble.com> <1550472991548-0.post@n6.nabble.com>
To: BBlister <bblister@gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-Virus-Scanned: clamav-milter 0.100.2 at mail
X-Virus-Status: Clean
X-Rspamd-Queue-Id: 7742B86258
X-Spamd-Bar: /
Authentication-Results: mx1.freebsd.org; spf=pass (mx1.freebsd.org: domain of
 srs0=zy1j=qz=mail.sermon-archive.info=doug@sermon-archive.info designates
 71.177.216.148 as permitted sender)
 smtp.mailfrom=srs0=zy1j=qz=mail.sermon-archive.info=doug@sermon-archive.info
X-Spamd-Result: default: False [-0.59 / 15.00]; ARC_NA(0.00)[];
 RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-0.65)[-0.646,0];
 FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[];
 R_SPF_ALLOW(-0.20)[+ip4:71.177.216.148]; MV_CASE(0.50)[];
 MIME_GOOD(-0.10)[text/plain];
 IP_SCORE(-0.02)[asn: 5650(-0.02), country: US(-0.07)];
 NEURAL_HAM_LONG(-0.82)[-0.820,0];
 NEURAL_SPAM_SHORT(0.30)[0.300,0];
 TO_MATCH_ENVRCPT_SOME(0.00)[];
 MX_GOOD(-0.01)[sermon-archive.info]; RCPT_COUNT_TWO(0.00)[2];
 RCVD_IN_DNSWL_NONE(0.00)[148.216.177.71.list.dnswl.org : 127.0.10.0];
 FORGED_SENDER(0.30)[bc979@lafn.org,srs0=zy1j=qz=mail.sermon-archive.info=doug@sermon-archive.info];
 FREEMAIL_TO(0.00)[gmail.com]; RCVD_NO_TLS_LAST(0.10)[];
 R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:5650, ipnet:71.177.216.0/23, country:US];
 FROM_NEQ_ENVFROM(0.00)[bc979@lafn.org,srs0=zy1j=qz=mail.sermon-archive.info=doug@sermon-archive.info];
 RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions/>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 09:36:45 -0000

> On 17 February 2019, at 22:56, BBlister <bblister@gmail.com> wrote:
>=20
> =46rom FreeBSD Forums
> =
https://forums.freebsd.org/threads/listening-port-600-tcp6-cannot-be-mappe=
d-to-process-am-i-hacked.69624/#post-417787
>=20
>> You could make the firewall log activity on that port.
>> Also, you can use tcpdump to analyze the content of the datagrams.
>> If I recall correctly, nmap has a service discovery mode and it can =
try to
>> detect what exactly is listening on > the port.
>>=20
>=20
> My reply:
> I have executed tcpdump for 24 hours but I couln't receive/send any =
packet
> destined for that port. This is a passive way of detecting what is
> happening, and involves reverse engineering, because the datagram may =
be
> encrypted.
>=20
> It is difficult to wait for a packet to arrive or depart on port 600 =
(maybe
> it is trojan waiting to be activated?).=20
>=20
> I find it strange that FreeBSD does not have a tool to detect kernel
> listening sockets and the only way to detect what is happening it just =
by
> sniffing and trying to figure out the datagrams.
>=20
>=20
> What should I try next?

Possibly =
https://www.linuxquestions.org/questions/linux-security-4/nessus-security-=
notes-about-ipcserver-port-600-a-339908/ might provide some helpful =
information.