Ratelucky

1. Mac Find App Listening To Port Iphone
2. Mac Find App Listening To Port Settings
3. Mac Find App Listening To Port Number
4. Mac Find App Listening To Port Computer

Jul 03, 2017  In the CurrPorts window, sort by the “Local Port” column, find the port you’re investigating, and you can see everything—the process name, PID, port, the full path to the process, and so on. To make it even easier, double-click on any process to see every single detail in one window.

• Mac OS X comes with a built in firewall that keeps your computer safe, but some apps and services require you to open ports in your firewall. Discover how to open specific ports on your OS X.
• Jun 06, 2020  What is Listening Port # Network port is identified by its number, the associated IP address, and type of the communication protocol, such as TCP or UDP. Listening port is a network port on which an application or process listens on, acting as a communication endpoint. Each listening port can be open or closed (filtered) using a firewall.
• Jul 31, 2013  Somehow I’ve only noticed now that netstat on Mac OS X cannot show the program name. Actually on Mac OS X, the -p parameter of netstat doesn’t mean program or process but protocol. Also there is no -t parameter but it can be done using -ptcp. $ netstat -an -ptcp grep LISTEN tcp4 0 0 127.0.0.1.10000.
• Aug 22, 2013  First, find out the processes PID that opened tcp port 90, enter: # fuser 80/tcp Sample outputs: 80/tcp: 6 3. Finally, find out process name associated with PID # 3813, enter: # ls -l /proc/12161/exe Sample outputs: lrwxrwxrwx. 1 root root 0 Aug 9 13:28 /proc/12161/exe - /usr/sbin/lighttpd. Find out more about lighttpd.

Click here to return to the 'Show which processes are listening to which ports' hint

Hi,
I followed your instructions and got this :-
GoogleDes 271 ezra 14u IPv4 0x023a0200 0t0 TCP localhost:9011 (LISTEN)
Can you interpret what it means? Thank you.
---
EB

GoogleDes sounds as though it might be GoogleDesktop, do you happen to have that installed?

It's a process called GoogleDes with a pid of 271. The process is owned by user ezra. 14u means it is file descriptor number 14 and is open for update. The file type is an IP v4 socket and the next bit is the address in the kernel of the file structure. The 0t0 is the offset within the file which is a socket (being listened to) so probably meaningless. Finally it is a TCP socket on the localhost interface port 9011 and it's being listened to by the GoogleDes process.
Basically it means GoogleDes is listening for TCP connections on port 9011.

While i haven't installed it on an OS X box yet, i have installed sshdfilter on my linux servers.
it should be possible to make it work under OS X with a little work.
Essentially, it watches the secure log for sshd login attempts. if the user name supplied doesn't exist, instant block of that ip address.
it just goes dead. the script automatically cleans those IP addresses out later at a user defined interval.
it gives you 3 attempts to get a user/password combination to login, before it blocks your IP address. That number is also configurable.
You can find sshdfilter, if you are interested in hacking it apart, on freshmeat.net
No, i am not the author, and am in no way affiliated.
i found it after one of my linux boxes was bruteforced through ssh.
the sshdfilter logs that i have emailed to myself in the morning are always amusing.
it's fun reading a couple dozen lines of 'Instant block of xx.xx.xx.xx, unknown user'
where i used to have hundreds of lines of attempts at user guessing.
oh, and anyone trying to use the root user is blocked instantly as well.

I had high hopes for this as a general tool to see what daemons are running.. but it looks incomplete.
For example on my system it lists the following:
ARDAgent
AppleVNC
SubethaEdit
but not SSHD, or any other services (SMB, WEB, etc).. Am I missing a reason why these services are not showing up?
---
A completely SANE Canadian.

.. and btw, ssh is managed by launchd, so you will only see sshd in the list if there is a current session (somebody is currently logged in)

Good point.
And really, when not run as root this would be almost useless to find 'trojans' (Assuming that it was able to in the first place)
---
A completely SANE Canadian.

This is a great tool in general, but be very careful of trusting this on a hacked machine.
A common technique of hackers is to replace programs like lsof, ps, top, etc., with hacked versions which explicitly don't show any of their trojan processes. So if your machine has been hacked by all means use this to look around and see what happened, but don't trust it to indicate your machine has been cleaned.
The only decently reliably way to clean up from a hack is to re-install the OS from scratch and then copy data over from a backup. (If you restore the OS from a backup you don't have any way of knowing whether the backup was made before or after the hack for the same reasons mentioned above.)

That's all well and good, but that's incomplete advice.

