The macosxhints Forums


Yogi Cool 10-09-2004 10:32 AM

Strange open ports
 
Hi,

I used Network Utility and found out that my computer has open ports that I never configured in my firewall... How come? Could anybody have a look at it and tell me if it can be a threat? Thank you in advance! I use XDonkey (4662).

Port Scanning host: 10.0.1.2

Open Port: 1213
Open Port: 4000
Open Port: 4001
Open Port: 4002
Open Port: 4080
Open Port: 4662
Open Port: 6346
Open Port: 6881
Open Port: 6882
Open Port: 45100
Port Scan has completed ...

hayne 10-09-2004 11:22 AM

This does seem unusual and might be something to worry about.
You should restart your Mac and make sure none of the programs that do networking (e.g. XDonkey, Mail, Safari) are running. Then run the port scan again.

You can use the following command (in a Terminal window) to see what programs are using the ports:

sudo lsof -i -P

Yogi Cool 10-09-2004 01:46 PM

Hi Hayne,

Thank you for your reply! It was very long but I did what you have suggested: I restarted my Mac and while none of the programs that do networking were running I ran the port scan again, and the result is that no ports were opened. I guess it is a good sign...!?

Then I started my Internet browser (Firefox 1.0 PR) and only one port was opened (3967). Something you have to know - maybe - I am using a web proxy...

In case it was not my browser using that port, I tried to see what programs could be using the port 3967 in the Terminal window using the command you've suggested (sudo lsof -i -P) but didn't succeed.
I actually may have done something wrong while trying to do that... I am not sure..?! Look below at the result after I typed sudo lsof -i -P3967 and entered my admin password.



sudo lsof -i -P3967

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

#1) Respect the privacy of others.
#2) Think before you type.

Password:
lsof: illegal option character: 3
lsof: illegal option character: 9
lsof: illegal option character: 6
lsof: illegal option character: 7
lsof 4.60
latest revision: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abChlnNoOPRstUvV] [-c c] [+|-d s] [+D D] [+|-f[cfgGn]]
[-F [f]] [-g [s]] [-i [i]] [-k k] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
Use the ``-h'' option to get more help information.



I also tried to do it like that:



sudo lsof -i -3967
lsof: illegal option character: 3
lsof: illegal option character: 9
lsof: illegal option character: 6
lsof: illegal option character: 7
lsof 4.60
latest revision: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abChlnNoOPRstUvV] [-c c] [+|-d s] [+D D] [+|-f[cfgGn]]
[-F [f]] [-g [s]] [-i [i]] [-k k] [+|-L [l]] [-m m] [+|-M] [-o [o]] [-p s]
[+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [--] [names]
Use the ``-h'' option to get more help information.


I have made a mistake somewhere. I am a newbie!

At the present moment I am doing another port scan, but this time while the XDonkey program is also running. I'll let you know the result in a short while, hopefully. Thank you for your help, hayne!

trevor 10-09-2004 01:50 PM

When entering commands in situations where you are confident in the person who gave you the commands, but not confident that you will enter it properly, it is a good idea to copy/paste directly from the forum into your Terminal. In this case, you want to enter the command exactly as hayne wrote:

sudo lsof -i -P

In other words, there is no specific reference to a port. If you do want to look for some specific text, you can use a construct like this:

sudo lsof -i -P | grep 3967

Trevor

Yogi Cool 10-09-2004 03:44 PM

OK I understood Trevor! Thank you!
So I haven't damaged anything in my Mac, otherwise you would have mentioned it...!?

Can you give me your opinion about what I wrote first (see below), is that OK..?

""...I restarted my Mac and while none of the programs that do networking were running I ran the port scan again, and the result is that no ports were opened. I guess it is a good sign...!?

Then I started my Internet browser (Firefox 1.0 PR) and only one port was opened (3967)...""


Thanks!

hayne 10-09-2004 04:12 PM

You haven't damaged anything by running the incorrect command.

Quote:

Originally Posted by Yogi Cool
I restarted my Mac and while none of the programs that do networking were running I ran the port scan again, and the result is that no ports were opened. I guess it is a good sign...!

It's a good sign as long as the ports don't get opened again later on. Really what you want to do is understand why the ports got opened.

