Dear,
I have a strange problem. I have located on my FreeBSD machine a listening port 600/tcp6 which cannot be traced back to a process.
I have tried to locate the process that has opened this port, but as you see in the attached code, nothing happened. I believe that this port has been opened by a kernel module. I also attach the kldstat. Is this port opened by a legit kernel module (and if yes, which?). Otherwise, is it a rootkit and has my machine been somehow hacked (it is used for nginx and rtorrent and it is located on a fast line)? How can I trace the offending program that listens on this port?
I haven't rebooted the system, because I would like to investigate it further. If no suggestions are posted for 1 week, I will reboot and see if this port is opened again.
Code:
[root@xxx ~]# netstat -an |grep 600
tcp6       0      0 *.600                  *.*                    LISTEN
[root@xxx ~]# sockstat |grep :600
?        ?          ?     ?  tcp6   *:600                 *:*
[root@xxx ~]# lsof -n -s -P | grep ':600 '
lsof: WARNING: compiled for FreeBSD release 11.2-RELEASE-p7; this is 11.2-RELEASE-p8.
[root@xxx ~]# uname -a
FreeBSD xxxxx 11.2-RELEASE-p8 FreeBSD 11.2-RELEASE-p8 #0: Tue Jan 8 21:35:12 UTC 2019     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
[root@xxx ~]# kldstat
Id Refs Address            Size     Name
 1   37 0xffffffff80200000 20647c8  kernel
 2    1 0xffffffff82266000 2d40     coretemp.ko
 3    1 0xffffffff82421000 6fc4     tmpfs.ko
 4    1 0xffffffff82428000 41f0     linprocfs.ko
 5    2 0xffffffff8242d000 2d28     linux_common.ko
 6    1 0xffffffff82430000 195c     linsysfs.ko
 7    4 0xffffffff82432000 20198    ipfw.ko
 8    1 0xffffffff82453000 24a0     if_tap.ko
 9    1 0xffffffff82456000 107a0    dummynet.ko
10    1 0xffffffff82467000 13f0     ipdivert.ko
11    1 0xffffffff82469000 21b0     ipfw_nat.ko
12    1 0xffffffff8246c000 a4f2     libalias.ko
#connecting to the port produces no input...
[root@xxx ~]# telnet -6 ::1 600
Trying ::1...
Connected to localhost.
Escape character is '^]'.
help
?
test
...
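As an added example (not part of the original post), a small Python check that parses `sockstat -46l` output and flags listeners that sockstat cannot attribute to any process, which is exactly what the `?  ?  ?  ?` line above shows; the column layout is assumed to be FreeBSD's USER/COMMAND/PID/FD/PROTO/LOCAL/FOREIGN, and the sample output is constructed.

```python
"""Flag listening sockets that sockstat cannot attribute to a process.

Assumption: FreeBSD `sockstat -46l` column layout
(USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).
"""
import subprocess
from typing import Dict, List

# Constructed sample modelled on the output in the post (not real output).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:80                  *:*
root     nginx      1234  7  tcp6   *:80                  *:*
www      rtorrent   2345  11 tcp4   *:51413               *:*
?        ?          ?     ?  tcp6   *:600                 *:*
"""


def parse_sockstat(text: str) -> List[Dict[str, str]]:
    """Parse sockstat output into one dict per socket line (header skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        user, command, pid, fd, proto, local, foreign = fields[:7]
        rows.append({"user": user, "command": command, "pid": pid, "fd": fd,
                     "proto": proto, "local": local, "foreign": foreign})
    return rows


def orphan_listeners(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """A socket whose USER, COMMAND and PID are all '?' has no userland owner:
    it is held by the kernel (or by something hiding its descriptor) and is
    the one to investigate."""
    return [r for r in rows
            if r["user"] == "?" and r["command"] == "?" and r["pid"] == "?"]


def live_orphans() -> List[Dict[str, str]]:
    """Run sockstat on the local host (FreeBSD only) and report orphans."""
    out = subprocess.run(["sockstat", "-46l"], capture_output=True,
                         text=True, check=True).stdout
    return orphan_listeners(parse_sockstat(out))


if __name__ == "__main__":
    for sock in orphan_listeners(parse_sockstat(SAMPLE_SOCKSTAT)):
        print(f"unattributed listener: {sock['proto']} {sock['local']}")
```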