Perhaps in your haste, you missed something. If I run netstat -anpe as a user I get this specific message and the PID column is populated with only a "-" for all entries, just like you showed.
I.E.
netstat -anpe |grep udp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
udp 0 0 0.0.0.0:631 0.0.0.0:* 0 5285429 -

See the message?

However, running "sudo netstat -anpe |grep udp" actually displays the PID/Binary:
udp 0 0 0.0.0.0:631 0.0.0.0:* 0 5285429 3334/cupsd

The Process ID is what you are supposed to use to match a socket to the binary that opened it.
**Try "sudo netstat -anpeev"

You can also try to find the inode. Though, it is a large number and you may not find it on disk.
**Also, try "find / -inum 5950269 -print"

You might also try starting a packet capture and removing the firewall. After a bit, kill the packet capture and see what Wireshark tells you.
**"sudo tcpdump -i eth0? -nASs0 -c 500 -w `hostname`-`date +%F-%H%M`.pcap port 10001"
This will automatically stop after 500 packets to/from port 10001.

On Wed, 2014-01-22 at 13:20 +0100, Nico Angenon wrote:
> Hello,
>
> I think I’ve been hacked on one of my boxes...
>
> I try to find which process binds a specific port:
>
> # netstat -anpe |grep udp
> gives me
> udp 0 0 0.0.0.0:10001 0.0.0.0:* 0 5950269 -
>
> but
> # lsof |grep 10001
> doesn’t show me anything
>
> I’ve tried to cat /proc/*/cmdline... no 10001 found
> no 10001 in ‘ps aux’
> no 10001 in ‘rpcinfo -p’
>
> any idea ?
>
> Thanks
> Nico
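The socket-to-process match discussed in this thread can also be done directly from /proc. This is an added example, not part of the original messages: it reads the socket inode for a UDP port from /proc/net/udp and then looks for a process whose /proc/<pid>/fd holds a socket:[inode] link. The function names and the optional proc-root argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: UDP port -> socket inode -> owning PID(s), using only /proc.
# The optional second argument (proc root) is an assumption of this sketch so
# the functions can be exercised on a constructed tree; default is /proc.

# Print the socket inode(s) bound to UDP port $1.
udp_inode_for_port() {
    port_hex=$(printf '%04X' "$1")
    for f in "${2:-/proc}/net/udp" "${2:-/proc}/net/udp6"; do
        if [ -r "$f" ]; then
            awk -v p="$port_hex" '
                FNR > 1 {
                    n = split($2, a, ":")      # local_address is HEXIP:HEXPORT
                    if (toupper(a[n]) == p) print $10   # field 10 = inode
                }' "$f"
        fi
    done
}

# Print "PID<TAB>command" for every process holding socket inode $1.
# Reading other users' fd links requires root, as with netstat -p.
socket_owners() {
    root=${2:-/proc}
    for fd in "$root"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid_dir=${fd%/fd/*}
        printf '%s\t%s\n' "${pid_dir##*/}" "$(cat "$pid_dir/comm" 2>/dev/null)"
    done | sort -u
}

# Direct use, as root:  sh thisfile.sh 10001
if [ "$#" -eq 1 ]; then
    for i in $(udp_inode_for_port "$1"); do
        echo "inode $i:"
        socket_owners "$i"
    done
fi
```

If `socket_owners` prints nothing even when run as root, no process visible in /proc holds that socket; a socket opened by the kernel itself shows up this way.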

