Hi,

There are two possibilities. Your problem can be a kernel bug: sometimes when a program releases a socket because it ends, the kernel doesn't release the port. You can reboot your box and see if the problem persists.
If the problem persists, it probably seems to be a rootkit in your kernel. In this scenario, only a deep forensics analysis could report evidence (make a copy of the HD and analyze it with tools like Autopsy).

2011/7/28 Dimitri Yioulos <dyiou...@firstbhph.com>:
> Yago,
>
> Thanks for your response.
>
> Running lsof and fuser returned no output. What does that mean?
>
> Thanks.
>
> Dimitri
>
> On Wednesday 27 July 2011 7:01:31 pm Yago Jesus wrote:
>> Try with lsof:
>>
>> (as root)
>>
>> lsof -i :port
>>
>> For example, lsof -i :900
>>
>> Also try with fuser:
>>
>> fuser -n tcp port
>>
>> For example, fuser -n tcp 900
>>
>> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
>> > (Since other poster has been top-posting, I'll finish out
>> > here. But, I'm not in the habit of top-posting, myself)
>> >
>> > Yago,
>> >
>> > OK, I'm worried. I sure wish I knew what process/program was
>> > using the port, but I guess netstat would have revealed that.
>> >
>> > Now what? Anything else I can try?
>> >
>> > Dimitri
>> >
>> > On Wednesday 27 July 2011 9:42:58 am you wrote:
>> >> As root try to find the process using
>> >>
>> >> netstat -tanp | grep [port]
>> >>
>> >> If you can't find it, it is time to worry
>> >>
>> >> 2011/7/27 Dimitri Yioulos <dyiou...@firstbhph.com>:
>> >> > (I hope top-posting is acceptable on the list).
>> >> >
>> >> > I, too, am having "issues" with hidden ports, and have
>> >> > been trying to figure out whether I'm at risk or not. So,
>> >> > this is a timely and necessary topic of discussion, IMHO.
>> >> >
>> >> > I just ran "nc -l [portnumber]" on one of my machines, and
>> >> > got the output "nc: Address already in use". Is it time
>> >> > for an oh, oh moment?
>> >> >
>> >> > Dimitri
>> >> >
>> >> > On Tuesday 26 July 2011 8:04:40 pm Yago Jesus wrote:
>> >> >> Hi Vincent,
>> >> >>
>> >> >> As developer of Unhide I will try to help you.
>> >> >>
>> >> >> First, to discover if it is a false positive or not, you
>> >> >> can try to bind to these ports using netcat
>> >> >>
>> >> >> nc -l 900
>> >> >>
>> >> >> nc -l 895
>> >> >>
>> >> >> If you can bind nc to these ports, it could probably be a
>> >> >> false positive, so in the next mail you can send me (or to
>> >> >> the list if you wish to make public the information) the
>> >> >> output of
>> >> >>
>> >> >> ifconfig -a
>> >> >>
>> >> >> Thanks!
>> >> >>
>> >> >> 2011/7/27 Vincent McIntyre <vincent.mcint...@gmail.com>:
>> >> >> > Hi
>> >> >> >
>> >> >> > running rkhunter 1.3.8 on Linux.
>> >> >> >
>> >> >> > I'm seeing warnings from unhide (version 20080519), eg
>> >> >> >
>> >> >> > Warning: Hidden ports found:
>> >> >> > Port number: 45812
>> >> >> > Port number: 895
>> >> >> > Port number: 900
>> >> >> >
>> >> >> > and wondering what to do about them.
>> >> >> > Repeated runs of unhide-tcp show that only the last two
>> >> >> > ports above are persistent.
>> >> >> >
>> >> >> > There's not a lot of information to go on in the output
>> >> >> > above and the unhide manpages are ... terse.
>> >> >> >
>> >> >> > tcpdumping while running unhide doesn't show any
>> >> >> > activity on the ports above. It's not even clear which
>> >> >> > interface unhide is referring to - lo or eth0. I'm
>> >> >> > assuming eth0.
>> >> >> >
>> >> >> > Any advice would be helpful.
>> >> >> > Cheers
>> >> >> > Vince
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
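
Added example (not part of the original thread, and not Unhide's own code): the manual check discussed above, combining the `nc -l` bind test with the `netstat -tanp` listing, so that a port is only called hidden when bind fails and the kernel's socket table does not list it. The function names and the sample `/proc/net/tcp` text are constructed for illustration.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed), not data from the thread.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002
   2: 0100007F:0016 0100007F:D5A2 01 00000000:00000000 00:00000000 00000000     0        0 11003
"""

def visible_local_ports(proc_text):
    """Local ports of every TCP socket the kernel lists, in any state."""
    ports = set()
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or blank line
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def bind_refused(port, host="0.0.0.0"):
    """True if bind() fails with EADDRINUSE, the error behind nc's 'Address already in use'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise  # e.g. EACCES below port 1024: rerun as root, says nothing about the port
    finally:
        sock.close()

def classify(ports, proc_text, probe=bind_refused):
    """Label each port: 'free', 'visible' (in use and listed) or 'hidden' (in use, not listed)."""
    visible = visible_local_ports(proc_text)
    labels = {}
    for port in ports:
        if not probe(port):
            labels[port] = "free"  # bind works, so an earlier warning was likely a false positive
        else:
            labels[port] = "visible" if port in visible else "hidden"
    return labels

if __name__ == "__main__":
    listing = "".join(open(p).read() for p in ("/proc/net/tcp", "/proc/net/tcp6"))
    print(classify([895, 900], listing))
```

A port that is labelled hidden only once can be a race with a short-lived socket, which is why the original report's distinction between transient and persistent ports across repeated runs matters.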