As root, try to find the process using netstat -tanp | grep [port]
If you can't find it, it is time to worry.

2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
> (I hope top-posting is acceptable on the list).
>
> I, too, am having "issues" with hidden ports, and have been trying
> to figure out whether I'm at risk or not. So, this is a timely
> and necessary topic of discussion, IMHO.
>
> I just ran "nc -l [portnumber]" on one of my machines, and got the
> output "nc: Address already in use". Is it time for an oh, oh
> moment?
>
> Dimitri
>
>
> On Tuesday 26 July 2011 8:04:40 pm Yago Jesus wrote:
>> Hi Vincent,
>>
>> As developer of Unhide I will try to help you.
>>
>> First, to discover if it is a false positive or not, you can
>> try to bind to these ports using netcat
>>
>> nc -l 900
>>
>> nc -l 895
>>
>> If you can bind nc to these ports, it probably could be a false
>> positive, so in the next mail you can send me (or to the list if
>> you wish to make public the information) the output of
>>
>> ifconfig -a
>>
>> Thanks !
>>
>> 2011/7/27 Vincent McIntyre <vincent.mcint...@gmail.com>:
>> > Hi
>> >
>> > running rkhunter 1.3.8 on Linux.
>> >
>> > I'm seeing warnings from unhide (version 20080519), eg
>> >
>> > Warning: Hidden ports found:
>> > Port number: 45812
>> > Port number: 895
>> > Port number: 900
>> >
>> > and wondering what to do about them.
>> > Repeated runs of unhide-tcp show that only the last two ports
>> > above are persistent.
>> >
>> > There's not a lot of information to go on in the output above
>> > and the unhide manpages are ... terse.
>> >
>> > tcpdumping while running unhide doesn't show any activity on
>> > the ports above. It's not even clear which interface unhide
>> > is referring to - lo or eth0. I'm assuming eth0.
>> >
>> > Any advice would be helpful.
>> > Cheers
>> > Vince
>> >
>> > ------------------------------------------------------------------------------
>> > Got Input? Slashdot Needs You.
>> > Take our quick survey online. Come on, we don't ask for help
>> > often. Plus, you'll get a chance to win $100 to spend on
>> > ThinkGeek. http://p.sf.net/sfu/slashdot-survey
>> > _______________________________________________
>> > Rkhunter-users mailing list
>> > Rkhunter-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
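
The two checks suggested in this thread (the "nc -l" bind test and the netstat lookup) can be combined into one triage pass. The script below is an added example, not part of the original messages and not code from rkhunter or unhide; the function names, verdict strings and the sample socket table are constructed for illustration, and it assumes Linux with IPv4 sockets listed in /proc/net/tcp.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp format, the table netstat reads on Linux.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A00000F:0016 0A000002:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
"""

def visible_ports(proc_net_tcp_text):
    """Local TCP ports (any state) that the kernel socket table admits to."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port
    return ports

def bind_state(port, host="0.0.0.0"):
    """Same test as `nc -l PORT`: returns 'free', 'in_use' or 'denied'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return "free"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:   # "Address already in use"
                return "in_use"
            if e.errno in (errno.EACCES, errno.EPERM):  # port < 1024, not root
                return "denied"
            raise

def triage(port, state, visible):
    """Combine both checks into the verdicts given in the thread."""
    if state == "denied":
        return "inconclusive: rerun as root"
    if state == "free":
        return "bindable: probably a false positive"
    if port in visible:
        return "in use and listed: find the owner with netstat -tanp"
    return "in use but not listed: time to worry"

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:  # Linux only; IPv4 sockets
        visible = visible_ports(f.read())
    for port in (895, 900):  # the persistent ports reported in the thread
        print(port, triage(port, bind_state(port), visible))
```

Run it as root, since ports 895 and 900 are below 1024 and an unprivileged bind attempt returns "denied" rather than an answer.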