From owner-freebsd-questions@freebsd.org Tue Feb 19 18:53:32 2019 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3C65014F94C8 for ; Tue, 19 Feb 2019 18:53:32 +0000 (UTC) (envelope-from bblister@gmail.com) Received: from n6.nabble.com (n6.nabble.com [162.255.23.37]) by mx1.freebsd.org (Postfix) with ESMTP id 0915A6D37F for ; Tue, 19 Feb 2019 18:53:30 +0000 (UTC) (envelope-from bblister@gmail.com) Received: from n6.nabble.com (localhost [127.0.0.1]) by n6.nabble.com (Postfix) with ESMTP id 30EDDC6EC189 for ; Tue, 19 Feb 2019 11:53:24 -0700 (MST) Date: Tue, 19 Feb 2019 11:53:24 -0700 (MST) From: BBlister To: freebsd-questions@freebsd.org Message-ID: <1550602404163-0.post@n6.nabble.com> In-Reply-To: <5b5f72fc-c054-ea43-6602-e7bdb742d657@sentex.net> References: <1550339000372-0.post@n6.nabble.com> <5b5f72fc-c054-ea43-6602-e7bdb742d657@sentex.net> Subject: Re: Cannot identify process of listening port 600/tcp6 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Rspamd-Queue-Id: 0915A6D37F X-Spamd-Bar: + Authentication-Results: mx1.freebsd.org; dmarc=fail reason="" header.from=gmail.com (policy=none); spf=softfail (mx1.freebsd.org: 162.255.23.37 is neither permitted nor denied by domain of bblister@gmail.com) smtp.mailfrom=bblister@gmail.com X-Spamd-Result: default: False [1.92 / 15.00]; ARC_NA(0.00)[]; DMARC_POLICY_SOFTFAIL(0.10)[gmail.com : No valid SPF, No valid DKIM,none]; FROM_HAS_DN(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; PREVIOUSLY_DELIVERED(0.00)[freebsd-questions@freebsd.org]; TO_DN_NONE(0.00)[]; R_SPF_SOFTFAIL(0.00)[~all]; RCPT_COUNT_ONE(0.00)[1]; NEURAL_SPAM_MEDIUM(0.71)[0.708,0]; IP_SCORE(0.17)[ip: (0.71), ipnet: 162.255.20.0/22(0.17), asn: 21624(0.04), country: US(-0.07)]; NEURAL_SPAM_SHORT(0.83)[0.825,0]; MX_GOOD(-0.01)[cached: alt3.gmail-smtp-in.l.google.com]; NEURAL_SPAM_LONG(0.13)[0.127,0]; RCVD_IN_DNSWL_NONE(0.00)[37.23.255.162.list.dnswl.org : 127.0.10.0]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; ASN(0.00)[asn:21624, ipnet:162.255.20.0/22, country:US]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 19 Feb 2019 18:53:32 -0000 Yes you are right. If I kill rpc.lockd the two listening ports disappear. If I re-execute, then I can see two new unknown listening ports on other locations. For example, now I have 815/tcp4 and 874/tcp6 . So I believe I should ask the freebsd-hackers which rpc.lockd cannot be listed on the sockstat or lsof (which means that this could be a way for a malicious process to do exactly what lockd does and open ports without being identified). Thanks mdtancsa for your valuable tip. -- Sent from: http://freebsd.1045724.x6.nabble.com/freebsd-questions-f3696945.html