Quote:

Then I started my Internet browser (Firefox 1.0 PR) and only one port was opened (3967)

Does that port (3967) correspond to the proxy server you are using?
What kind of proxy server are you using? How do you set it up?
If you are still running "Firefox 0.9.3" (in your signature) then you should upgrade to the latest version. Some security holes have been fixed.

What do you get from the command 'sudo lsof -i -P' ?

Yogi Cool 10-09-2004 05:02 PM

hayne, the port 3967 doesn't correspond to my proxy server. The proxy I am using is from Cotse and the port is 8080 and I set it up from the Connection Settings of my browser (Firefox 1.0 PR) ... I rectified my signature which was not accurate...

This is what I get from the command when Acquisition is running (it's much faster than with the Network utility tool):

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
configd 106 root 7u inet 0x02276f20 0t0 UDP *:68
syslogd 264 root 4u inet 0x02276e50 0t0 UDP *:514
mDNSRespo 283 nobody 0u inet 0x02276d80 0t0 UDP *:*
mDNSRespo 283 nobody 5u inet 0x02275ee0 0t0 UDP *:*
mDNSRespo 283 nobody 6u inet 0x02276cb0 0t0 UDP *:*
mDNSRespo 283 nobody 7u inet 0x02276a40 0t0 UDP *:*
mDNSRespo 283 nobody 8u inet 0x02276b10 0t0 UDP *:*
mDNSRespo 283 nobody 9u inet 0x022762f0 0t0 UDP *:*
mDNSRespo 283 nobody 10u inet 0x02276220 0t0 UDP *:5353
netinfod 295 root 5u inet 0x02276be0 0t0 UDP localhost:1033
netinfod 295 root 6u inet 0x02363d1c 0t0 TCP localhost:1033 (LISTEN)
netinfod 295 root 7u inet 0x023637bc 0t0 TCP localhost:1033->localhost:1003 (ESTABLISHED)
netinfod 295 root 8u inet 0x0236279c 0t0 TCP localhost:1033->localhost:1019 (ESTABLISHED)
ntpd 348 root 4u inet 0x022768a0 0t0 UDP *:123
ntpd 348 root 5u inet 0x022767d0 0t0 UDP localhost:123
ntpd 348 root 6u inet 0x02276700 0t0 UDP 10.0.1.2:123
automount 350 root 4u inet 0x02276630 0t0 UDP *:1023
cupsd 372 root 0u inet 0x02362cfc 0t0 TCP localhost:631 (LISTEN)
cupsd 372 root 2u inet 0x022763c0 0t0 UDP *:631
Directory 392 root 5u inet 0x02276150 0t0 UDP *:*
Directory 392 root 6u inet 0x02362a4c 0t0 TCP localhost:1019->localhost:1033 (ESTABLISHED)
Directory 392 root 7u inet 0x023624ec 0t0 TCP *:* (CLOSED)
Directory 392 root 8u inet 0x02276080 0t0 UDP *:*
Directory 392 root 9u inet 0x0236223c 0t0 TCP *:* (CLOSED)
integod 416 root 3u inet 0x0241cf20 0t0 RAW *:*
LaunchCFM 443 lm 17u inet 0x02361cdc 0t0 TCP *:3967 (LISTEN)
LaunchCFM 443 lm 20u inet 0x02360f6c 0t0 TCP localhost:56892->localhost:631 (CLOSE_WAIT)
LaunchCFM 443 lm 21u inet 0x023614cc 0t0 TCP localhost:56893->localhost:631 (CLOSE_WAIT)
LaunchCFM 443 lm 23u inet 0x02275fb0 0t0 UDP *:2222
lookupd 530 root 4u inet 0x0236177c 0t0 TCP localhost:1003->localhost:1033 (ESTABLISHED)
lookupd 530 root 5u inet 0x02275d40 0t0 UDP *:49257
lookupd 530 root 6u inet 0x02276970 0t0 UDP *:*
lookupd 530 root 7u inet 0x02275e10 0t0 UDP *:*
lookupd 530 root 8u inet 0x02275ad0 0t0 UDP *:49258
lookupd 530 root 9u inet 0x02275c70 0t0 UDP *:*
lookupd 530 root 10u inet 0x02275ba0 0t0 UDP *:*
lookupd 530 root 11u inet 0x022755f0 0t0 UDP *:49261
lookupd 530 root 12u inet 0x02275a00 0t0 UDP *:*
lookupd 530 root 13u inet 0x02275930 0t0 UDP *:49259
Acquisiti 562 lm 12u inet 0x02c7473c 0t0 TCP 10.0.1.2:56678->tusk.cotse.net:8080 (CLOSE_WAIT)
java 565 lm 6u inet 0x02275790 0t0 UDP *:6347


