Re: Big traffic on 412/tcp

From: zeno (bugtraq@cgisecurity.net)
Date: 04/24/02


From: zeno <bugtraq@cgisecurity.net>
To: karn@routehero.com (Scott T. Cameron)
Date: Wed, 24 Apr 2002 14:18:11 -0400 (EDT)


>
> At least under FreeBSD, I've often found that 'sockstat' is a much more useful program than lsof.

I never used it until you mentioned it. lsof gives more information but sockstat makes it more readable.
Also a rootkit is more likely to replace lsof than sockstat. Another reason to use both.

- zeno@cgisecurity.com

>
> Regards,
> Scott T. Cameron
>
>
> On Wed, Apr 24, 2002 at 10:52:29AM -0700, H C wrote:
> >
> > > Does anyone know what they transport on this port ?
> >
> > Not off the top of my pointed head, but if you go to
> > the machine and run your tool of choice, you'll likely
> > find out:
> >
> > Linux/*nix: lsof, fuser
> > WinNT/2: fport
> > XP: netstat -ano
> >
> > Simply get the PID of the process using the port. In
> > the case of Windows systems, listdlls will not only
> > give you the modules (DLLs) used by the process, but
> > also the command line that was used to launch it.
> >
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
> >

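The procedure the thread describes (get the PID bound to the port with lsof, fuser or sockstat, then trust no single tool because a rootkit may have replaced one of them) as an added example that is not part of the original mail exchange. It parses lsof-style and sockstat-style listings for a given port and compares the answers; a disagreement between the two tools is the case worth a closer look. All listing text below is constructed for the example, and the `live_pids` function uses only the standard flags of lsof, FreeBSD sockstat and psmisc fuser, skipping any tool that is not installed.

```shell
#!/bin/sh
# Added example (not from the thread): find the PID bound to a TCP port from
# lsof- and sockstat-style output, then cross-check the two answers, as zeno
# suggests. All sample output below is constructed, not captured from a host.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output.
LSOF_SAMPLE='COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     843   root    3u  IPv4 0xa1a1      0t0  TCP *:22 (LISTEN)
svc      1337  daemon  5u  IPv4 0xb2b2      0t0  TCP *:412 (LISTEN)'

# Constructed sample of FreeBSD `sockstat -4 -l` output for the same host.
SOCKSTAT_SAMPLE='USER     COMMAND  PID   FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root     sshd     843   3  tcp4   *:22           *:*
daemon   svc      1337  5  tcp4   *:412          *:*'

# Constructed sample of what a second tool reports when the 412/tcp listener
# is missing from its view (e.g. the binary was replaced and filters it out).
SOCKSTAT_HIDDEN='USER     COMMAND  PID   FD PROTO  LOCAL ADDRESS  FOREIGN ADDRESS
root     sshd     843   3  tcp4   *:22           *:*'

# pid_from_lsof PORT: read lsof output on stdin, print PIDs whose NAME column
# (field 9, e.g. "*:412") ends in ":PORT". The header line is skipped.
pid_from_lsof() {
    awk -v port="$1" 'NR > 1 && $9 ~ (":" port "$") { print $2 }'
}

# pid_from_sockstat PORT: same for sockstat output, where the local address is
# field 6 and the PID is field 3.
pid_from_sockstat() {
    awk -v port="$1" 'NR > 1 && $6 ~ (":" port "$") { print $3 }'
}

# compare_pids LSOF_PIDS SOCKSTAT_PIDS: print a verdict. Exit 0 when both tools
# name the same process, 1 when neither sees the port, 2 when they disagree,
# which is the case to investigate (hidden process, or a trojaned tool).
compare_pids() {
    if [ -z "$1" ] && [ -z "$2" ]; then
        echo "nothing bound"; return 1
    elif [ "$1" = "$2" ]; then
        echo "agree pid=$1"; return 0
    else
        echo "mismatch lsof=[$1] sockstat=[$2]"; return 2
    fi
}

# check_samples PORT SOCKSTAT_TEXT: run the whole comparison on the constructed
# samples; only the sockstat side varies so the hidden case can be shown.
check_samples() {
    a=$(printf '%s\n' "$LSOF_SAMPLE" | pid_from_lsof "$1")
    b=$(printf '%s\n' "$2" | pid_from_sockstat "$1")
    compare_pids "$a" "$b"
}

# live_pids PORT: on a real host, ask whichever tools are installed. The flags
# are the standard ones for lsof, sockstat (FreeBSD) and fuser (psmisc); a
# tool that is absent is skipped rather than treated as an error.
live_pids() {
    port=$1
    if command -v lsof >/dev/null 2>&1; then
        echo "lsof: $(lsof -nP -iTCP:"$port" -sTCP:LISTEN | pid_from_lsof "$port" | sort -u | tr '\n' ' ')"
    fi
    if command -v sockstat >/dev/null 2>&1; then
        echo "sockstat: $(sockstat -4 -l | pid_from_sockstat "$port" | sort -u | tr '\n' ' ')"
    fi
    if command -v fuser >/dev/null 2>&1; then
        echo "fuser: $(fuser -n tcp "$port" 2>/dev/null | tr -s ' ')"
    fi
}

echo "412 with a consistent view: $(check_samples 412 "$SOCKSTAT_SAMPLE")"
echo "412 when one tool hides it: $(check_samples 412 "$SOCKSTAT_HIDDEN")"
echo "443 (unused in the samples): $(check_samples 443 "$SOCKSTAT_SAMPLE")"
```

On a suspect host the comparison step matters more than the parsing: run `live_pids 412` and feed each tool's PID list to `compare_pids`, and if the lists differ, or a PID that a listing names does not exist in `ps`, treat the host's own tools as untrustworthy and confirm from the outside (a packet capture on a neighbouring host, or the binaries compared against known-good copies).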
