Date: Tue, 19 Sep 2000 15:17:31 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: John Indra <john@indocyber.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Hunt a nasty program
Message-ID: <20000919151730.A352@gray.westgate.gr>
In-Reply-To: <20000919191240.A355@indocyber.com>; from john@indocyber.com on Tue, Sep 19, 2000 at 07:12:40PM +0700
References: <20000919191240.A355@indocyber.com>

On Tue, Sep 19, 2000 at 07:12:40PM +0700, John Indra wrote:
> Dear FreeBSD users...
>
> I'm suspecting that my system somehow has a program to ``attract'' SYN (as
> in SYN FLOOD) packets from a remote computer. I'd like to hunt and kill the
> program. I know that it opens a connection to a certain host, but I don't
> know which file did that.
>
> How do I hunt that nasty program?

You can use sockstat(1) to see which program has opened a network
connection. For instance, on my machine I see:

% sockstat
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nmbd       180    5 udp4   *.137                 *.*
root     nmbd       180    6 udp4   *.138                 *.*
root     nmbd       180    7 udp4   212.205.119.66.137    *.*
root     nmbd       180    8 udp4   212.205.119.66.138    *.*
root     smbd       178    5 tcp4   *.139                 *.*
root     sshd       117    3 tcp4   *.22                  *.*
root     sendmail   113    4 tcp4   *.25                  *.*
root     inetd      108    4 udp4   *.518                 *.*
root     inetd      108    5 tcp4   *.2401                *.*
root     inetd      108    6 tcp4   *.113                 *.*
root     inetd      108    7 tcp4   *.119                 *.*
root     inetd      108    8 tcp4   *.23                  *.*
root     inetd      108    9 tcp4   *.21                  *.*
root     syslogd    81     4 udp4   *.514                 *.*

--
Giorgos Keramidas, <keramida@ceid.upatras.gr>
For my public pgp2 key: finger -l keramida@diogenis.ceid.upatras.gr
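
Added example (not part of the original message): a small shell filter that reads sockstat(1) output in the seven-column layout shown above and reports which user, command and PID own a socket connected to one given foreign host. The function names and the sample lines (documentation-range addresses, made-up PIDs) are constructed for illustration; IPv4 addresses in "addr.port" or "addr:port" form are assumed.

```shell
#!/bin/sh
# owner_of_host HOST
#   Reads sockstat(1) output on stdin and prints
#   "USER COMMAND PID PROTO FOREIGN" for each socket whose foreign
#   address is HOST, on any port. Listening sockets (*.*) are skipped.
owner_of_host() {
    awk -v host="$1" '
        $1 == "USER" { next }                  # header line
        NF < 7       { next }                  # not a socket line
        {
            foreign = $7
            if (foreign == "*.*" || foreign == "*:*")
                next                           # listening or unconnected
            addr = foreign
            sub(/[.:][0-9]+$/, "", addr)       # drop the trailing port
            if (addr == host)
                print $1, $2, $3, $5, foreign
        }'
}

# Constructed sample input (not real output from any machine).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       117    3 tcp4   *.22                  *.*
root     sendmail   113    4 tcp4   *.25                  *.*
nobody   a.out      4242   3 tcp4   192.0.2.10.1031       198.51.100.7.6667
john     ssh        512    3 tcp4   192.0.2.10.1029       203.0.113.5.22
EOF
}

# Which process is talking to 198.51.100.7?
sample_sockstat | owner_of_host 198.51.100.7
```

On a live system, pipe the real output in instead: sockstat | owner_of_host <suspect address>.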
