Date: Sat, 18 Sep 2010 20:59:29 -0700
From: Carl Johnson <carlj@peak.org>
To: freebsd-questions@freebsd.org
Subject: Re: extra open ports in rkhunter
Message-ID: <87lj6yqt7i.fsf@oak.localnet>
In-Reply-To: <E0616266-D8C4-43CB-874D-1442CC4AE0F3@mac.com> (Chuck Swiger's message of "Sat, 18 Sep 2010 19:45:10 -0700")
References: <87pqwar5sc.fsf@oak.localnet> <E0616266-D8C4-43CB-874D-1442CC4AE0F3@mac.com>

Chuck Swiger <cswiger@mac.com> writes:

> Hi--
>
> On Sep 18, 2010, at 4:27 PM, Carl Johnson wrote:
>> The following are the ports if anybody has any ideas, but I would also like to know how to trace them down myself:
>>
>> tcp4       0      0 *.876                  *.*                    LISTEN
>> tcp6       0      0 *.921                  *.*                    LISTEN
>> udp4       0      0 *.608                  *.*
>> udp6       0      0 *.952                  *.*
>> udp6       0      0 *.804                  *.*
>
> Try:
>
>   lsof -i tcp:876
>
> ...and so forth for the other ports; this will give you the process ID of whatever is holding that socket.

lsof -i doesn't show any of those five ports. It seems to show the same ones as sockstat. I should have mentioned previously that I verified the tcp ports were open with nmap, but that wouldn't tell me what they were. I haven't figured out how to even verify the udp ports are connected or open.

I also should have mentioned that I don't have any reason to think that my system is infected, but I just wanted to understand the difference.

Thanks for the reply. I had completely forgotten about lsof.

--
Carl Johnson		carlj@peak.org
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87lj6yqt7i.fsf>
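
The comparison discussed in this thread (ports that netstat reports but sockstat and lsof do not attribute to any process) can be scripted. The following is an added example, not part of the original message: it diffs `netstat -an` text against `sockstat -l` text and prints the wildcard-bound ports that have no owning process. The sample data is constructed: the five ports come from the thread, while the sshd and syslogd entries are assumed for contrast.

```shell
#!/bin/sh
# Constructed sample in FreeBSD `netstat -an` layout (ports 22 and 514 are assumed).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.876                  *.*                    LISTEN
tcp6       0      0 *.921                  *.*                    LISTEN
udp4       0      0 *.608                  *.*
udp6       0      0 *.952                  *.*
udp6       0      0 *.804                  *.*
udp4       0      0 *.514                  *.*'

# Constructed sample in FreeBSD `sockstat -l` layout (owners are assumed).
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       912   3  tcp4   *:22                  *:*
root     syslogd    701   7  udp4   *:514                 *:*'

# netstat side: TCP sockets in LISTEN and unconnected UDP sockets, as "proto port".
# netstat separates address and port with ".", so the port is the last field.
netstat_ports() {
    awk '$1 ~ /^(tcp|udp)[46]$/ && $5 == "*.*" && ($1 ~ /^udp/ || $6 == "LISTEN") {
        n = split($4, a, "."); print $1, a[n] }' | LC_ALL=C sort -u
}

# sockstat side: every socket that has an owning process, as "proto port".
# sockstat separates address and port with ":".
sockstat_ports() {
    awk '$5 ~ /^(tcp|udp)[46]$/ { n = split($6, a, ":"); print $5, a[n] }' |
        LC_ALL=C sort -u
}

# Ports present in netstat ($1) with no matching owner line in sockstat ($2).
unowned_ports() {
    ns=$(printf '%s\n' "$1" | netstat_ports)
    ss=$(printf '%s\n' "$2" | sockstat_ports)
    printf '%s\n' "$ns" | while read -r proto port; do
        printf '%s\n' "$ss" | grep -qx "$proto $port" || echo "$proto $port"
    done
}

unowned_ports "$NETSTAT_SAMPLE" "$SOCKSTAT_SAMPLE"
```

On a live system, pass `"$(netstat -an)"` and `"$(sockstat -l)"` instead of the samples.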