Date: Sat, 4 Sep 1999 21:00:07 +0100
From: Dominic Mitchell
To: Alexey Zelkin
Cc: "N. N.M" , freebsd-security@FreeBSD.ORG
Subject: Re: Tracing open ports on FreeBSD
Message-ID: <19990904210006.A73676@voodoo.pandhm.co.uk>
References: <19990904112855.43007.qmail@hotmail.com> <19990904150006.A2526@scorpion.crimea.ua>
In-Reply-To: <19990904150006.A2526@scorpion.crimea.ua>; from Alexey Zelkin on Sat, Sep 04, 1999 at 03:00:06PM +0400

On Sat, Sep 04, 1999 at 03:00:06PM +0400, Alexey Zelkin wrote:
> On Sat, Sep 04, 1999 at 04:28:53AM -0700, N. N.M wrote:
>
> > 1) I realized that the TCP ports of 6010,6011,6012 and 6013 are openly
> > listening on my FreeBSD box. I don't know how this has happened, as they
> > were not open before. They are related to X11 as far as I know. But I had
> > already disabled XDM in /etc/ttys file. Could anybody tell me how I can
> > disable this stuff? Or how they could get opened and listening?

Most likely an ssh connection... ssh has numbered X servers.

> > 2) This is some time that two UDP ports have got opened as well. Again, I
> > don't have any idea on how they have got enabled. The ports are 1352 and
> > 2699. Generally, how I can trace when a port gets suddenly enabled?
>
> I can propose idea how to understand which process used this port.
>
> for example -- how to find process which opened port 80 (aka http)

If you're running a fairly recent FreeBSD (it was in 3.2), the sockstat
utility will do this for you.

-- 
Dom Mitchell -- Palmer & Harvey McLane -- Unix Systems Administrator
"Ordinary folks who don't understand computers don't deserve to be mocked.
Ordinary people who want to use their computers but refuse to learn anything
about them do." -- slashdot comment
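
Added example, not part of the original message: a filter over sockstat output that names the process behind each listening port and marks sshd listeners at TCP 6010 and above as X11 forwarding displays (port 6000 + display number, with sshd numbering displays from its default offset of 10). The function names, the sample listing and the `exampled` process are constructed; the column layout USER COMMAND PID FD PROTO LOCAL FOREIGN and the 6000-6063 X11 range are assumptions.

```shell
#!/bin/sh
# Added example: map listening sockets to the process that owns them.
# Input is sockstat output, e.g. from `sockstat -4 -l` on a current FreeBSD
# (assumed columns: USER COMMAND PID FD PROTO LOCAL FOREIGN).

# sample_sockstat: constructed listing so the example runs offline.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
alice    sshd       733   9  tcp4   127.0.0.1:6010        *:*
bob      sshd       801   9  tcp4   *:6011                *:*
www      httpd      560   4  tcp4   *:80                  *:*
nobody   exampled   990   5  udp4   *:1352                *:*
EOF
}

# classify_listeners (hypothetical helper): prints one line per socket as
#   PROTO PORT COMMAND PID USER NOTE
classify_listeners() {
    awk '
    NF < 6 { next }                        # skip short or malformed rows
    {
        n = split($6, part, ":")           # the port follows the last colon
        if (part[n] !~ /^[0-9]+$/) next    # header row or unbound socket
        port = part[n] + 0
        note = "-"
        if ($5 ~ /^tcp/ && port >= 6000 && port <= 6063) {
            # Conventional X11 range (assumption). sshd forwarding uses
            # 6000 + display, and displays start at offset 10 by default.
            if ($2 == "sshd" && port >= 6010)
                note = "x11-forward-display-" (port - 6000)
            else
                note = "x11-range-not-sshd"
        }
        print $5, port, $2, $3, $1, note
    }'
}

# Stand-alone run over the constructed sample.
sample_sockstat | classify_listeners
```

On a live host, pipe the real sockstat listing into classify_listeners in place of sample_sockstat.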