I can't see the port 3967! ...Strange!
Here is another one with XDonkey running.


COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
configd 106 root 7u inet 0x02276f20 0t0 UDP *:68
syslogd 264 root 4u inet 0x02276e50 0t0 UDP *:514
mDNSRespo 283 nobody 0u inet 0x02276d80 0t0 UDP *:*
mDNSRespo 283 nobody 5u inet 0x02275ee0 0t0 UDP *:*
mDNSRespo 283 nobody 6u inet 0x02276cb0 0t0 UDP *:*
mDNSRespo 283 nobody 7u inet 0x02276a40 0t0 UDP *:*
mDNSRespo 283 nobody 8u inet 0x02276b10 0t0 UDP *:*
mDNSRespo 283 nobody 9u inet 0x022762f0 0t0 UDP *:*
mDNSRespo 283 nobody 10u inet 0x02276220 0t0 UDP *:5353
netinfod 295 root 5u inet 0x02276be0 0t0 UDP localhost:1033
netinfod 295 root 6u inet 0x02363d1c 0t0 TCP localhost:1033 (LISTEN)
netinfod 295 root 7u inet 0x023637bc 0t0 TCP localhost:1033->localhost:1003 (ESTABLISHED)
netinfod 295 root 8u inet 0x0236279c 0t0 TCP localhost:1033->localhost:1019 (ESTABLISHED)
netinfod 295 root 9u inet 0x03299f4c 0t0 TCP localhost:1033->localhost:58314 (ESTABLISHED)
ntpd 348 root 4u inet 0x022768a0 0t0 UDP *:123
ntpd 348 root 5u inet 0x022767d0 0t0 UDP localhost:123
ntpd 348 root 6u inet 0x02276700 0t0 UDP 10.0.1.2:123
automount 350 root 4u inet 0x02276630 0t0 UDP *:1023
cupsd 372 root 0u inet 0x02362cfc 0t0 TCP localhost:631 (LISTEN)
cupsd 372 root 2u inet 0x022763c0 0t0 UDP *:631
Directory 392 root 5u inet 0x02276150 0t0 UDP *:*
Directory 392 root 6u inet 0x02362a4c 0t0 TCP localhost:1019->localhost:1033 (ESTABLISHED)
Directory 392 root 7u inet 0x023624ec 0t0 TCP *:* (CLOSED)
Directory 392 root 8u inet 0x02276080 0t0 UDP *:*
Directory 392 root 9u inet 0x0236223c 0t0 TCP *:* (CLOSED)
integod 416 root 3u inet 0x0241cf20 0t0 RAW *:*
LaunchCFM 443 lm 17u inet 0x02361cdc 0t0 TCP *:3967 (LISTEN)
LaunchCFM 443 lm 20u inet 0x02360f6c 0t0 TCP localhost:56892->localhost:631 (CLOSE_WAIT)
LaunchCFM 443 lm 21u inet 0x023614cc 0t0 TCP localhost:56893->localhost:631 (CLOSE_WAIT)
LaunchCFM 443 lm 23u inet 0x02275fb0 0t0 UDP *:2222
lookupd 530 root 4u inet 0x0236177c 0t0 TCP localhost:1003->localhost:1033 (ESTABLISHED)
lookupd 530 root 5u inet 0x02275d40 0t0 UDP *:49257
lookupd 530 root 6u inet 0x02276970 0t0 UDP *:*
lookupd 530 root 7u inet 0x02275e10 0t0 UDP *:*
lookupd 530 root 8u inet 0x02275ad0 0t0 UDP *:49258
lookupd 530 root 9u inet 0x02275c70 0t0 UDP *:*
lookupd 530 root 10u inet 0x02275ba0 0t0 UDP *:49373
