Yago,

Thanks for your response.

Running lsof and fuser returned no output.  What does that mean?

Thanks.

Dimitri


On Wednesday 27 July 2011 7:01:31 pm Yago Jesus wrote:
> Try with lsof:
>
> (as root)
>
> lsof -i :port
>
> For example, lsof -i :900
>
> Also try with fuser:
>
> fuser -n tcp port
>
> For example, fuser -n tcp 900
>
> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
> > (Since the other poster has been top-posting, I'll finish out
> > here. But I'm not in the habit of top-posting, myself)
> >
> > Yago,
> >
> > OK, I'm worried.  I sure wish I knew what process/program was
> > using the port, but I guess netstat would have revealed that.
> >
> > Now what?  Anything else I can try?
> >
> > Dimitri
> >
> > On Wednesday 27 July 2011 9:42:58 am you wrote:
> >> As root try to find the process using
> >>
> >> netstat -tanp | grep [port]
> >>
> >> If you can't find it, it is time to worry
> >>
> >> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
> >> > (I hope top-posting is acceptable on the list).
> >> >
> >> > I, too, am having "issues" with hidden ports, and have
> >> > been trying to figure out whether I'm at risk or not.  So,
> >> > this is a timely and necessary topic of discussion, IMHO.
> >> >
> >> > I just ran "nc -l [portnumber]" on one of my machines, and
> >> > got the output "nc: Address already in use".  Is it time
> >> > for an oh, oh moment?
> >> >
> >> > Dimitri
> >> >
> >> > On Tuesday 26 July 2011 8:04:40 pm Yago Jesus wrote:
> >> >> Hi Vicent,
> >> >>
> >> >> As the developer of Unhide I will try to help you.
> >> >>
> >> >> First, to discover if it is a false positive or not, you
> >> >> can try to bind to these ports using netcat
> >> >>
> >> >> nc -l 900
> >> >>
> >> >> nc -l 895
> >> >>
> >> >> If you can bind nc to these ports, it could probably be a
> >> >> false positive, so in the next mail you can send me (or to
> >> >> the list, if you wish to make the information public) the
> >> >> output of
> >> >>
> >> >> ifconfig -a
> >> >>
> >> >> Thanks !
> >> >>
> >> >> 2011/7/27 Vincent McIntyre <vincent.mcint...@gmail.com>:
> >> >> > Hi
> >> >> >
> >> >> > running rkhunter 1.3.8 on Linux.
> >> >> >
> >> >> > I'm seeing warnings from unhide (version 20080519), e.g.
> >> >> >
> >> >> > Warning: Hidden ports found:
> >> >> >         Port number: 45812
> >> >> >         Port number: 895
> >> >> >         Port number: 900
> >> >> >
> >> >> > and wondering what to do about them.
> >> >> > Repeated runs of unhide-tcp show that only the last two
> >> >> > ports above are persistent.
> >> >> >
> >> >> > There's not a lot of information to go on in the output
> >> >> > above and the unhide manpages are ... terse.
> >> >> >
> >> >> > tcpdumping while running unhide doesn't show any
> >> >> > activity on the ports above. It's not even clear which
> >> >> > interface unhide is referring to - lo or eth0. I'm
> >> >> > assuming eth0.
> >> >> >
> >> >> > Any advice would be helpful.
> >> >> > Cheers
> >> >> > Vince
> >> >> >
> >> >> > ------------------------------------------------------------------------------
> >> >> > Got Input?   Slashdot Needs You.
> >> >> > Take our quick survey online.  Come on, we don't ask for help often.
> >> >> > Plus, you'll get a chance to win $100 to spend on ThinkGeek.
> >> >> > http://p.sf.net/sfu/slashdot-survey
> >> >> > _______________________________________________
> >> >> > Rkhunter-users mailing list
> >> >> > Rkhunter-users@lists.sourceforge.net
> >> >> > https://lists.sourceforge.net/lists/listinfo/rkhunter-users
> >> >
> >> > --
> >> > This message has been scanned for viruses and
> >> > dangerous content by MailScanner, and is
> >> > believed to be clean.



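The cross-check this thread walks through (a failed bind, as with "nc -l", compared against the kernel socket table that netstat reads), as an added example that is not part of the original messages. The sample table is constructed, the function names are illustrative, and reading /proc/net/tcp and /proc/net/tcp6 assumes Linux.

```python
import errno
import socket
import sys

# Constructed sample in /proc/net/tcp format (not data from the thread):
# a listener on 0.0.0.0:900 (hex 0384, state 0A = LISTEN) and one
# established loopback connection from local port 41716 (hex A2F4).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0384 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:A2F4 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""

def listed_ports(proc_text):
    """Local TCP ports present in a /proc/net/tcp or tcp6 table, in any state."""
    ports = set()
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) > 3:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def can_bind(port, host="0.0.0.0"):
    """Same test as 'nc -l port': False means 'Address already in use'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return False
            raise                                     # e.g. EACCES when not root

def classify(port, bindable, listed):
    """Combine the bind result with the kernel table for one port."""
    if bindable:
        return "free"
    return "in use, listed" if port in listed else "in use, NOT listed"

if __name__ == "__main__":
    listed = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                listed |= listed_ports(f.read())
        except FileNotFoundError:
            pass
    for port in map(int, sys.argv[1:]):
        print(port, classify(port, can_bind(port), listed))
```

Run it as root with the reported port numbers as arguments. A port that stays "in use, NOT listed" across repeated runs is the persistent case described in the thread; one that shows up once and then clears is a race between reading the table and the bind attempt.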