netstat help

Discussion in 'macOS' started by Theoyster, Sep 11, 2010.

  1. Theoyster macrumors member

    Joined:
    Apr 21, 2010
    #1
    Can someone tell me if there is any output here indicative of being intruded upon? Some strange things happening on my Mac.



    PHP:
    netstat -an

    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0  10.56.0.17.63156       74.125.67.17.443       ESTABLISHED
    tcp4       0      0  10.56.0.17.63145       72.14.209.83.443       ESTABLISHED
    tcp4       0      0  *.*                    *.*                    CLOSED
    tcp4       0      0  127.0.0.1.1033         127.0.0.1.999          ESTABLISHED
    tcp4       0      0  127.0.0.1.999          127.0.0.1.1033         ESTABLISHED
    tcp4       0      0  97.**.**.***.56564     67.23.70.14.1723       ESTABLISHED
    tcp4       0      0  10.56.0.17.55442       8.19.240.53.80         ESTABLISHED
    tcp4       0      0  10.56.0.17.55409       8.19.240.53.80         ESTABLISHED
    tcp4       0      0  10.56.0.17.55399       8.19.240.53.80         ESTABLISHED
    tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
    tcp4       0      0  127.0.0.1.1033         127.0.0.1.1015         ESTABLISHED
    tcp4       0      0  127.0.0.1.1015         127.0.0.1.1033         ESTABLISHED
    tcp4       0      0  127.0.0.1.1033         127.0.0.1.1021         ESTABLISHED
    tcp4       0      0  127.0.0.1.1021         127.0.0.1.1033         ESTABLISHED
    tcp4       0      0  127.0.0.1.1033         *.*                    LISTEN
    udp4       0      0  *.*                    *.*
    udp4       0      0  97.**.**.***.52745     *.*                    
    udp4       0      0  *.5353                 *.*                    
    udp4       0      0  *.*                    *.*                    
    udp4       0      0  *.631                  *.*                    
    udp4       0      0  127.0.0.1.49159        127.0.0.1.1022         
    udp4       0      0  127.0.0.1.49158        127.0.0.1.1022         
    udp4       0      0  127.0.0.1.1022         *.*
    udp4       0      0  127.0.0.1.49157        127.0.0.1.1023
    udp4       0      0  127.0.0.1.1023         *.*
    udp4       0      0  *.*                    *.*                    
    udp4       0      0  97.**.**.***.123       *.*                    
    udp4       0      0  127.0.0.1.123          *.*                    
    udp4       0      0  *.123                  *.*                    
    udp6       0      0  *.5353                 *.*                    
    udp4       0      0  *.5353                 *.*                    
    udp4       0      0  127.0.0.1.1033         *.*                    
    icm6       0      0  *.*                    *.*                    
    Active LOCAL (UNIX) domain sockets
    Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
     1f62440 stream      0      0        0  1f62000        0        0
     1f62000 stream      0      0        0  1f62440        0        0
     2427ee0 stream      0      0        0  1f62088        0        0
     1f62088 stream      0      0        0  2427ee0        0        0
     1f62220 stream      0      0  2424c60        0        0        0 /private/var/run/cupsd
     1f625d8 stream      0      0        0  1f62660        0        0 /var/run/mDNSResponder
     1f62660 stream      0      0        0  1f625d8        0        0
     1f626e8 stream      0      0  21f7dec        0        0        0 /var/run/pppconfd
     1f62aa0 stream      0      0  21909cc        0        0        0 /var/run/mDNSResponder
     1f62880 stream      0      0  2179318        0        0        0 /var/run/asl_input
     1f62e58 stream      0      0  21798c4        0        0        0 /var/run/portmap.socket
     1f62ee0 stream      0      0        0        0        0        0
     1f62f68 stream      0      0  1f56420        0        0        0 /var/launchd/0/sock
     2427f68 dgram       0      0        0  1f627f8        0  1f62cc0
     1f62cc0 dgram       0      0        0  1f627f8        0  2427e58
     2427b28 dgram       0      0        0  2427bb0  2427bb0        0
     2427bb0 dgram       0      0        0  2427b28  2427b28        0
     2427c38 dgram       0      0        0  2427cc0  2427cc0        0
     2427cc0 dgram       0      0        0  2427c38  2427c38        0
     2427d48 dgram       0      0        0  2427dd0  2427dd0        0
     2427dd0 dgram       0      0        0  2427d48  2427d48        0
     2427e58 dgram       0      0        0  1f627f8        0  1f62110
     1f62110 dgram       0      0        0  1f627f8        0  1f62198
     1f62198 dgram       0      0        0  1f627f8        0  1f622a8
     1f622a8 dgram       0      0        0  1f627f8        0  1f62330
     1f62330 dgram       0      0        0  1f627f8        0  1f623b8
     1f623b8 dgram       0      0        0  1f627f8        0  1f62770
     1f624c8 dgram       0      0        0  1f62550  1f62550        0
     1f62550 dgram       0      0        0  1f624c8  1f624c8        0
     1f62770 dgram       0      0        0  1f627f8        0  1f62dd0
     1f62dd0 dgram       0      0        0  1f627f8        0  1f62b28
     1f62b28 dgram       0      0        0  1f627f8        0  1f62d48
     1f62bb0 dgram       0      0        0  1f62c38  1f62c38        0
     1f62c38 dgram       0      0        0  1f62bb0  1f62bb0        0
     1f62d48 dgram       0      0        0  1f627f8        0  1f62990
     1f62990 dgram       0      0        0  1f627f8        0        0
     1f62908 dgram       0      0        0  1f62a18  1f62a18        0
     1f62a18 dgram       0      0        0  1f62908  1f62908        0
     1f627f8 dgram       0      0  2179210        0  2427f68        0 /var/run/syslo

    netstat

    Active Internet connections
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0  97-********.dhc.63649 iw-in-f147.1e100.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63647 iw-in-f83.1e100..https ESTABLISHED
    tcp4       0      0  97-********.dhc.63644 cdce.chg005.inte.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63629 iy-in-f149.1e100.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63617 a184-51-200-83.d.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63612 iy-in-f100.1e100.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63611 iy-in-f156.1e100.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63610 a.tribalfusion.c.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63609 iw-in-f149.1e100.http  ESTABLISHED
    tcp4       0      0  97-********.dhc.63599 iw-in-f83.1e100..https ESTABLISHED
    tcp4       0      0  localhost.netinfo-loca localhost.997          ESTABLISHED
    tcp4       0      0  localhost.997          localhost.netinfo-loca ESTABLISHED
    tcp4       0      0  10.56.0.17.55442       8.19.240.53.http       ESTABLISHED
    tcp4       0      0  10.56.0.17.55409       8.19.240.53.http       ESTABLISHED
    tcp4       0      0  10.56.0.17.55399       8.19.240.53.http       ESTABLISHED
    tcp4       0      0  localhost.netinfo-loca localhost.1015         ESTABLISHED
    tcp4       0      0  localhost.1015         localhost.netinfo-loca ESTABLISHED
    tcp4       0      0  localhost.netinfo-loca localhost.1021         ESTABLISHED
    tcp4       0      0  localhost.1021         localhost.netinfo-loca ESTABLISHED
    udp4       0      0  *.mdns                 *.*
    udp4       0      0  *.*                    *.*
    udp4       0      0  *.ipp                  *.*
    udp4       0      0  localhost.49159        localhost.1022
    udp4       0      0  localhost.49158        localhost.1022
    udp4       0      0  localhost.1022         *.*
    udp4       0      0  localhost.49157        localhost.1023
    udp4       0      0  localhost.1023         *.*
    udp4       0      0  *.*                    *.*                    
    udp4       0      0  97-86-37-121.dhc.ntp   *.*                    
    udp4       0      0  localhost.ntp          *.*                    
    udp4       0      0  *.ntp                  *.*                    
    udp6       0      0  *.5353                 *.*                    
    udp4       0      0  *.mdns                 *.*                    
    udp4       0      0  localhost.netinfo-loca *.*                    
    icm6       0      0  *.*                    *.*                    
    Active LOCAL (UNIX) domain sockets
    Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
     2427220 stream      0      0        0        0        0        0
     2427088 stream      0      0        0        0        0        0
     2427908 stream      0      0        0        0        0        0
     24276e8 stream      0      0        0        0        0        0
     1f62220 stream      0      0  2424c60        0        0        0 /private/var/run/cupsd
     1f625d8 stream      0      0        0  1f62660        0        0 /var/run/mDNSResponder
     1f62660 stream      0      0        0  1f625d8        0        0
     1f626e8 stream      0      0  21f7dec        0        0        0 /var/run/pppconfd
     1f62aa0 stream      0      0  21909cc        0        0        0 /var/run/mDNSResponder
     1f62880 stream      0      0  2179318        0        0        0 /var/run/asl_input
     1f62e58 stream      0      0  21798c4        0        0        0 /var/run/portmap.socket
     1f62ee0 stream      0      0        0        0        0        0
     1f62f68 stream      0      0  1f56420        0        0        0 /var/launchd/0/sock
     2427f68 dgram       0      0        0  1f627f8        0  2427e58
     2427b28 dgram       0      0        0  2427bb0  2427bb0        0
     2427bb0 dgram       0      0        0  2427b28  2427b28        0
     2427c38 dgram       0      0        0  2427cc0  2427cc0        0
     2427cc0 dgram       0      0        0  2427c38  2427c38        0
     2427d48 dgram       0      0        0  2427dd0  2427dd0        0
     2427dd0 dgram       0      0        0  2427d48  2427d48        0
     2427e58 dgram       0      0        0  1f627f8        0  1f62110
     1f62110 dgram       0      0        0  1f627f8        0  1f62198
     1f62198 dgram       0      0        0  1f627f8        0  1f622a8
     1f622a8 dgram       0      0        0  1f627f8        0  1f62330
     1f62330 dgram       0      0        0  1f627f8        0  1f623b8
     1f623b8 dgram       0      0        0  1f627f8        0  1f62770
     1f624c8 dgram       0      0        0  1f62550  1f62550        0
     1f62550 dgram       0      0        0  1f624c8  1f624c8        0
     1f62770 dgram       0      0        0  1f627f8        0  1f62dd0
     1f62dd0 dgram       0      0        0  1f627f8        0  1f62b28
     1f62b28 dgram       0      0        0  1f627f8        0  1f62d48
     1f62bb0 dgram       0      0        0  1f62c38  1f62c38        0
     1f62c38 dgram       0      0        0  1f62bb0  1f62bb0        0
     1f62d48 dgram       0      0        0  1f627f8        0  1f62990
     1f62990 dgram       0      0        0  1f627f8        0        0
     1f62908 dgram       0      0        0  1f62a18  1f62a18        0
     1f62a18 dgram       0      0        0  1f62908  1f62908        0

     
  2. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #2
    Nothing concrete. There looks to be a potential VPN connection (port 1723). If you did not create the connection I might be worried. Simply going off netstat isn't going to tell you anything concrete though.
     
  3. Theoyster thread starter macrumors member

    Joined:
    Apr 21, 2010
    #3
    I set up the VPN so that's ok.

    What do you look for in this? I know if there's a trojan it would be in the listening state after a reboot. Other than that I have trouble interpreting all of the connections.
     
  4. angelwatt Moderator emeritus

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    The 127.0.0.1 is the same as localhost, and those are your machine. So those references shouldn't be anything malicious. The last octet on the IPs is the port number. Port 443 is for SSL/TLS (secure web connections), port 80 is for non-secure web connections.

    The 10.56... appears to be your machine's IP. Using an IP lookup service, some of the IPs listed in the foreign address column were simply listed as neighborhood connections. At least one looked to be for the VPN connection. The others may simply be web sites open in your browser. The port 1033, which is listening, is for netinfo (you can find common port uses by searching "port 1033").
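
As an added example (not part of the original thread): a small Python parser for `netstat -an` output in the macOS layout posted above. It splits each address on its last dot to get the port, then separates remote peers from loopback traffic and loopback-only listeners from listeners bound to every interface. The sample rows are constructed with documentation-range addresses, and the function names are assumptions for illustration.

```python
import ipaddress

# Constructed sample in the macOS/BSD `netstat -an` layout (address.port).
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.63156         192.0.2.10.443         ESTABLISHED
tcp4       0      0  10.0.0.5.56564         198.51.100.7.1723      ESTABLISHED
tcp4       0      0  127.0.0.1.1033         127.0.0.1.999          ESTABLISHED
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  *.5900                 *.*                    LISTEN
udp4       0      0  *.5353                 *.*
"""

def split_endpoint(field):
    """BSD netstat joins host and port with a dot, so split on the last dot."""
    host, _, port = field.rpartition(".")
    return host, port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"  # "*" (all interfaces) is not loopback

def triage(text):
    """Return (remote_peers, exposed_listeners, loopback_listeners) for TCP rows."""
    remote, exposed, local_only = [], [], []
    for line in text.splitlines():
        cols = line.split()
        # Skip headers, UDP rows (no state column) and UNIX-socket rows.
        if len(cols) != 6 or not cols[0].startswith("tcp"):
            continue
        lhost, lport = split_endpoint(cols[3])
        rhost, rport = split_endpoint(cols[4])
        state = cols[5]
        if state == "LISTEN":
            (local_only if is_loopback(lhost) else exposed).append(int(lport))
        elif state == "ESTABLISHED" and not is_loopback(rhost):
            remote.append((rhost, int(rport)))
    return remote, exposed, local_only
```

It expects numeric output (`-n`); without that flag ports appear as service names such as `http`. On a live system, `lsof -i -n -P` maps each of these sockets to the owning process, which netstat on macOS does not show.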
     