lookupd 530 root 11u inet 0x022755f0 0t0 UDP *:49261
lookupd 530 root 12u inet 0x02275a00 0t0 UDP *:*
lookupd 530 root 13u inet 0x02275930 0t0 UDP *:49259
xDonkey 650 lm 9u inet 0x02361a2c 0t0 TCP localhost:57017->localhost:4001 (ESTABLISHED)
mlnet 654 lm 4u inet 0x02275790 0t0 UDP *:49374
mlnet 654 lm 29u inet 0x023601fc 0t0 TCP *:4662 (LISTEN)
mlnet 654 lm 30u inet 0x022756c0 0t0 UDP *:4666
mlnet 654 lm 31u inet 0x02275860 0t0 UDP *:14383
mlnet 654 lm 32u inet 0x0236075c 0t0 TCP *:14383 (LISTEN)
mlnet 654 lm 33u inet 0x02360a0c 0t0 TCP *:6881 (LISTEN)
mlnet 654 lm 34u inet 0x02c74c9c 0t0 TCP *:6882 (LISTEN)
mlnet 654 lm 35u inet 0x02c749ec 0t0 TCP *:4080 (LISTEN)
mlnet 654 lm 36u inet 0x02363a6c 0t0 TCP *:4000 (LISTEN)
mlnet 654 lm 37u inet 0x023604ac 0t0 TCP *:4002 (LISTEN)
mlnet 654 lm 38u inet 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
mlnet 654 lm 39u inet 0x02c7448c 0t0 TCP *:4001 (LISTEN)
mlnet 654 lm 40u inet 0x02361f8c 0t0 TCP *:1213 (LISTEN)
mlnet 654 lm 42u inet 0x0329f75c 0t0 TCP 10.0.1.2:4662->220-135-177-19.hinet-ip.hinet.net:3051 (ESTABLISHED)
mlnet 654 lm 43u inet 0x0236350c 0t0 TCP localhost:4001->localhost:57017 (ESTABLISHED)
mlnet 654 lm 44u inet 0x0236325c 0t0 TCP 10.0.1.2:56990->193.151.74.81.euro-servers.net:4242 (ESTABLISHED)
mlnet 654 lm 45u inet 0x032a4a0c 0t0 TCP 10.0.1.2:4662->200-158-213-29.dsl.telesp.net.br:3131 (ESTABLISHED)
mlnet 654 lm 47u inet 0x0329da6c 0t0 TCP 10.0.1.2:56993->:4661 (ESTABLISHED)
mlnet 654 lm 48u inet 0x0329d7bc 0t0 TCP 10.0.1.2:56994->218.87.20.106:1888 (ESTABLISHED)
[s-Computer:~] lm% D)
mlnet 654 lm 51u inet 0x0329f1fc 0t0 TCP 10.0.1.2:57059->iaws9.ee.ccu.edu.tw:7654 (ESTABLISHED)
mlnet 654 lm 54u inet 0x0329c4ec 0t0 TCP 10.0.1.2:57001->modemcable176.209-201-24.mc.videotron.ca:100 (ESTABLISHED)
mlnet 654 lm 59u inet 0x0329b77c 0t0 TCP 10.0.1.2:57006->189-4.cableamos.com:3156 (ESTABLISHED)
mlnet 654 lm 61u inet 0x0329b21c 0t0 TCP 10.0.1.2:57009->hsdbsk142-165-35-128.sasknet.sk.ca:1817 (ESTABLISHED)
mlnet 654 lm 65u inet 0x0329a75c 0t0 TCP 10.0.1.2:57013->user-74b36a.user.msu.edu:3806 (ESTABLISHED)
mlnet 654 lm 116u inet 0x032a6fac 0t0 TCP 10.0.1.2:57083->cs24242113-210.sport.rr.com:1214 (ESTABLISHED)
stroke 655 lm 3u inet 0x032a623c 0t0 TCP 10.0.1.2:63016->10.0.1.2:5908 (SYN_SENT)
stroke 655 lm 4u inet 0x0329ff6c 0t0 TCP localhost:58314->localhost:1033 (ESTABLISHED)


Here is the port 3967!

