Using Netstat To Check For Hackers

OVERTHEMOON · May 15, 2010

I've got a very slow 2.8 GHz Intel Core 2 Duo 24" with 2 GB 667 MHz DDR2 SDRAM 0 - IT WASN'T ALWAYS THIS SLOW !!! Being the paranoid guy that I am - I've run Kaspersky and MACSCAN without detecting any threats.

So - I've done a NETSTAT to see how many connections are running and there's loads of them !!!!! I DONT HAVE PROGRAMS RUNNING IN THE BACKGROUND THAT I'M AWARE OF ie: P2P or Chat or Anything !

Web pages and applications are running slow - I'm just wondering if I've been hacked?

Anyone got any ideas PLEASE ?

stuarthatto · May 15, 2010

Download a trial of Little Snitch... http://www.obdev.at/products/littlesnitch/index.html

That will tell you the apps attempting outbound connections.

The ArchAngel · May 15, 2010

Restart your machine, let it run for 20 minutes with nothing open, then run "netstat -a" and print the results here. If it is clocking and taking forever to run, try adding the -n switch. I believe on a base, clean Mac OS install with no other server-side services running, you should only see the machine listening on 631 for CUPS. (Feel free to correct me if I'm wrong.)

OVERTHEMOON · May 15, 2010

The ArchAngel said:
Restart your machine, let it run for 20 minutes with nothing open, then run "netstat -a" and print the results here. If it is clocking and taking forever to run, try adding the -n switch. I believe on a base, clean Mac OS install with no other server-side services running, you should only see the machine listening on 631 for CUPS. (Feel free to correct me if I'm wrong.)

