Try with lsof:

(as root)

lsof -i :port

For example, lsof -i :900

Also try with fuser:

fuser -n tcp port

For example, fuser -n tcp 900

2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
> (Since other poster has been top-posting, I'll finish out here.
> But, I'm not in the habit of top-posting, myself)
>
> Yago,
>
> OK, I'm worried.  I sure wish I knew what process/program was
> using the port, but I guess netstat would have revealed that.
>
> Now what?  Anything else I can try?
>
> Dimitri
>
>
> On Wednesday 27 July 2011 9:42:58 am you wrote:
>> As root try to find the process using
>>
>> netstat -tanp | grep [port]
>>
>> If you can't find it, it is time to worry
>>
>> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
>> > (I hope top-posting is acceptable on the list).
>> >
>> > I, too, am having "issues" with hidden ports, and have been
>> > trying to figure out whether I'm at risk or not.  So, this is
>> > a timely and necessary topic of discussion, IMHO.
>> >
>> > I just ran "nc -l [portnumber]" on one of my machines, and
>> > got the output "nc: Address already in use".  Is it time for
>> > an oh, oh moment?
>> >
>> > Dimitri
>> >
>> > On Tuesday 26 July 2011 8:04:40 pm Yago Jesus wrote:
>> >> Hi Vicent,
>> >>
>> >> As developer of Unhide I will try to help you.
>> >>
>> >> First, to discover if it is a false positive or not, you can
>> >> try to bind to these ports using netcat
>> >>
>> >> nc -l 900
>> >>
>> >> nc -l 895
>> >>
>> >> If you can bind nc to these ports, it could probably be a false
>> >> positive so in the next mail you can send me (or to the list
>> >> if you wish to make public the information) the output  of
>> >>
>> >> ifconfig -a
>> >>
>> >> Thanks !
>> >>
>> >> 2011/7/27 Vincent McIntyre <vincent.mcint...@gmail.com>:
>> >> > Hi
>> >> >
>> >> > running rkhunter 1.3.8 on Linux.
>> >> >
>> >> > I'm seeing warnings from unhide (version 20080519), eg
>> >> >
>> >> > Warning: Hidden ports found:
>> >> >         Port number: 45812
>> >> >         Port number: 895
>> >> >         Port number: 900
>> >> >
>> >> > and wondering what to do about them.
>> >> > Repeated runs of unhide-tcp show that only the last two
>> >> > ports above are persistent.
>> >> >
>> >> > There's not a lot of information to go on in the output
>> >> > above and the unhide manpages are ... terse.
>> >> >
>> >> > tcpdumping while running unhide doesn't show any activity
>> >> > on the ports above. It's not even clear which interface
>> >> > unhide is referring to - lo or eth0. I'm assuming eth0.
>> >> >
>> >> > Any advice would be helpful.
>> >> > Cheers
>> >> > Vince
>> >> >
>> >> > ------------------------------------------------------------------------------
>> >> > Got Input?   Slashdot Needs You.
>> >> > Take our quick survey online.  Come on, we don't ask for help often.
>> >> > Plus, you'll get a chance to win $100 to spend on ThinkGeek.
>> >> > http://p.sf.net/sfu/slashdot-survey
>> >> > _______________________________________________
>> >> > Rkhunter-users mailing list
>> >> > Rkhunter-users@lists.sourceforge.net
>> >> > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
>> >>
>> >
>> > --
>> > This message has been scanned for viruses and
>> > dangerous content by MailScanner, and is
>> > believed to be clean.
>> >
>> >
>
>
>
>
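The triage this thread walks through (a bind test as with `nc -l`, then a look at the socket listing that `netstat -tanp` reads), as an added example that is not part of any poster's message or of unhide's own code. The sample table is constructed, the function names are hypothetical, and the example assumes Linux with IPv4 sockets in `/proc/net/tcp`.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp layout (not data from the thread's hosts).
# Column 2 is local address:port in hex; column 4 is the TCP state.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0384 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0500000A:B2F4 0200000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 10003 1 0000000000000000 20 4 30 10 -1
"""

def local_ports(table_text):
    """Return every local TCP port in the table, in any state (like netstat -tan)."""
    ports = set()
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 4:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def can_bind(port):
    """Bind attempt as made by `nc -l port`; False means 'Address already in use'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind(("0.0.0.0", port))
        return True
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return False
        raise                                     # e.g. EACCES: port < 1024 needs root
    finally:
        sock.close()

def triage(port, bind_ok, visible_ports):
    """Combine the bind test with the socket listing."""
    if bind_ok:
        return "free"        # bind worked: the warning is probably a false positive
    if port in visible_ports:
        return "listed"      # in use and visible: find the owner with lsof -i / fuser
    return "hidden"          # in use but absent from the listing: investigate the host

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:             # IPv4 only; tcp6 has the same columns
        visible = local_ports(fh.read())
    for port in (895, 900):                       # the persistent ports from the report
        print(port, triage(port, can_bind(port), visible))
```

Run it as root, since binding to ports below 1024 otherwise fails with a permission error rather than answering the question.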
