
Theoyster

macrumors member
Original poster
Apr 21, 2010
32
0
Can someone tell me if there is any output here indicative of being intruded upon? Some strange things happening on my mac.



PHP:
netstat -an

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.56.0.17.63156       74.125.67.17.443       ESTABLISHED
tcp4       0      0  10.56.0.17.63145       72.14.209.83.443       ESTABLISHED
tcp4       0      0  *.*                    *.*                    CLOSED
tcp4       0      0  127.0.0.1.1033         127.0.0.1.999          ESTABLISHED
tcp4       0      0  127.0.0.1.999          127.0.0.1.1033         ESTABLISHED
tcp4       0      0  97.**.**.***.56564     67.23.70.14.1723       ESTABLISHED
tcp4       0      0  10.56.0.17.55442       8.19.240.53.80         ESTABLISHED
tcp4       0      0  10.56.0.17.55409       8.19.240.53.80         ESTABLISHED
tcp4       0      0  10.56.0.17.55399       8.19.240.53.80         ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  127.0.0.1.1033         127.0.0.1.1015         ESTABLISHED
tcp4       0      0  127.0.0.1.1015         127.0.0.1.1033         ESTABLISHED
tcp4       0      0  127.0.0.1.1033         127.0.0.1.1021         ESTABLISHED
tcp4       0      0  127.0.0.1.1021         127.0.0.1.1033         ESTABLISHED
tcp4       0      0  127.0.0.1.1033         *.*                    LISTEN
udp4       0      0  *.*                    *.*                    
udp4       0      0  97.**.**.***.52745     *.*                    
udp4       0      0  *.5353                 *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  *.631                  *.*                    
udp4       0      0  127.0.0.1.49159        127.0.0.1.1022         
udp4       0      0  127.0.0.1.49158        127.0.0.1.1022         
udp4       0      0  127.0.0.1.1022         *.*                    
udp4       0      0  127.0.0.1.49157        127.0.0.1.1023         
udp4       0      0  127.0.0.1.1023         *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  97.**.**.***.123       *.*                    
udp4       0      0  127.0.0.1.123          *.*                    
udp4       0      0  *.123                  *.*                    
udp6       0      0  *.5353                 *.*                    
udp4       0      0  *.5353                 *.*                    
udp4       0      0  127.0.0.1.1033         *.*                    
icm6       0      0  *.*                    *.*                    
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
 1f62440 stream      0      0        0  1f62000        0        0
 1f62000 stream      0      0        0  1f62440        0        0
 2427ee0 stream      0      0        0  1f62088        0        0
 1f62088 stream      0      0        0  2427ee0        0        0
 1f62220 stream      0      0  2424c60        0        0        0 /private/var/run/cupsd
 1f625d8 stream      0      0        0  1f62660        0        0 /var/run/mDNSResponder
 1f62660 stream      0      0        0  1f625d8        0        0
 1f626e8 stream      0      0  21f7dec        0        0        0 /var/run/pppconfd
 1f62aa0 stream      0      0  21909cc        0        0        0 /var/run/mDNSResponder
 1f62880 stream      0      0  2179318        0        0        0 /var/run/asl_input
 1f62e58 stream      0      0  21798c4        0        0        0 /var/run/portmap.socket
 1f62ee0 stream      0      0        0        0        0        0
 1f62f68 stream      0      0  1f56420        0        0        0 /var/launchd/0/sock
 2427f68 dgram       0      0        0  1f627f8        0  1f62cc0
 1f62cc0 dgram       0      0        0  1f627f8        0  2427e58
 2427b28 dgram       0      0        0  2427bb0  2427bb0        0
 2427bb0 dgram       0      0        0  2427b28  2427b28        0
 2427c38 dgram       0      0        0  2427cc0  2427cc0        0
 2427cc0 dgram       0      0        0  2427c38  2427c38        0
 2427d48 dgram       0      0        0  2427dd0  2427dd0        0
 2427dd0 dgram       0      0        0  2427d48  2427d48        0
 2427e58 dgram       0      0        0  1f627f8        0  1f62110
 1f62110 dgram       0      0        0  1f627f8        0  1f62198
 1f62198 dgram       0      0        0  1f627f8        0  1f622a8
 1f622a8 dgram       0      0        0  1f627f8        0  1f62330
 1f62330 dgram       0      0        0  1f627f8        0  1f623b8
 1f623b8 dgram       0      0        0  1f627f8        0  1f62770
 1f624c8 dgram       0      0        0  1f62550  1f62550        0
 1f62550 dgram       0      0        0  1f624c8  1f624c8        0
 1f62770 dgram       0      0        0  1f627f8        0  1f62dd0
 1f62dd0 dgram       0      0        0  1f627f8        0  1f62b28
 1f62b28 dgram       0      0        0  1f627f8        0  1f62d48
 1f62bb0 dgram       0      0        0  1f62c38  1f62c38        0
 1f62c38 dgram       0      0        0  1f62bb0  1f62bb0        0
 1f62d48 dgram       0      0        0  1f627f8        0  1f62990
 1f62990 dgram       0      0        0  1f627f8        0        0
 1f62908 dgram       0      0        0  1f62a18  1f62a18        0
 1f62a18 dgram       0      0        0  1f62908  1f62908        0
 1f627f8 dgram       0      0  2179210        0  2427f68        0 /var/run/syslo

netstat

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  97-********.dhc.63649 iw-in-f147.1e100.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63647 iw-in-f83.1e100..https ESTABLISHED
tcp4       0      0  97-********.dhc.63644 cdce.chg005.inte.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63629 iy-in-f149.1e100.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63617 a184-51-200-83.d.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63612 iy-in-f100.1e100.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63611 iy-in-f156.1e100.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63610 a.tribalfusion.c.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63609 iw-in-f149.1e100.http  ESTABLISHED
tcp4       0      0  97-********.dhc.63599 iw-in-f83.1e100..https ESTABLISHED
tcp4       0      0  localhost.netinfo-loca localhost.997          ESTABLISHED
tcp4       0      0  localhost.997          localhost.netinfo-loca ESTABLISHED
tcp4       0      0  10.56.0.17.55442       8.19.240.53.http       ESTABLISHED
tcp4       0      0  10.56.0.17.55409       8.19.240.53.http       ESTABLISHED
tcp4       0      0  10.56.0.17.55399       8.19.240.53.http       ESTABLISHED
tcp4       0      0  localhost.netinfo-loca localhost.1015         ESTABLISHED
tcp4       0      0  localhost.1015         localhost.netinfo-loca ESTABLISHED
tcp4       0      0  localhost.netinfo-loca localhost.1021         ESTABLISHED
tcp4       0      0  localhost.1021         localhost.netinfo-loca ESTABLISHED
udp4       0      0  *.mdns                 *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  *.ipp                  *.*                    
udp4       0      0  localhost.49159        localhost.1022         
udp4       0      0  localhost.49158        localhost.1022         
udp4       0      0  localhost.1022         *.*                    
udp4       0      0  localhost.49157        localhost.1023         
udp4       0      0  localhost.1023         *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  97-86-37-121.dhc.ntp   *.*                    
udp4       0      0  localhost.ntp          *.*                    
udp4       0      0  *.ntp                  *.*                    
udp6       0      0  *.5353                 *.*                    
udp4       0      0  *.mdns                 *.*                    
udp4       0      0  localhost.netinfo-loca *.*                    
icm6       0      0  *.*                    *.*                    
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
 2427220 stream      0      0        0        0        0        0
 2427088 stream      0      0        0        0        0        0
 2427908 stream      0      0        0        0        0        0
 24276e8 stream      0      0        0        0        0        0
 1f62220 stream      0      0  2424c60        0        0        0 /private/var/run/cupsd
 1f625d8 stream      0      0        0  1f62660        0        0 /var/run/mDNSResponder
 1f62660 stream      0      0        0  1f625d8        0        0
 1f626e8 stream      0      0  21f7dec        0        0        0 /var/run/pppconfd
 1f62aa0 stream      0      0  21909cc        0        0        0 /var/run/mDNSResponder
 1f62880 stream      0      0  2179318        0        0        0 /var/run/asl_input
 1f62e58 stream      0      0  21798c4        0        0        0 /var/run/portmap.socket
 1f62ee0 stream      0      0        0        0        0        0
 1f62f68 stream      0      0  1f56420        0        0        0 /var/launchd/0/sock
 2427f68 dgram       0      0        0  1f627f8        0  2427e58
 2427b28 dgram       0      0        0  2427bb0  2427bb0        0
 2427bb0 dgram       0      0        0  2427b28  2427b28        0
 2427c38 dgram       0      0        0  2427cc0  2427cc0        0
 2427cc0 dgram       0      0        0  2427c38  2427c38        0
 2427d48 dgram       0      0        0  2427dd0  2427dd0        0
 2427dd0 dgram       0      0        0  2427d48  2427d48        0
 2427e58 dgram       0      0        0  1f627f8        0  1f62110
 1f62110 dgram       0      0        0  1f627f8        0  1f62198
 1f62198 dgram       0      0        0  1f627f8        0  1f622a8
 1f622a8 dgram       0      0        0  1f627f8        0  1f62330
 1f62330 dgram       0      0        0  1f627f8        0  1f623b8
 1f623b8 dgram       0      0        0  1f627f8        0  1f62770
 1f624c8 dgram       0      0        0  1f62550  1f62550        0
 1f62550 dgram       0      0        0  1f624c8  1f624c8        0
 1f62770 dgram       0      0        0  1f627f8        0  1f62dd0
 1f62dd0 dgram       0      0        0  1f627f8        0  1f62b28
 1f62b28 dgram       0      0        0  1f627f8        0  1f62d48
 1f62bb0 dgram       0      0        0  1f62c38  1f62c38        0
 1f62c38 dgram       0      0        0  1f62bb0  1f62bb0        0
 1f62d48 dgram       0      0        0  1f627f8        0  1f62990
 1f62990 dgram       0      0        0  1f627f8        0        0
 1f62908 dgram       0      0        0  1f62a18  1f62a18        0
 1f62a18 dgram       0      0        0  1f62908  1f62908        0
 
Nothing concrete. There looks to be a potential VPN connection (port 1723). If you did not create the connection I might be worried. Simply going off netstat isn't going to tell you anything concrete though.
 
I set up the VPN so that's ok.

What do you look for in this? I know if there's a trojan it would be in the listening state after a reboot. Other than that I have trouble interpreting all of the connections.
 
What do you look for in this?

The 127.0.0.1 is the same as localhost, and those are your machine. So those references shouldn't be anything malicious. The last octet on the IPs is the port number. Port 443 is for SSL/TLS (secure web connections), port 80 is for non-secure web connections.

The 10.56... appears to be your machine's IP. Using an IP lookup service, some of the IPs listed in the foreign address column were simply listed as neighborhood connections. At least one looked to be for the VPN connection. The others may simply be web sites open in your browser. The port 1033, which is listening, is for netinfo (you can find common port uses by searching "port 1033").
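The triage the replies walk through by eye (split each address into host and port, set loopback traffic aside, then look at listeners and at remote ports such as 443, 80 and 1723) can be scripted. The following is an added example, not part of any post in this thread; the function names are made up for illustration, and the `*.8080` sample line is constructed to show a listener that is not bound to loopback.

```python
import ipaddress
from collections import Counter

# The first six lines are copied from the `netstat -an` output posted above;
# the last line (*.8080 LISTEN) is constructed for this example.
SAMPLE = """\
tcp4       0      0  10.56.0.17.63156       74.125.67.17.443       ESTABLISHED
tcp4       0      0  127.0.0.1.1033         127.0.0.1.999          ESTABLISHED
tcp4       0      0  97.**.**.***.56564     67.23.70.14.1723       ESTABLISHED
tcp4       0      0  10.56.0.17.55442       8.19.240.53.80         ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
udp4       0      0  *.5353                 *.*
tcp4       0      0  *.8080                 *.*                    LISTEN
"""

def split_endpoint(addr):
    """BSD/macOS netstat prints host.port; the port follows the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*", masked addresses, resolved host names
        return host == "localhost"

def parse(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue  # headers, icm6, UNIX-domain socket section
        lhost, lport = split_endpoint(f[3])
        rhost, rport = split_endpoint(f[4])
        rows.append(dict(proto=f[0], lhost=lhost, lport=lport, rhost=rhost,
                         rport=rport, state=f[5] if len(f) > 5 else ""))
    return rows

def triage(rows):
    listeners = [r for r in rows if r["state"] == "LISTEN"]
    est = [r for r in rows if r["state"] == "ESTABLISHED"]
    return {
        # listeners not bound to loopback are reachable from the network
        "exposed_listeners": [r["lport"] for r in listeners if not is_loopback(r["lhost"])],
        "loopback_listeners": [r["lport"] for r in listeners if is_loopback(r["lhost"])],
        "external_by_port": Counter(r["rport"] for r in est if not is_loopback(r["rhost"])),
    }

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```

As the first reply says, netstat alone is not conclusive: on macOS, `lsof -i -n -P` adds the owning process for each socket, which is what turns an unfamiliar port into something you can identify.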
 