From owner-freebsd-questions Tue Sep 19 5:17:41 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.westgate.gr (zeus.westgate.gr [212.205.119.32]) by hub.freebsd.org (Postfix) with SMTP id C1D2A37B422 for ; Tue, 19 Sep 2000 05:17:38 -0700 (PDT)
Received: (qmail 11281 invoked from network); 19 Sep 2000 12:15:22 -0000
Received: from gray.westgate.gr (root@212.205.119.66) by zeus.westgate.gr with SMTP; 19 Sep 2000 12:15:22 -0000
Received: (from charon@localhost) by gray.westgate.gr (8.11.0/8.11.0) id e8JCHX100537; Tue, 19 Sep 2000 15:17:33 +0300 (EEST)
Date: Tue, 19 Sep 2000 15:17:31 +0300
From: Giorgos Keramidas
To: John Indra
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Hunt a nasty program
Message-ID: <20000919151730.A352@gray.westgate.gr>
References: <20000919191240.A355@indocyber.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20000919191240.A355@indocyber.com>; from john@indocyber.com on Tue, Sep 19, 2000 at 07:12:40PM +0700
X-PGP-Fingerprint: 3A 75 52 EB F1 58 56 0D - C5 B8 21 B6 1B 5E 4A C2
X-URL: http://students.ceid.upatras.gr/~keramida/index.html
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Tue, Sep 19, 2000 at 07:12:40PM +0700, John Indra wrote:
> Dear FreeBSD users...
>
> I'm suspecting that my system somehow has a program to ``attract'' SYN (as
> in SYN FLOOD) packets from a remote computer. I'd like to hunt and kill the
> program. I know that it opens a connection to a certain host, but I don't
> know which file did that.
>
> How do I hunt that nasty program?

You can use sockstat(1) to see which program has opened a network connection.
For instance, on my machine I see:

% sockstat
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nmbd       180    5 udp4   *.137                 *.*
root     nmbd       180    6 udp4   *.138                 *.*
root     nmbd       180    7 udp4   212.205.119.66.137    *.*
root     nmbd       180    8 udp4   212.205.119.66.138    *.*
root     smbd       178    5 tcp4   *.139                 *.*
root     sshd       117    3 tcp4   *.22                  *.*
root     sendmail   113    4 tcp4   *.25                  *.*
root     inetd      108    4 udp4   *.518                 *.*
root     inetd      108    5 tcp4   *.2401                *.*
root     inetd      108    6 tcp4   *.113                 *.*
root     inetd      108    7 tcp4   *.119                 *.*
root     inetd      108    8 tcp4   *.23                  *.*
root     inetd      108    9 tcp4   *.21                  *.*
root     syslogd     81    4 udp4   *.514                 *.*

--
Giorgos Keramidas,
For my public pgp2 key: finger -l keramida@diogenis.ceid.upatras.gr

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
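An added example, not part of the thread above, of how to read sockstat output for the poster's purpose: it parses the seven-column layout shown in the reply and reports the (command, pid) pairs whose socket has a real foreign address rather than the `*.*` wildcard of a listener, optionally narrowed to the host the poster already knew. The sample output is constructed from the listing above plus one invented line (`sysupd`, pid 4242, peer 192.0.2.10) standing in for the process being hunted.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample: listening sockets taken from the reply above, plus one
# invented line ("sysupd", pid 4242) holding a real peer address, standing in
# for the kind of process the original poster was hunting.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nmbd       180    7 udp4   212.205.119.66.137    *.*
root     smbd       178    5 tcp4   *.139                 *.*
root     sshd       117    3 tcp4   *.22                  *.*
root     inetd      108    9 tcp4   *.21                  *.*
root     syslogd     81    4 udp4   *.514                 *.*
nobody   sysupd    4242    3 tcp4   212.205.119.66.1025   192.0.2.10.80
"""

Row = Dict[str, Any]

def parse_sockstat(text: str) -> List[Row]:
    """Parse the seven-column sockstat(1) layout shown in the reply.
    The header and anything else without exactly seven fields (e.g. a
    '% sockstat' prompt line pasted along with the output) are skipped."""
    rows: List[Row] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0] == "USER":
            continue
        user, command, pid, fd, proto, local, foreign = fields
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "fd": int(fd), "proto": proto,
                     "local": local, "foreign": foreign})
    return rows

def split_host_port(addr: str) -> Tuple[str, str]:
    """sockstat joins host and port with a dot ('212.205.119.66.137');
    a listening socket shows the wildcard '*.*', which becomes ('*', '*')."""
    host, _, port = addr.rpartition(".")
    return host, port

def suspects(text: str, peer_host: Optional[str] = None) -> List[Tuple[str, int]]:
    """(command, pid) pairs holding a socket with a real peer, i.e. an
    established connection rather than a listener. With peer_host set, only
    sockets connected to that host (the one the poster already knew) count."""
    found = set()
    for r in parse_sockstat(text):
        host, _port = split_host_port(r["foreign"])
        if host == "*" or (peer_host is not None and host != peer_host):
            continue
        found.add((r["command"], r["pid"]))
    return sorted(found)
```

On a live system, pass the actual sockstat output to `suspects()` and look up each reported pid with ps(1) to find the executable behind it.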