[SOLVED] mystery program

darthaxul · 12-21-2013, 05:04 AM

encountered this weird process that is showing up when I run netstat...
netstat -anep
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:16385 0.0.0.0:* LISTEN 0 3076 -
so I run find -inum 3076 and four files show up
I end up rebooting then same tcp/port is listening but diffrent inode this time. I run find again and four different files show up this time. So I launch rkhunter and everything comes back clean. Now I'm wondering what this mysterious program is. Then I noticed another connection showing up as...
raw 0 0 0.0.0.0:1 0.0.0.0:* 7

but eventually went away. but the other one for port 16385 is still showing up.

berndbausch · 12-21-2013, 08:46 AM

Quote:

Originally Posted by darthaxul

encountered this weird process that is showing up when I run netstat...
netstat -anep
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:16385 0.0.0.0:* LISTEN 0 3076 -
so I run find -inum 3076 and four files show up
I end up rebooting then same tcp/port is listening but diffrent inode this time. I run find again and four different files show up this time. So I launch rkhunter and everything comes back clean. Now I'm wondering what this mysterious program is. Then I noticed another connection showing up as...
raw 0 0 0.0.0.0:1 0.0.0.0:* 7

but eventually went away. but the other one for port 16385 is still showing up.

Perhaps lsof -i is more successful in reporting the process.
I doubt that find can find sockets. What you found was files in different filesystems that happened to have the same inode number as the socket by accident.

darthaxul · 12-21-2013, 04:06 PM

It was just some stupid RDS protocol built into the kernel.