If the user wants to find out what processes are listening on TCP/IP ports, the lsof program will work, albeit with your caveat that the program may be hacked.

Other things that could be done to simply check for listeners which are not as drastic as a complete system reinstall would be:

• attempt to locate a program like lsof on the OS X install disk, if possible, by exploring the base install packages
• transfer the image from another OS X system that you know for sure isn't compromised
• Find the sources to the utility and compile it yourself

Once you have a 'known good' copy, you can run it to check out if anything is awry.

Oh.. and backup, backup, backup! Free mac software. If you have a smart backup script with incrementals running daily, you might be able to see how and where your system may have been internally compromised (recent edits to files in /usr/bin are a good clue!)

That wouldn't work if the hacker has compromised libraries. You would need a statically linked binary.
What hackers might not do is replace 'Activity Monitor' because unix hackers don't expect apple gui tools.
None-the-less if you have been hacked you need to reinstall the OS. There is no real way around this.
Also turn on your firewall and you might consider 'Little Snitch'.

What is this ?
SECx20He 222 savage 14u IPv4 0x03916b38 0t0 TCP *:49168 (LISTEN)
SECx20He 222 savage 16u IPv4 0x039167e4 0t0 TCP *:23000 (LISTEN)
No idea what these 2 are ?

It's a process whose name begins 'SEC He' and has pid 222. Use Activity monitor to find it.

So my ignorant 'what are these' question is:
What are these?
netinfod 80 root 7u IPv4 0x02ed7e8c 0t0 TCP localhost:netinfo-local (LISTEN)
AppleFile 179 root 30u IPv6 0x02a2bc50 0t0 TCP *:afpovertcp (LISTEN)
AppleFile 179 root 31u IPv4 0x02ed569c 0t0 TCP *:afpovertcp (LISTEN)
cupsd 191 root 0u IPv4 0x02ed713c 0t0 TCP localhost:ipp (LISTEN)
python 679 david 4u IPv4 0x03089740 0t0 TCP localhost:50000 (LISTEN)
firefox-b 1466 david 32u IPv4 0x040e669c 0t0 TCP localhost:50001 (LISTEN)
slpd 3531 root 2u IPv4 0x03f44200 0t0 TCP *:svrloc (LISTEN)
(yeah, I know firefox..)

netinfod - Netinfo (It's from next Step, stores info normally found in the /etc folder, like passwords. Will be replaced by ldap in the future).
AppleFile AFP Daemon, it allows you to connect to afp shares.
cupsd CUPS is an open source print daemon/driver.
python - Are you running any scripts? Look this one up in activity monitor.
slpd - service location protocol, wiki says osx uses this to find network shares.

Are you running Salling Clicker? if so it's SEC Helper.

Thanks for the tip.
On a side note, a great way to shut down these attacks is to setup key authentication, then disable password authentication in /etc/sshd_conf:
PasswordAuthentication no
Don't forget to HUP sshd for the setting to take effect.
--
Cole

that's pretty useless if the state isn't LISTENING (for instance, like , oh, I don't know..ESTABLISHED?) You don't care about what connections are ALL READY going on? OK then, use the suggested command.
lsof -nP | grep TCP
or
lsof -nP | grep UDP
are better by far

So why is Microsoft Word listening on port 3806 (TCP)?

Hi..
sorry but what about:
mysqld 205 nobody 4u IPv4 0x01f62f50 0t0 TCP 127.0.0.1:50701 (LISTEN)
I know it must be MySQL, but being run by 'nobody'?
Could that be a problem?

On the contrary, this is a good thing. Some processes (like mysqld) drop their privileges after launchinf and acquiring a socket to listen on, running under an unprivileged 'nobody' user ID. So if the security of that process is compromised somehow, at least the attacker cannot easily exploit the elevated privileges of that process to do more damage.

I use 'Little Snitch' which handles all this for me.
http://www.obdev.at/products/littlesnitch/

I don't know what I'm doing at all, but I decided to combine two of the suggestions already posted by johnqsmith, tice, and doctype to come up with:

