(Since other poster has been top-posting, I'll finish out here. But, I'm not in the habit of top-posting, myself)
Yago,

OK, I'm worried. I sure wish I knew what process/program was using the port, but I guess netstat would have revealed that.

Now what? Anything else I can try?

Dimitri

On Wednesday 27 July 2011 9:42:58 am you wrote:
> As root try to find the process using
>
>     netstat -tanp | grep [port]
>
> If you can't find it, it's time to worry
>
> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
> > (I hope top-posting is acceptable on the list).
> >
> > I, too, am having "issues" with hidden ports, and have been
> > trying to figure out whether I'm at risk or not. So, this is
> > a timely and necessary topic of discussion, IMHO.
> >
> > I just ran "nc -l [portnumber]" on one of my machines, and
> > got the output "nc: Address already in use". Is it time for
> > an oh, oh moment?
> >
> > Dimitri
> >
> > On Tuesday 26 July 2011 8:04:40 pm Yago Jesus wrote:
> >> Hi Vincent,
> >>
> >> As developer of Unhide I will try to help you.
> >>
> >> First, to discover if it is a false positive or not, you can
> >> try to bind to these ports using netcat
> >>
> >>     nc -l 900
> >>
> >>     nc -l 895
> >>
> >> If you can bind nc to these ports, probably could be a false
> >> positive so in the next mail you can send me (or to the list
> >> if you wish to make public the information) the output of
> >>
> >>     ifconfig -a
> >>
> >> Thanks !
> >>
> >> 2011/7/27 Vincent McIntyre <vincent.mcint...@gmail.com>:
> >> > Hi
> >> >
> >> > running rkhunter 1.3.8 on Linux.
> >> >
> >> > I'm seeing warnings from unhide (version 20080519), eg
> >> >
> >> >     Warning: Hidden ports found:
> >> >              Port number: 45812
> >> >              Port number: 895
> >> >              Port number: 900
> >> >
> >> > and wondering what to do about them.
> >> > Repeated runs of unhide-tcp show that only the last two
> >> > ports above are persistent.
> >> >
> >> > There's not a lot of information to go on in the output
> >> > above and the unhide manpages are ... terse.
> >> >
> >> > tcpdumping while running unhide doesn't show any activity
> >> > on the ports above. It's not even clear which interface
> >> > unhide is referring to - lo or eth0. I'm assuming eth0.
> >> >
> >> > Any advice would be helpful.
> >> > Cheers
> >> > Vince

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
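
The triage suggested in this thread (try to bind the reported port, then look for it in the socket table), written out as an added example; it is not code from any poster or from the unhide or rkhunter projects. It reads /proc/net/tcp directly instead of calling netstat, covers TCP only, and the function names and the sample table are constructed for illustration.

```python
import errno
import socket
from pathlib import Path

# Constructed sample in /proc/net/tcp format: listeners on ports 22 and 900 (0x0384).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:0384 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
"""
BIND_ERRORS = {errno.EADDRINUSE: "in_use", errno.EACCES: "denied"}

def local_ports(table_text):
    """Local ports of all sockets in the table, any state (what `netstat -tan` lists)."""
    ports = set()
    for line in table_text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:      # local_address is HEXADDR:HEXPORT
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def try_bind(port):
    """Same probe as `nc -l PORT`: returns 'free', 'in_use' or 'denied'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
        except OSError as e:
            if e.errno not in BIND_ERRORS:
                raise
            return BIND_ERRORS[e.errno]               # 'denied': ports below 1024 need root
    return "free"

def classify(port, bind_result, visible):             # bind probe first, then the socket table
    if bind_result == "denied":
        return "inconclusive: rerun as root"
    if bind_result == "free":
        return "probably a false positive: port could be bound"
    if port in visible:
        return "in use and listed: find the owner with netstat -tanp"
    return "in use but not listed: investigate"

def visible_ports(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    tables = (Path(p).read_text() for p in paths if Path(p).exists())
    return set().union(*map(local_ports, tables))

if __name__ == "__main__":
    seen = visible_ports()
    for port in (895, 900):                           # the persistent ports from the report
        print(port, classify(port, try_bind(port), seen))
```

Run it as root: both reported ports are below 1024, so an unprivileged bind fails with a permission error and says nothing about whether the port is in use.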