Sorry it's a lot of things to read...

hayne 10-09-2004 05:29 PM

The port 3967 was in the earlier list as well - you just missed it.
It is shown as having been opened by the process "LaunchCFM". This is a generic process name that was used in Jaguar's version of 'lsof' to indicate that it is a Carbon program. You might be able to find out the name of the program by running the following command:

ps -p 443

where the number comes from the second entry in the output line from 'lsof':
LaunchCFM 443 lm 17u inet 0x02361cdc 0t0 TCP *:3967 (LISTEN)

Anyway, it seems you don't have anything to worry about - that is as long as you trust the developers of XDonkey & Acquisition since it is these programs that are opening up most of the ports on your system.

Yogi Cool 10-09-2004 06:04 PM

Thank you hayne!

Quote:

Originally Posted by hayne
...You might be able to find out the name of the program by running the following command:

ps -p 443

I got this: PID TT STAT TIME COMMAND


Quote:

Originally Posted by hayne
Anyway, it seems you don't have anything to worry about - that is as long as you trust the developers of XDonkey & Acquisition since it is these programs that are opening up most of the ports on your system.

What risk could there be...? Can you advise me of a website to visit in order to be more knowledgeable about this aspect?

hayne 10-09-2004 06:40 PM

Do you still see the line
LaunchCFM 443 lm 17u inet 0x02361cdc 0t0 TCP *:3967 (LISTEN)
when you run 'sudo lsof -i -P' ?
It's strange that the process 443 doesn't show up when you do 'ps -p 443'.


The risk in having any port open is that anyone on the Internet could send packets to the program that is listening at that port. If there were any bugs in that program, a malevolent person could possibly make use of these bugs to do something on your system that you don't want.
Even in the absence of bugs, you need to trust the program's developers to not be using these entry points to your system for other things than what they say they are doing. With programs that are on the shady side of legality, you should be more suspicious of the developer's ethics.

Yogi Cool 10-10-2004 04:56 PM

hayne,

After I ran:

sudo lsof -i -P
the line:

LaunchCFM 443 lm 17u inet 0x02361cdc 0t0 TCP *:3967 (LISTEN)
was gone...

I don't know if it's strange or not that the process 443 doesn't show up when I did 'ps -p 443' (as you said), but it's what happened when I ran:

ps -p 443

Quote:

Originally Posted by hayne
The risk in having any port open is that anyone on the Internet could send packets to the program that is listening at that port. If there were any bugs in that program, a malevolent person could possibly make use of these bugs to do something on your system that you don't want.
Even in the absence of bugs, you need to trust the program's developers to not be using these entry points to your system for other things than what they say they are doing. With programs that are on the shady side of legality, you should be more suspicious of the developer's ethics.

What harm could be done if someone would have installed bugs in my computer? I've heard about things like Spyware and Trojan, but my Sharing and Internet Services are off. How could they take control of my computer...?

How could I know there are bugs in my computer?

Is there any safe way to share files (legal) between people then..?

hayne 10-10-2004 05:15 PM

Quote:

Originally Posted by Yogi Cool
After I ran:
sudo lsof -i -P
the line:
LaunchCFM 443 lm 17u inet 0x02361cdc 0t0 TCP *:3967 (LISTEN)
was gone...

So that just means that you quit whatever application it was that was using that port. By the way, I suspect that that app was a part of MS Office.

Quote:

What harm could be done if someone would have installed bugs in my computer? I've heard about things like Spyware and Trojan, but my Sharing and Internet Services are off. How could they take control of my computer...?
How could I know there are bugs in my computer?
Is there any safe way to share files (legal) between people then..?

People don't "install bugs in your computer" - a bug is a defect that exists in a computer program that makes the program behave differently than intended. For example, if there were such a bug in a file sharing program, it might allow someone to take over your computer by sending different information than expected to one of the ports attached to that program.
You don't know if there are any such security holes in programs since nobody knows - until they are discovered and publicized.
Thus it is best to minimize the ways in which other people can contact your computer - i.e. minimize the open ports and/or the programs that open those ports.

