Yago,

Thanks for your response.

Running lsof and fuser returned no output. What does that mean?

Thanks.

Dimitri

On Wednesday 27 July 2011 7:01:31 pm Yago Jesus wrote:
> Try with lsof:
>
> (as root)
>
> lsof -i :port
>
> For example, lsof -i :900
>
> Also try with fuser:
>
> fuser -n tcp port
>
> For example, fuser -n tcp 900
>
> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
> > (Since the other poster has been top-posting, I'll finish out
> > here. But, I'm not in the habit of top-posting, myself)
> >
> > Yago,
> >
> > OK, I'm worried. I sure wish I knew what process/program was
> > using the port, but I guess netstat would have revealed that.
> >
> > Now what? Anything else I can try?
> >
> > Dimitri
> >
> > On Wednesday 27 July 2011 9:42:58 am you wrote:
> >> As root try to find the process using
> >>
> >> netstat -tanp | grep [port]
> >>
> >> If you can't find it, it is time to worry
> >>
> >> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
> >> > (I hope top-posting is acceptable on the list).
> >> >
> >> > I, too, am having "issues" with hidden ports, and have
> >> > been trying to figure out whether I'm at risk or not. So,
> >> > this is a timely and necessary topic of discussion, IMHO.
> >> >
> >> > I just ran "nc -l [portnumber]" on one of my machines, and
> >> > got the output "nc: Address already in use". Is it time
> >> > for an oh, oh moment?
> >> >
> >> > Dimitri
> >> >
> >> > On Tuesday 26 July 2011 8:04:40 pm Yago Jesus wrote:
> >> >> Hi Vicent,
> >> >>
> >> >> As developer of Unhide I will try to help you.
> >> >>
> >> >> First, to discover if it is a false positive or not, you
> >> >> can try to bind to these ports using netcat
> >> >>
> >> >> nc -l 900
> >> >>
> >> >> nc -l 895
> >> >>
> >> >> If you can bind nc to these ports, it probably could be a
> >> >> false positive, so in the next mail you can send me (or to
> >> >> the list if you wish to make public the information) the
> >> >> output of
> >> >>
> >> >> ifconfig -a
> >> >>
> >> >> Thanks !
> >> >>
> >> >> 2011/7/27 Vincent McIntyre <vincent.mcint...@gmail.com>:
> >> >> > Hi
> >> >> >
> >> >> > running rkhunter 1.3.8 on Linux.
> >> >> >
> >> >> > I'm seeing warnings from unhide (version 20080519), eg
> >> >> >
> >> >> > Warning: Hidden ports found:
> >> >> > Port number: 45812
> >> >> > Port number: 895
> >> >> > Port number: 900
> >> >> >
> >> >> > and wondering what to do about them.
> >> >> > Repeated runs of unhide-tcp show that only the last two
> >> >> > ports above are persistent.
> >> >> >
> >> >> > There's not a lot of information to go on in the output
> >> >> > above and the unhide manpages are ... terse.
> >> >> >
> >> >> > tcpdumping while running unhide doesn't show any
> >> >> > activity on the ports above. It's not even clear which
> >> >> > interface unhide is referring to - lo or eth0. I'm
> >> >> > assuming eth0.
> >> >> >
> >> >> > Any advice would be helpful.
> >> >> > Cheers
> >> >> > Vince

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
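
The cross-check this thread walks through (try to bind the port, then look for it in the socket table that netstat reads), as an added example that is not part of the original messages and is not unhide's code. The function names and the sample table are constructed for illustration.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp layout (hex address:port, state 0A = LISTEN).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 0100007F:0384 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222
   2: 0F00000A:B2F4 0100000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333
"""

def visible_ports(proc_text):
    """Local TCP ports listed in the kernel socket table (what netstat reads)."""
    ports = set()
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and ":" in fields[1]:   # skips the header row
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def can_bind(port, host="0.0.0.0"):
    """Bind test in the spirit of 'nc -l port': False only on 'Address already in use'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return False
            raise   # e.g. EACCES for ports below 1024 when not root

def classify(port, bindable, visible):
    """Combine the bind result with the table lookup for one port."""
    if bindable:
        return "free"   # nothing holds the port; the warning was likely a false positive
    return "in use, listed" if port in visible else "in use, NOT listed"

if __name__ == "__main__":
    table = ""
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                table += f.read()
        except OSError:
            pass   # tcp6 is absent when IPv6 is disabled
    seen = visible_ports(table)
    for port in (895, 900):   # the persistent ports from the rkhunter warning
        print(port, classify(port, can_bind(port), seen))
```

Run it as root, since 895 and 900 are privileged ports. "in use, NOT listed" corresponds to the situation reported in the thread: the bind fails but the socket table shows no entry for the port.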