From: Carl Johnson <carlj@peak.org>
To: freebsd-questions@freebsd.org
Date: Sat, 18 Sep 2010 20:59:29 -0700
Subject: Re: extra open ports in rkhunter
Message-ID: <87lj6yqt7i.fsf@oak.localnet>
In-Reply-To: (Chuck Swiger's message of "Sat, 18 Sep 2010 19:45:10 -0700")
References: <87pqwar5sc.fsf@oak.localnet>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (berkeley-unix)
List-Id: User questions <freebsd-questions@freebsd.org>

Chuck Swiger writes:
> Hi--
>
> On Sep 18, 2010, at 4:27 PM, Carl Johnson wrote:
>> The following are the ports if anybody has any ideas, but I would also
>> like to know how to trace them down myself:
>>
>> tcp4       0      0 *.876                  *.*                    LISTEN
>> tcp6       0      0 *.921                  *.*                    LISTEN
>> udp4       0      0 *.608                  *.*
>> udp6       0      0 *.952                  *.*
>> udp6       0      0 *.804                  *.*
>
> Try:
>
>     lsof -i tcp:876
>
> ...and so forth for the other ports; this will give you the process ID
> of whatever is holding that socket.

lsof -i doesn't show any of those five ports.  It seems to show the same
ones as sockstat.  I should have mentioned previously that I verified the
tcp ports were open with nmap, but that wouldn't tell me what they were.
I haven't figured out how to even verify the udp ports are connected or
open.  I also should have mentioned that I don't have any reason to think
that my system is infected, but I just wanted to understand the difference.

Thanks for the reply.  I had completely forgotten about lsof.

-- 
Carl Johnson            carlj@peak.org
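The discrepancy under discussion, a port the kernel's socket table shows as listening that neither lsof nor sockstat ties to a process, can be checked mechanically rather than port by port. The script below is an added example written for this page; it is not code from the thread, from rkhunter or from FreeBSD. It reads text in the shape of `netstat -an` and `sockstat -l` output, extracts "proto port" pairs from each, and prints the listeners that have no owning process. The two samples embedded in it are constructed to resemble FreeBSD output and reuse the five ports posted above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile the kernel's socket table
# (netstat -an) with what sockstat -l attributes to a process. A port that
# appears in the first list but not the second is exactly the kind of
# discrepancy rkhunter reports, and the one worth chasing down by hand.
#
# Both samples are constructed to look like FreeBSD output; the listeners
# without an owner are the ones posted in the thread.

NETSTAT_SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 *.876                  *.*                    LISTEN
tcp6       0      0 *.921                  *.*                    LISTEN
tcp4       0      0 127.0.0.1.22           127.0.0.1.54321        ESTABLISHED
udp4       0      0 *.608                  *.*
udp6       0      0 *.952                  *.*
udp6       0      0 *.804                  *.*
udp4       0      0 *.514                  *.*'

SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       812   4  tcp4   *:22                  *:*
root     syslogd    654   6  udp4   *:514                 *:*'

# listening_ports: netstat -an text on stdin -> one "proto port" per listener.
# TCP listeners carry a LISTEN state; UDP sockets have no state column at all,
# so every udp line counts. Header lines never start with tcp/udp and drop out.
listening_ports() {
    awk '($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
            n = split($4, a, "."); print $1, a[n]   # port follows the last dot
         }'
}

# attributed_ports: sockstat -l text on stdin -> "proto port" for every socket
# sockstat could tie to a process. In data rows PROTO is $5, local address $6
# (the two-word "LOCAL ADDRESS" header is a single field in the rows below it).
attributed_ports() {
    awk '$5 ~ /^(tcp|udp)/ {
            n = split($6, a, ":"); print $5, a[n]   # port follows the last colon
         }'
}

# unattributed_ports NETSTAT_TEXT SOCKSTAT_TEXT -> listeners with no owner.
# Tag each attributed pair with S and each listener with N, then let awk
# emit the N entries that never appeared as S.
unattributed_ports() {
    {
        printf '%s\n' "$2" | attributed_ports | sed 's/^/S /'
        printf '%s\n' "$1" | listening_ports  | sed 's/^/N /'
    } | awk '$1 == "S" { seen[$2 " " $3] = 1; next }
             $1 == "N" && !seen[$2 " " $3] { print $2, $3 }'
}

unattributed_ports "$NETSTAT_SAMPLE" "$SOCKSTAT_SAMPLE"
```

On a live FreeBSD host the same functions take real output: `unattributed_ports "$(netstat -an)" "$(sockstat -l)"`. Anything it prints can then be examined directly with `sockstat -l -p 876` (or `-P udp` for the UDP ones), and reachability of a UDP port from another machine checked with `nmap -sU -p 608,804,952 host`, since a UDP socket shows no LISTEN state and will not answer a TCP connect. Matching is on the full protocol name, so a tcp4 listener is not mistaken for a tcp6 one on the same port.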