Dear,
I have a strange problem. I have located on my FreeBSD machine a listening port 600/tcp6 which cannot be traced back to a process.
I have tried to locate the process that has opened this port, but as you see in the attached code, nothing happened. I believe that this port has been opened by a kernel module. I also attach the kldstat. Is this port opened by a legit kernel module (and if yes, which?). Otherwise, is it a rootkit, and has my machine somehow been hacked (it is used for nginx and rtorrent and it is located on a fast line)? How can I trace the offending program that listens on this port?
I haven't rebooted the system, because I would like to investigate it further. If no suggestions are posted for 1 week, I will reboot and see if this port is opened again.
Code:
[root@xxx ~]# netstat -an |grep 600
tcp6 0 0 *.600 *.* LISTEN
[root@xxx ~]# sockstat |grep :600
? ? ? ? tcp6 *:600 *:*
[root@xxx ~]# lsof -n -s -P | grep ':600 '
lsof: WARNING: compiled for FreeBSD release 11.2-RELEASE-p7; this is 11.2-RELEASE-p8.
[root@xxx ~]# uname -a
FreeBSD xxxxx 11.2-RELEASE-p8 FreeBSD 11.2-RELEASE-p8 #0: Tue Jan 8 21:35:12 UTC 2019 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64
[root@xxx ~]# kldstat
Id Refs Address Size Name
1 37 0xffffffff80200000 20647c8 kernel
2 1 0xffffffff82266000 2d40 coretemp.ko
3 1 0xffffffff82421000 6fc4 tmpfs.ko
4 1 0xffffffff82428000 41f0 linprocfs.ko
5 2 0xffffffff8242d000 2d28 linux_common.ko
6 1 0xffffffff82430000 195c linsysfs.ko
7 4 0xffffffff82432000 20198 ipfw.ko
8 1 0xffffffff82453000 24a0 if_tap.ko
9 1 0xffffffff82456000 107a0 dummynet.ko
10 1 0xffffffff82467000 13f0 ipdivert.ko
11 1 0xffffffff82469000 21b0 ipfw_nat.ko
12 1 0xffffffff8246c000 a4f2 libalias.ko
#connecting to the port produces no input...
[root@xxx ~]# telnet -6 ::1 600
Trying ::1...
Connected to localhost.
Escape character is '^]'.
help
?
test
...
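Added example (not from the original post): a small POSIX sh check that flags listening sockets which sockstat cannot attribute to any process, the exact symptom shown above. The sockstat lines are constructed sample data, and `find_orphan_listeners` / `check_orphans` are hypothetical helper names; on a live FreeBSD host the input would come from `sockstat -46l`.

```shell
#!/bin/sh
# Detect listening sockets that sockstat reports with no owning process
# (USER, COMMAND and PID all shown as "?"). Such sockets are either kernel
# owned (e.g. opened by a module) or hidden from userland, so they deserve
# a second look. Live use on FreeBSD:  sockstat -46l | check_orphans

# Constructed sample of `sockstat -46l` output (not captured from the poster's host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     nginx      1234  6  tcp4   *:80                  *:*
root     nginx      1234  7  tcp6   *:80                  *:*
rtorrent rtorrent   2201  12 tcp4   *:51413               *:*
?        ?          ?     ?  tcp6   *:600                 *:*
root     sshd       881   4  tcp6   *:22                  *:*'

# Reads sockstat lines on stdin and prints "PROTO LOCAL-ADDRESS" for every
# row whose USER, COMMAND and PID columns are all "?". NR > 1 skips the header.
# (Hypothetical helper name.)
find_orphan_listeners() {
    awk 'NR > 1 && $1 == "?" && $2 == "?" && $3 == "?" { print $5, $6 }'
}

# Reads sockstat lines on stdin. Prints each unattributed listener and returns
# 1 if any were found, 0 if the socket table is fully attributed, so the
# function can drive a periodic cron or monitoring check. (Hypothetical name.)
check_orphans() {
    orphans=$(find_orphan_listeners)
    if [ -n "$orphans" ]; then
        printf '%s\n' "$orphans" | sed 's/^/UNATTRIBUTED LISTENER: /'
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample: exit status 1 means "investigate".
printf '%s\n' "$SAMPLE_SOCKSTAT" | check_orphans \
    || echo "Compare kldstat against a known-good module list for this host."
```

Run the same check from a clean boot of the same release to get a baseline; a listener that appears only on the running system and never on a fresh boot is the one to chase.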