extra open ports in rkhunter
Carl Johnson
carlj at peak.org
Sun Sep 19 03:59:49 UTC 2010
Chuck Swiger <cswiger at mac.com> writes:
> Hi--
>
> On Sep 18, 2010, at 4:27 PM, Carl Johnson wrote:
>> The following are the ports if anybody has any ideas, but I would also like to know how to trace them down myself:
>>
>> tcp4 0 0 *.876 *.* LISTEN
>> tcp6 0 0 *.921 *.* LISTEN
>> udp4 0 0 *.608 *.*
>> udp6 0 0 *.952 *.*
>> udp6 0 0 *.804 *.*
>
> Try:
>
> lsof -i tcp:876
>
> ...and so forth for the other ports; this will give you the process ID of whatever is holding that socket.

lsof -i doesn't show any of those five ports. It seems to show the same
ones as sockstat. I should have mentioned previously that I verified
the tcp ports were open with nmap, but that wouldn't tell me what they
were. I haven't figured out how to even verify the udp ports are
connected or open. I also should have mentioned that I don't have any
reason to think that my system is infected, but I just wanted to
understand the difference.

Thanks for the reply. I had completely forgotten about lsof.
--
Carl Johnson carlj at peak.org
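
An added example, not part of the original message: one way to list the sockets that netstat reports but that sockstat ties to no process, which is the discrepancy described above. The function names, the sockstat rows and the port 22 line are constructed for illustration; the input is assumed to be `netstat -an` and `sockstat -l` text in FreeBSD's column layout.

```python
# The port 22 line and all SOCKSTAT rows are constructed sample data; the
# other NETSTAT lines are the entries quoted in the message.
NETSTAT = """\
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.876 *.* LISTEN
tcp6 0 0 *.921 *.* LISTEN
udp4 0 0 *.608 *.*
udp6 0 0 *.952 *.*
udp6 0 0 *.804 *.*
"""
SOCKSTAT = """\
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 812 4 tcp4 *:22 *:*
root syslogd 640 7 udp4 *:514 *:*
"""

def _port(addr, sep):
    _, _, port = addr.rpartition(sep)  # text after the last separator
    return int(port) if port.isdigit() else None

def parse_netstat(text):
    """(proto, port) for every listening TCP and unconnected UDP socket."""
    found = set()
    for f in (line.split() for line in text.splitlines()):
        tcp_listen = len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN"
        udp_open = len(f) >= 5 and f[0].startswith("udp") and f[4] == "*.*"
        if tcp_listen or udp_open:
            port = _port(f[3], ".")  # netstat -n joins address and port with "."
            if port is not None:
                found.add((f[0], port))
    return found

def parse_sockstat(text):
    """Map (proto, port) to (command, pid) for rows that name a process."""
    owners = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) < 7 or not f[2].isdigit():  # header, or no numeric PID
            continue
        port = _port(f[5], ":")  # sockstat joins address and port with ":"
        if port is not None:
            owners[(f[4], port)] = (f[1], int(f[2]))
    return owners

def unowned(netstat_text, sockstat_text):
    """Sockets netstat lists that sockstat ties to no process."""
    return sorted(parse_netstat(netstat_text) - set(parse_sockstat(sockstat_text)))

if __name__ == "__main__":
    print(unowned(NETSTAT, SOCKSTAT))
```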
More information about the freebsd-questions mailing list