MILLENIUMs-iMac:~ MILLENIUM$ netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.33.49857 192.168.1.1.http ESTABLISHED
tcp4 0 0 *.netmagic *.* LISTEN
tcp4 0 0 192.168.1.33.49856 cdce-vip.bsn002..http ESTABLISHED
tcp4 0 0 *.kerberos *.* LISTEN
tcp6 0 0 *.kerberos *.* LISTEN
tcp4 0 0 localhost.64000 *.* LISTEN
tcp4 0 0 *.afpovertcp *.* LISTEN
tcp6 0 0 *.afpovert *.* LISTEN
tcp4 0 0 localhost.ipp *.* LISTEN
tcp6 0 0 localhost.ipp *.* LISTEN
tcp4 0 0 192.168.1.33.49855 192.168.1.1.http TIME_WAIT
udp4 0 0 *.netmagic *.*
udp4 0 0 10.37.129.2.kerberos *.*
udp4 0 0 10.211.55.2.kerberos *.*
udp4 0 0 192.168.1.33.kerberos *.*
udp6 0 0 *.kerberos *.*
udp6 0 0 *.57456 *.*
udp4 0 0 *.57456 *.*
udp6 0 0 *.54585 *.*
udp4 0 0 *.54585 *.*
udp6 0 0 *.61426 *.*
udp4 0 0 *.61426 *.*
udp6 0 0 *.53414 *.*
udp4 0 0 *.53414 *.*
udp6 0 0 *.54561 *.*
udp4 0 0 *.54561 *.*
udp6 0 0 *.61182 *.*
udp4 0 0 *.61182 *.*
udp6 0 0 *.49563 *.*
udp4 0 0 *.49563 *.*
udp6 0 0 *.53031 *.*
udp4 0 0 *.53031 *.*
udp6 0 0 *.57889 *.*
udp4 0 0 *.57889 *.*
udp6 0 0 *.53238 *.*
udp4 0 0 *.53238 *.*
udp6 0 0 *.52967 *.*
udp4 0 0 *.52967 *.*
udp6 0 0 *.64935 *.*
udp4 0 0 *.64935 *.*
udp6 0 0 *.58667 *.*
udp4 0 0 *.58667 *.*
udp6 0 0 *.55186 *.*
udp4 0 0 *.55186 *.*
udp6 0 0 *.53344 *.*
udp4 0 0 *.53344 *.*
udp4 0 0 *.ipp *.*
udp4 0 0 192.168.1.33.ntp *.*
udp6 0 0 milleniums-imac.ntp *.*
udp4 0 0 *.* *.*
udp4 0 0 *.* *.*
udp4 0 0 localhost.64000 *.*
udp4 0 0 10.37.129.2.ntp *.*
udp4 0 0 10.211.55.2.ntp *.*
udp4 0 0 localhost.ntp *.*
udp6 0 0 localhost.ntp *.*
udp6 0 0 localhost.ntp *.*
udp6 0 0 *.ntp *.*
udp4 0 0 *.ntp *.*
udp6 0 0 *.mdns *.*
udp4 0 0 *.mdns *.*
udp4 0 0 *.* *.*
udp4 0 0 *.* *.*
icm6 0 0 *.* *.*
Active LOCAL (UNIX) domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
8092c70 stream 0 0 0 5a58a20 0 0 /var/run/mDNSResponder
5a58a20 stream 0 0 0 8092c70 0 0
8092f40 stream 0 0 0 5a58630 0 0 /tmp/NMADMB.s
5a58630 stream 0 0 0 8092f40 0 0
5a58990 stream 0 0 0 61f47f0 0 0
61f47f0 stream 0 0 0 5a58990 0 0
8092d00 stream 0 0 63173a8 0 0 0 /tmp/NMADMB.s
61f4640 stream 0 0 631743c 0 0 0 /tmp/NMADUA.s
61f27e0 stream 0 0 0 61f2000 0 0 /var/run/mDNSResponder
61f2000 stream 0 0 0 61f27e0 0 0
61f3170 stream 0 0 0 61f4d00 0 0 /private/var/run/cupsd
61f4d00 stream 0 0 0 61f3170 0 0
5a59440 stream 0 0 0 5a58750 0 0 /tmp/launchd-167.p0nKTX/sock
5a58750 stream 0 0 0 5a59440 0 0
5a58510 stream 0 0 0 61f3200 0 0
61f3200 stream 0 0 0 5a58510 0 0
61f4250 stream 0 0 0 61f49a0 0 0 /var/run/mDNSResponder
61f49a0 stream 0 0 0 61f4250 0 0
80929a0 stream 0 0 0 61f2a20 0 0 /var/run/mDNSResponder
61f2a20 stream 0 0 0 80929a0 0 0
61f35f0 stream 0 0 0 61f2630 0 0 /var/tmp/launchd/sock
61f2630 stream 0 0 0 61f35f0 0 0
61f3830 stream 0 0 0 61f3440 0 0
61f3440 stream 0 0 0 61f3830 0 0
61f23f0 stream 0 0 0 0 0 0
61f42e0 stream 0 0 0 5a58fc0 0 0 /var/tmp/launchd/sock
5a58fc0 stream 0 0 0 61f42e0 0 0
5a587e0 stream 0 0 0 8092d90 0 0
8092d90 stream 0 0 0 5a587e0 0 0
61f3dd0 stream 0 0 0 5a585a0 0 0 /var/run/mDNSResponder
5a585a0 stream 0 0 0 61f3dd0 0 0
61f2090 stream 0 0 0 61f2990 0 0 /var/run/mDNSResponder
61f2990 stream 0 0 0 61f2090 0 0
80925b0 stream 0 0 0 8092640 0 0 /var/run/mDNSResponder
8092640 stream 0 0 0 80925b0 0 0
80926d0 stream 0 0 0 61f25a0 0 0 /tmp/kav_sockets/PRRemote:202202
61f25a0 stream 0 0 0 80926d0 0 0
61f2480 stream 0 0 0 61f2360 0 0 /tmp/kav_sockets/PRRemote:5757
61f2360 stream 0 0 0 61f2480 0 0
61f2b40 stream 0 0 0 61f2750 0 0 /var/run/com.sophos.sau.ipc
61f2750 stream 0 0 0 61f2b40 0 0
61f2ab0 stream 0 0 0 61f26c0 0 0 /var/run/com.sophos.sav.ic.ipc
61f26c0 stream 0 0 0 61f2ab0 0 0
61f39e0 stream 0 0 0 61f3560 0 0 /var/run/com.sophos.sav.ic.ipc
61f3560 stream 0 0 0 61f39e0 0 0
61f3b90 stream 0 0 0 61f4130 0 0 /var/run/usbmuxd
61f4130 stream 0 0 0 61f3b90 0 0
61f21b0 stream 0 0 0 61f3a70 0 0 /var/run/mDNSResponder
61f3a70 stream 0 0 0 61f21b0 0 0
61f2510 stream 0 0 0 61f22d0 0 0 /var/run/mDNSResponder
61f22d0 stream 0 0 0 61f2510 0 0
61f2900 stream 0 0 81f5d4c 0 0 0 /tmp/kav_sockets/PRRemote:202202
61f2c60 stream 0 0 0 61f2bd0 0 0
61f2bd0 stream 0 0 0 61f2c60 0 0
61f2cf0 stream 0 0 0 61f2d80 0 0 /var/run/mDNSResponder
61f2d80 stream 0 0 0 61f2cf0 0 0
61f2f30 stream 0 0 0 61f2fc0 0 0 /var/run/mDNSResponder
61f2fc0 stream 0 0 0 61f2f30 0 0
61f4d90 stream 0 0 7d815f8 0 0 0 /tmp/icssuis501
5a58ea0 stream 0 0 0 61f30e0 0 0
61f30e0 stream 0 0 0 5a58ea0 0 0
61f3320 stream 0 0 0 61f33b0 0 0
61f33b0 stream 0 0 0 61f3320 0 0
5a58900 stream 0 0 0 5a58c60 0 0
5a58c60 stream 0 0 0 5a58900 0 0
5a58000 stream 0 0 7c9e0c4 0 0 0 /tmp/launch-7KKXJM/org.x:0
5a590e0 stream 0 0 7c9e1ec 0 0 0 /tmp/launch-DUNriv/Listeners
5a586c0 stream 0 0 7c9e314 0 0 0 /tmp/launch-yKVREs/Render
5a59200 stream 0 0 7c9e848 0 0 0 /tmp/launchd-167.p0nKTX/sock
5a5a880 stream 0 0 0 5a5a910 0 0
5a5a910 stream 0 0 0 5a5a880 0 0
61f4b50 stream 0 0 7a07ea4 0 0 0 /var/run/com.sophos.sav.ic.ipc
5a58240 stream 0 0 7a07f38 0 0 0 /var/run/com.sophos.sav.ic.ipcs
61f4a30 stream 0 0 0 0 0 0
61f3cb0 stream 0 0 0 61f45b0 0 0
61f45b0 stream 0 0 0 61f3cb0 0 0
61f3ef0 stream 0 0 0 61f4370 0 0
61f4370 stream 0 0 0 61f3ef0 0 0
5a59a70 stream 0 0 0 5a59950 0 0
5a59950 stream 0 0 0 5a59a70

