Cannot identify process of listening port 600/tcp6

Cannot identify process of listening port 600/tcp6

BBlister
Dear,

I am trying to identify what process is listening on port 600/tcp6.

I have tried:
# lsof -n -P | grep :600
#
--nothing

# sockstat -a | grep :600
?        ?          ?     ?  tcp6   *:600                 *:*


# netstat -an | grep 600
tcp6       0      0 *.600                  *.*                    LISTEN


I can connect to this port, but I receive no output to my commands:
# telnet ::1 600
Trying ::1...
Connected to localhost.
Escape character is '^]'.
help
?
test


My uname:
# uname -a
FreeBSD XXX 11.2-RELEASE-p8 FreeBSD 11.2-RELEASE-p8 #0: Tue Jan  8 21:35:12
UTC 2019     [hidden email]:/usr/obj/usr/src/sys/GENERIC
amd64

# kldstat
Id Refs Address            Size     Name
 1   37 0xffffffff80200000 20647c8  kernel
 2    1 0xffffffff82266000 2d40     coretemp.ko
 3    1 0xffffffff82421000 6fc4     tmpfs.ko
 4    1 0xffffffff82428000 41f0     linprocfs.ko
 5    2 0xffffffff8242d000 2d28     linux_common.ko
 6    1 0xffffffff82430000 195c     linsysfs.ko
 7    4 0xffffffff82432000 20198    ipfw.ko
 8    1 0xffffffff82453000 24a0     if_tap.ko
 9    1 0xffffffff82456000 107a0    dummynet.ko
10    1 0xffffffff82467000 13f0     ipdivert.ko
11    1 0xffffffff82469000 21b0     ipfw_nat.ko
12    1 0xffffffff8246c000 a4f2     libalias.ko



Perhaps this is a kernel module, but which? Is this a strange rootkit? I did
not reboot the machine, because I would like to locate the offending process
first. This box runs nginx and rtorrent.

Thanks!



_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[hidden email]"
Re: Cannot identify process of listening port 600/tcp6

Polytropon
On Sat, 16 Feb 2019 10:43:20 -0700 (MST), BBlister wrote:
> I am trying to identify what process is listening on port 600/tcp6.

Judging from /etc/services, this could be an IPC (inter-process
communication) server, and IPC usually is a matter of the kernel...


--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: Cannot identify process of listening port 600/tcp6

BBlister

Is there any way that I can verify and locate the server? And not by
removing kernel modules and watching if the open port 600 will disappear,
but with a program similar to lsof for kernel services...



Re: Cannot identify process of listening port 600/tcp6

Michał Jędrzejczak-3
Hi

sockstat ?

MJ

> On 16 Feb 2019, at 19:28, BBlister <[hidden email]> wrote:
>
>
> Is there any way that I can verify and locate the server? And not by
> removing kernel modules and watching if the open port 600 will disappear,
> but with a program similar to lsof for kernel services...
>
>
>

Re: Cannot identify process of listening port 600/tcp6

BBlister
 
I have already tried sockstat (as well as lsof), as shown in my original
message...



Re: Cannot identify process of listening port 600/tcp6

BBlister
From FreeBSD Forums
https://forums.freebsd.org/threads/listening-port-600-tcp6-cannot-be-mapped-to-process-am-i-hacked.69624/#post-417787

> You could make the firewall log activity on that port.
> Also, you can use tcpdump to analyze the content of the datagrams.
> If I recall correctly, nmap has a service discovery mode and it can try to
> detect what exactly is listening on > the port.
>

My reply:
I have executed tcpdump for 24 hours but I couldn't receive/send any packet
destined for that port. This is a passive way of detecting what is
happening, and involves reverse engineering, because the datagram may be
encrypted.

It is difficult to wait for a packet to arrive or depart on port 600 (maybe
it is a trojan waiting to be activated?).

I find it strange that FreeBSD does not have a tool to detect kernel
listening sockets and the only way to detect what is happening is just by
sniffing and trying to figure out the datagrams.


What should I try next?



Re: Cannot identify process of listening port 600/tcp6

Doug Hardie
> On 17 February 2019, at 22:56, BBlister <[hidden email]> wrote:
>
> From FreeBSD Forums
> https://forums.freebsd.org/threads/listening-port-600-tcp6-cannot-be-mapped-to-process-am-i-hacked.69624/#post-417787
>
>> You could make the firewall log activity on that port.
>> Also, you can use tcpdump to analyze the content of the datagrams.
>> If I recall correctly, nmap has a service discovery mode and it can try to
>> detect what exactly is listening on > the port.
>>
>
> My reply:
> I have executed tcpdump for 24 hours but I couldn't receive/send any packet
> destined for that port. This is a passive way of detecting what is
> happening, and involves reverse engineering, because the datagram may be
> encrypted.
>
> It is difficult to wait for a packet to arrive or depart on port 600 (maybe
> it is a trojan waiting to be activated?).
>
> I find it strange that FreeBSD does not have a tool to detect kernel
> listening sockets and the only way to detect what is happening is just by
> sniffing and trying to figure out the datagrams.
>
>
> What should I try next?

Possibly https://www.linuxquestions.org/questions/linux-security-4/nessus-security-notes-about-ipcserver-port-600-a-339908/ might provide some helpful information.

Re: Cannot identify process of listening port 600/tcp6

BBlister


On the referenced URL, they are suggesting to use netstat -anp, which is
not applicable to FreeBSD (parameter -p is not valid). Also, they suggest
using ps.


My process listing (only the executables, using
ps axuw | awk '{print $11}' | sort | uniq):

-csh
[audit]
[bufdaemon]
[bufspacedaemon]
[cam]
[crypto
[crypto]
[geom]
[idle]
[intr]
[kernel]
[pagedaemon]
[pagezero]
[rand_harvestq]
[sctp_iterator]
[soaiod1]
[soaiod2]
[soaiod3]
[soaiod4]
[syncer]
[usb]
[vmdaemon]
[vnlru]
/sbin/devd
/sbin/init
/sbin/natd
/usr/libexec/getty
/usr/local/bin/3proxy
/usr/local/bin/perl
/usr/local/bin/php-cgi
/usr/local/bin/portsentry
/usr/local/bin/python2.7
/usr/local/bin/rtorrent
/usr/local/bin/screen
/usr/local/sbin/arpwatch
/usr/local/sbin/fcgiwrap
/usr/local/sbin/nmbd
/usr/local/sbin/openvpn
/usr/local/sbin/smartd
/usr/local/sbin/smbd
/usr/local/sbin/winbindd
/usr/sbin/blacklistd
/usr/sbin/cron
/usr/sbin/inetd
/usr/sbin/mountd
/usr/sbin/rpc.lockd
/usr/sbin/rpc.statd
/usr/sbin/rpcbind
/usr/sbin/rtsold
/usr/sbin/syslogd
/usr/sbin/unbound
adjkerntz
awk
bash
daemon:
diskcheckd:
nfscbd:
nfsd:
nginx:
ps
sendmail:
sort
sshd:
sudo
tcpdump
tcpdump:
uniq



My kldstat
 1   37 0xffffffff80200000 20647c8  kernel
 2    1 0xffffffff82266000 2d40     coretemp.ko
 3    1 0xffffffff82421000 6fc4     tmpfs.ko
 4    1 0xffffffff82428000 41f0     linprocfs.ko
 5    2 0xffffffff8242d000 2d28     linux_common.ko
 6    1 0xffffffff82430000 195c     linsysfs.ko
 7    4 0xffffffff82432000 20198    ipfw.ko
 8    1 0xffffffff82453000 24a0     if_tap.ko
 9    1 0xffffffff82456000 107a0    dummynet.ko
10    1 0xffffffff82467000 13f0     ipdivert.ko
11    1 0xffffffff82469000 21b0     ipfw_nat.ko
12    1 0xffffffff8246c000 a4f2     libalias.ko



and for ipcs I see that everything is empty:

# ipcs
Message Queues:
T           ID          KEY MODE        OWNER    GROUP

Shared Memory:
T           ID          KEY MODE        OWNER    GROUP

Semaphores:
T           ID          KEY MODE        OWNER    GROUP



# ipcs  -y
Message Queues:
T           ID          KEY MODE        OWNER    GROUP

Shared Memory:
T           ID          KEY MODE        OWNER    GROUP

Semaphores:
T           ID          KEY MODE        OWNER    GROUP


#


Also I mounted procfs on /proc (# mount -t procfs proc /proc) and searched for
600 but I did not find anything useful ( grep -R '600' * |& less ).




I am open to suggestions... I have not rebooted the machine yet.
By the way, I see that I have two unknown listening ports, 600/tcp6 and
601/tcp4.

tcpdump has not shown any traffic yet to these ports.





Re: Cannot identify process of listening port 600/tcp6

mdtancsa
On 2/16/2019 12:43 PM, BBlister wrote:

> I have tried:
> # lsof -n -P | grep :600
> #
> --nothing
>
> # sockstat -a | grep :600
> ?        ?          ?     ?  tcp6   *:600                 *:*
>
>
> # netstat -an | grep 600
> tcp6       0      0 *.600                  *.*                    LISTEN
>
>
> Perhaps this is a kernel module, but which? Is this a strange rootkit? I did
> not reboot the machine, because I would like to locate the offending process
> first. This box runs nginx and rtorrent.

I see the same thing with rpc.lockd.

# ps -auxw | grep rpc
root       948    0.0  0.0 285572  6180  -  Is   Fri11       0:00.10
/usr/sbin/rpc.statd
root       951    0.0  0.0  23448  6164  -  Ss   Fri11       0:00.11
/usr/sbin/rpc.lockd
root     40566    0.0  0.0  11264  2608  0  S+   10:54       0:00.00
grep rpc
# sockstat -vL | grep 929
?        ?          ?     ?  tcp4   *:929                 *:*
# kill 948
# sockstat -vL | grep 929
?        ?          ?     ?  tcp4   *:929                 *:*
# kill 951
# ps -auxw | grep rpc
root     40572    0.0  0.0 11264  2608  0  S+   10:54       0:00.00 grep rpc
# sockstat -vL | grep 929
#

I don't get why sockstat can't identify them? It's a userland process, no?

    ---Mike




--
-------------------
Mike Tancsa, tel +1 519 651 3400 x203
Sentex Communications, [hidden email]
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada  

Re: Cannot identify process of listening port 600/tcp6

BBlister
Yes, you are right. If I kill rpc.lockd the two listening ports disappear. If
I re-execute it, then I can see two new unknown listening ports on other
locations. For example, now I have 815/tcp4 and 874/tcp6.

So I believe I should ask freebsd-hackers why rpc.lockd cannot be
listed by sockstat or lsof (which means that this could be a way for a
malicious process to do exactly what lockd does and open ports without being
identified).

Thanks mdtancsa for your valuable tip.



Re: Cannot identify process of listening port 600/tcp6

Greg Veldman-3
On Tue, Feb 19, 2019 at 11:53:24AM -0700, BBlister wrote:
> Yes you are right. If I kill rpc.lockd the two listening ports disappear. If
> I re-execute, then I can see two new unknown listening ports on other
> locations. For example, now I have  815/tcp4 and 874/tcp6 .
>
> So I believe I should ask the freebsd-hackers which rpc.lockd cannot be
> listed on the sockstat or lsof (which means that this could be a way for a
> malicious process to do exactly what lockd does and open ports without being
> identified).

rpcinfo -p on the host should show you all running RPC services
and the port they're listening on.  It's another good thing to
check besides lsof/sockstat when looking for open ports.

--
Greg Veldman
[hidden email]
Re: Cannot identify process of listening port 600/tcp6

BBlister

The rpcinfo -p does appear to be useful but not entirely, because still some
ports are hidden.

For example, on my machine I have two listening sockets
815/tcp4 and 874/tcp6

# netstat -an | grep -E '874|815'
tcp4       0      0 *.815                  *.*                    LISTEN
tcp6       0      0 *.874                  *.*                    LISTEN

sockstat reports ?
# sockstat | grep -E '874|815'
?        ?          ?     ?  tcp4   *:815                 *:*
?        ?          ?     ?  tcp6   *:874                 *:*

rpcinfo -p reports just one port
# rpcinfo -p| grep -E '874|815'
    100021    0   tcp    815  nlockmgr
    100021    1   tcp    815  nlockmgr
    100021    3   tcp    815  nlockmgr
    100021    4   tcp    815  nlockmgr


The 874/tcp6 port, which belongs to rpc.lockd, does not appear on this list.
Is rpcinfo only for IPv4, and if yes, what tool do I use for IPv6?

Thanks for your hint Greg Veldman-3





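The checks the thread converges on (sockstat rows whose owner is "?" compared against the rpcinfo -p registrations) folded into one triage script, added here as an example rather than code from the thread or from FreeBSD; the sockstat -46l and rpcinfo -p output it parses are constructed samples embedded inline, mirroring the rows shown above.

```shell
#!/bin/sh
# Added example: correlate unattributed listeners with portmapper registrations.
# Both inputs below are constructed samples in the format the thread shows;
# on a live box replace them with "$(sockstat -46l)" and "$(rpcinfo -p)".
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
www      nginx      801   6  tcp4   *:80                  *:*
?        ?          ?     ?  tcp4   *:815                 *:*
?        ?          ?     ?  tcp6   *:874                 *:*
?        ?          ?     ?  tcp4   *:2049                *:*'

RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100021    0   tcp    815  nlockmgr
    100021    4   tcp    815  nlockmgr
    100003    3   tcp   2049  nfs'

# orphan_ports: "proto port" for each listener whose owner sockstat prints as "?".
# The port is the last colon-separated field, so IPv6 literals are handled too.
orphan_ports() {
    printf '%s\n' "$1" | awk '$1 == "?" && $2 == "?" {
        n = split($6, a, ":"); print $5, a[n] }'
}

# rpc_ports: "port service" for each registration in the version 2 dump.
rpc_ports() {
    printf '%s\n' "$1" | awk '$4 ~ /^[0-9]+$/ { print $4, $5 }' | sort -u
}

# classify_orphans: tag each orphan listener as "RPC <service>" or "UNEXPLAINED".
# rpcinfo -p carries only IPv4 registrations, so an IPv6 RPC listener such as
# lockd's tcp6 port lands in UNEXPLAINED; confirm with plain rpcinfo (v3 dump).
classify_orphans() {
    orphan_ports "$1" | while read -r proto port; do
        svc=$(rpc_ports "$2" | awk -v p="$port" '$1 == p { print $2; exit }')
        if [ -n "$svc" ]; then
            echo "$proto $port RPC $svc"
        else
            echo "$proto $port UNEXPLAINED"
        fi
    done
}

classify_orphans "$SOCKSTAT_SAMPLE" "$RPCINFO_SAMPLE"
```

Because rpcinfo -p speaks version 2 of the portmapper protocol, which registers only IPv4 transports, an IPv6 RPC listener like the thread's 874/tcp6 is reported UNEXPLAINED here; plain rpcinfo with no -p queries rpcbind version 3 and lists tcp6/udp6 netids as well, so check that before treating such a port as suspicious.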