Yogi Cool 10-10-2004 06:30 PM

Quote:

Originally Posted by hayne
So that just means that you quit whatever application it was that was using that port. By the way, I suspect that that app was a part of MS Office.

Yes I think you're right hayne because yesterday while I was doing the port scan I was using MS Office... I didn't know it would alter the port scan result to use a program which is not supposed to be connected to the Internet.

Quote:

Originally Posted by hayne
...it might allow someone to take over your computer by sending different information than expected to one of the ports attached to that program.

What do you mean by take over? What kind of information could they take from my computer and how since I allow only one folder to be shared?

I just did another port scan and this time I have port 6969 opened, which seems to be not good at all this time (I checked on the Internet). Then I ran in the Terminal

sudo lsof -i :6969

and nothing appeared, which I think is a positive sign...!?

Do you have any thoughts hayne about that?

hayne 10-10-2004 07:52 PM

Quote:

Originally Posted by Yogi Cool
yesterday while I was doing the port scan I was using MS Office... I didn't know it would alter the port scan result to use a program which is not supposed to be connected to the Internet.

Office listens for messages from other copies of Office as a copy-protection tactic.


Quote:

What do you mean by take over? What kind of information could they take from my computer and how since I allow only one folder to be shared?

That's the extreme case, but by "take over", I mean someone on the Internet could remotely control your computer as they wished if a security hole allowed them this sort of access.

Each open port is a weakness in the defenses to your system. Best to avoid such weaknesses.

Quote:

sudo lsof -i :6969

Where did you get that command from? You can't just make up commands and expect them to tell you anything useful.

blb 10-10-2004 08:07 PM

Quote:

Originally Posted by hayne
...
Where did you get that command from? You can't just make up commands and expect them to tell you anything useful.

Using -i with an argument preceded by a colon narrows down the list to just that port, very useful when you just want to know about that one port:
Code:

$ sudo lsof -i :3306
Password:
COMMAND PID  USER  FD  TYPE    DEVICE SIZE/OFF NODE NAME
mysqld  379 mysql    4u  IPv4 0x022c2284      0t0  TCP *:mysql (LISTEN)


Yogi Cool 10-11-2004 11:47 AM

Quote:

Originally Posted by hayne
Office listens for messages from other copies of Office as a copy-protection tactic.

So I guess other programs/companies can do the same... But how can they discover someone is using an unlicensed program?


Quote:

Originally Posted by hayne
...someone on the Internet could remotely control your computer as they wished if a security hole allowed them this sort of access.

Can that be possible even if I give access to only one folder on my computer..?



What I don't understand is that when I scanned my Mac with the Network Utility tool there was that 6969 port opened and when I wanted to know more about it through the Terminal, nothing appeared, as if it was not opened...!

Makoto 10-11-2004 08:11 PM

I suppose what Office is doing, at the least, is checking to make sure there aren't any other copies of Office on a connected computer with the exact same product ID and program keys.

trevor 10-11-2004 11:13 PM

Quote:

Originally Posted by Yogi Cool
Can that be possible even if I give access to only one folder on my computer..?

Yes, it can be possible. I think you may not be understanding yet.

Let's say that you've got some buggy p2p "sharing" program running that has a vulnerability. Using this vulnerability, someone can access your computer and in some cases take complete control over it, depending on the severity of the vulnerability. This is independent of what you are doing, such as sharing only one folder. This is simply because you have a program with a vulnerability installed and running.

I would not recommend p2p programs for anyone who is concerned about securing their computer. The two are basically polar opposites. If you want a secure computer, don't run software written by people who "share" items to which they don't own a copyright.

Trevor

hayne 10-12-2004 01:18 AM

Quote:

Originally Posted by Yogi Cool
What I don't understand is that when I scanned my Mac with the Network Utility tool there was that 6969 port opened and when I wanted to know more about it through the Terminal, nothing appeared, as if it was not opened...!

Things can change. A program can have a port open at one time and then close it when it chooses. And of course if you quit a program, any ports that it had open are closed.

Yogi Cool 10-12-2004 11:34 AM

Quote:

Originally Posted by trevor
...someone can access your computer and in some cases take complete control over it, depending on the severity of the vulnerability.

Thank you Trevor for your input!

How can I know someone is controlling my computer?