Mac Find App Listening To Port Iphone

sudo lsof -nP | grep TCP
and
sudo lsof -nP | grep UDP
The first one gave me the most information that I could somewhat understand. But in either case, they both gave me more information than any of the other suggestions by themselves.
Using sudo lsof -nP | grep TCP, I got:
mDNSRespo 33 root 11u IPv4 0x0333eca0 0t0 TCP *:* (CLOSED)
netinfod 34 root 7u IPv4 0x02358e8c 0t0 TCP localhost:netinfo-local (LISTEN)
netinfod 34 root 8u IPv4 0x0333f69c 0t0 TCP localhost:netinfo-local->localhost:956 (ESTABLISHED)
netinfod 34 root 10u IPv4 0x023573ec 0t0 TCP localhost:netinfo-local->localhost:1021 (ESTABLISHED)
Directory 45 root 6u IPv4 0x02357740 0t0 TCP localhost:1021->localhost:netinfo-local (ESTABLISHED)
Directory 45 root 11u IPv4 0x02f473ec 0t0 TCP *:* (CLOSED)
Directory 45 root 33u IPv4 0x03340a94 0t0 TCP *:* (CLOSED)
cupsd 367 root 0u IPv4 0x02d587e4 0t0 TCP localhost:ipp (LISTEN)
Safari 2519 admin 25u IPv4 0x02e56d44 0t0 TCP 192.168.2.20:52459->scds77.ord.llnw.net:http (CLOSED)
lookupd 3770 root 6u IPv4 0x02e56348 0t0 TCP localhost:956->localhost:netinfo-local (ESTABLISHED)
And using sudo lsof -i UDP, I got:
mDNSRespo 33 root 7u IPv4 0x01fb1ad0 0t0 UDP *:mdns
mDNSRespo 33 root 8u IPv6 0x01fb1a00 0t0 UDP *:mdns
mDNSRespo 33 root 9u IPv4 0x01fb0340 0t0 UDP 10.0.1.2:52066
mDNSRespo 33 root 12u IPv4 0x01fb0000 0t0 UDP *:mdns
netinfod 34 root 6u IPv4 0x01fb1e10 0t0 UDP localhost:netinfo-local
syslogd 35 root 17u IPv4 0x01fb1d40 0t0 UDP *:*
Directory 45 root 10u IPv4 0x01fb0750 0t0 UDP *:*
Directory 45 root 31u IPv4 0x01fb1860 0t0 UDP *:*
ntpd 193 root 5u IPv4 0x01fb1ba0 0t0 UDP *:ntp
ntpd 193 root 6u IPv4 0x01fb1790 0t0 UDP localhost:ntp
ntpd 193 root 7u IPv4 0x01fb1c70 0t0 UDP 192.168.2.20:ntp

Mac Find App Listening To Port Settings

automount 228 root 8u IPv4 0x01fb0b60 0t0 UDP localhost:1023
automount 234 root 8u IPv4 0x01fb12b0 0t0 UDP localhost:1022
cupsd 367 root 6u IPv4 0x01fb1110 0t0 UDP *:ipp
While I don't know what all that means, what I can do is run these commands randomly and keep a log of the results. So I'd then have something to compare with if I'm concerned that something is not going right.
I think what might work is to log into my 'clean admin' account, run both commands, and log what came up. Then I'd have a baseline to work with that isn't so highly affected by my personal user activities.
Does anyone see any problems with this?

---
Vicki

In light of that, we offer the following options for you to consider in order to make use of your Neat scanner and/or software: Option 1: Continue using the Retired Desktop SoftwareIf you already using a retired version of Neat, then you can continue using the product as is. Please keep in mind that the retired desktop software is not supported and the installation link for these versions are no longer available. Retired versions of Neat do not require a subscription fee for use. We cannot guarantee the integrity of your data if you choose to continue to use a retired version of Neat. Use neat scanner without software mac.

Mac Find App Listening To Port Number

Never use setuid on a shell script! Simply by making a softlink from your script to a file named '-i', anyone can root you. Google it for details, but basically adding #!/bin/sh to the beginning of the file will cause the shell to take the name of the script ($0) and create a new command with /bin/sh and then the name of the script. If the filename of the script is -i, then the command becomes '/bin/sh -i', and your attacker just got an interactive root shell.

-->

Applies to: Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2008 R2

When you connect to a computer (either a Windows client or Windows Server) through the Remote Desktop client, the Remote Desktop feature on your computer 'hears' the connection request through a defined listening port (3389 by default). You can change that listening port on Windows computers by modifying the registry.

1. Start the registry editor. (Type regedit in the Search box.)
2. Navigate to the following registry subkey:HKEY_LOCAL_MACHINESystemCurrentControlSetControlTerminal ServerWinStationsRDP-TcpPortNumber
3. Click Edit > Modify, and then click Decimal.
4. Type the new port number, and then click OK.
5. Close the registry editor, and restart your computer.

Mac Find App Listening To Port Computer

The next time you connect to this computer by using the Remote Desktop connection, you must type the new port. If you're using a firewall, make sure to configure your firewall to permit connections to the new port number.