Little Snitch would help probably to stop someone who is trying to gather information from my computer... Anything else..?

Las_Vegas 10-12-2004 04:29 PM

In order for anyone to gain access to your computer through ports not intended for that purpose, there would have to be holes in the OS allowing such access. In other words, your mac allows FTP (if enabled) through ports 20 and 21. If you have not enabled FTP, those ports are closed. You may though have HTTP (Personal Web Browsing) enabled through port 80. Unless the FTP user (in NetInfo Manager) has port 80 enabled as well, no-one can ftp into your system. It works the same way for all of your ports.

Running one of the more secure operating systems, I wouldn't worry too much about hackers finding back doors such as this.

hayne 10-12-2004 05:24 PM

Quote:

Originally Posted by Las_Vegas
In order for anyone to gain access to your computer through ports not intended for that purpose, there would have to be holes in the OS allowing such access.

You seem to have neglected to read the whole thread or you would have seen that the original poster is running P2P software and has many open ports. The relevant "holes" are those in the P2P software.

trevor 10-12-2004 07:17 PM

A combination of
1. a securely set up firewall,
2. a Tripwire-like program (one easy-to-use Tripwire-like program is CheckMate),
3. Little Snitch, and
4. a Network Intrusion Detection System such as snort (for an OS X GUI for snort, use Henwen) should keep you protected and alerted to problems.

Trevor

Las_Vegas 10-12-2004 10:51 PM

Quote:

Originally Posted by hayne
You seem to have neglected to read the whole thread or you would have seen that the original poster is running P2P software and has many open ports. The relevant "holes" are those in the P2P software.

No I didn't. I was responding to…
Quote:

Originally Posted by trevor
Using this vulnerability, someone can access your computer and in some cases take complete control over it, depending on the severity of the vulnerability.

…and making the statement that unless complete control was open by the OS to one of these ports (Of which none of those ports have admin level access), then the worry is unjustified.

trevor 10-12-2004 11:03 PM

Quote:

Originally Posted by Las_Vegas
No I didn't. I was responding to……and making the statement that unless complete control was open by the OS to one of these ports (Of which none of those ports have admin level access), then the worry is unjustified.

This is completely and utterly wrong. You should not give people this false sense of security. Mac OS X is an extremely secure operating system, and I certainly don't want to worry people--everyone is probably fine as long as they keep their operating system up to date and don't do risky things. But it is completely possible for OS X to have exploits, just as with any other operating system, when running questionable software containing vulnerabilities.

Read some of the following links for your education:
http://www.google.com/search?q=%22re...UTF-8&oe=UTF-8

Trevor

hayne 10-12-2004 11:50 PM

Quote:

Originally Posted by Las_Vegas
I was [...] making the statement that unless complete control was open by the OS to one of these ports (Of which none of those ports have admin level access), then the worry is unjustified.

As Trevor has said, it is a worry to provide any services via open ports to the Internet unless you trust that the software that is accessible via those ports is security-hardened. Even if the software does not run with 'root' privileges, if a hole in that software allows an attacker access to your user account, all your user files are vulnerable. And access to a local account is often the first stage in gaining 'root' access.

For the standard services supplied as part of OS X (but off by default and requiring enabling in Sharing preferences), Apple makes sure that the software is secure against all known vulnerabilities. I.e. Apple takes care of the security of Apache, FTP, SSH, etc.
This is not true of most P2P software and hence use of such software is slightly worrisome.

Yogi Cool 10-13-2004 01:24 PM

Quote:

Originally Posted by hayne
A combination of
1. a securely set up firewall,
2. a Tripwire-like program (one easy-to-use Tripwire-like program is CheckMate),
3. Little Snitch, and
4. a Network Intrusion Detection System such as snort (for an OS X GUI for snort, use Henwen) should keep you protected and alerted to problems.

Thanks Trevor for the secure cocktail software. I'll try them asap!



Quote:

Originally Posted by hayne
Apple makes sure that the software is secure against all known vulnerabilities. I.e. Apple takes care of the security of Apache, FTP, SSH, etc.
This is not true of most P2P software and hence use of such software is slightly worrisome.

Is there any P2P software which is secure..?


All times are GMT -5.