OVERTHEMOON · May 15, 2010

cont...

0 0
5a58ab0 stream 0 0 6d2bd4c 0 0 0 /tmp/kav_sockets/PRRemote:5757
61f3d40 stream 0 0 6c810c4 0 0 0 /var/run/com.sophos.sau.ipc
5a582d0 stream 0 0 6c81158 0 0 0 /var/run/com.sophos.sau.ipcs
5a59320 stream 0 0 6c38a04 0 0 0 /var/run/com.sophos.sav.ipcs
5a58e10 stream 0 0 6c38a98 0 0 0 /var/run/com.sophos.sav.ipc
5a58bd0 stream 0 0 0 5a59290 0 0 /var/run/mDNSResponder
5a59290 stream 0 0 0 5a58bd0 0 0
5a59170 stream 0 0 0 61f3680 0 0 /var/run/mDNSResponder
61f3680 stream 0 0 0 5a59170 0 0
5a58870 stream 0 0 0 5a59050 0 0 /var/run/mDNSResponder
5a59050 stream 0 0 0 5a58870 0 0
61f41c0 stream 0 0 0 61f3c20 0 0
61f3c20 stream 0 0 0 61f41c0 0 0
61f4be0 stream 0 0 0 61f4c70 0 0
61f4c70 stream 0 0 0 61f4be0 0 0
61f4e20 stream 0 0 0 61f4eb0 0 0
61f4eb0 stream 0 0 0 61f4e20 0 0
5a583f0 stream 0 0 0 5a58480 0 0
5a58480 stream 0 0 0 5a583f0 0 0
5a58cf0 stream 0 0 0 5a58d80 0 0
5a58d80 stream 0 0 0 5a58cf0 0 0
5a594d0 stream 0 0 0 5a595f0 0 0
5a595f0 stream 0 0 0 5a594d0 0 0
5a59560 stream 0 0 0 5a59680 0 0
5a59680 stream 0 0 0 5a59560 0 0
5a598c0 stream 0 0 0 5a59710 0 0
5a59710 stream 0 0 0 5a598c0 0 0
5a59830 stream 0 0 0 5a599e0 0 0
5a599e0 stream 0 0 0 5a59830 0 0
5a597a0 stream 0 0 5fc4970 0 0 0 /var/run/pppconfd
5a59b00 stream 0 0 0 5a59b90 0 0
5a59b90 stream 0 0 0 5a59b00 0 0
5a59c20 stream 0 0 0 5a59cb0 0 0 /var/run/mDNSResponder
5a59cb0 stream 0 0 0 5a59c20 0 0
5a59e60 stream 0 0 0 5a59ef0 0 0
5a59ef0 stream 0 0 0 5a59e60 0 0
5a5a010 stream 0 0 0 5a59f80 0 0 /var/tmp/launchd/sock
5a59f80 stream 0 0 0 5a5a010 0 0
5a5a130 stream 0 0 0 5a5a0a0 0 0
5a5a0a0 stream 0 0 0 5a5a130 0 0
5a5a1c0 stream 0 0 0 5a5a250 0 0
5a5a250 stream 0 0 0 5a5a1c0 0 0
5a5a370 stream 0 0 0 5a5a2e0 0 0 /var/tmp/launchd/sock
5a5a2e0 stream 0 0 0 5a5a370 0 0
5a5a520 stream 0 0 0 5a5a400 0 0
5a5a400 stream 0 0 0 5a5a520 0 0
5a5a640 stream 0 0 0 5a5a490 0 0
5a5a490 stream 0 0 0 5a5a640 0 0
5a5a5b0 stream 0 0 0 5a5a6d0 0 0
5a5a6d0 stream 0 0 0 5a5a5b0 0 0
5a5a760 stream 0 0 0 5a5a7f0 0 0
5a5a7f0 stream 0 0 0 5a5a760 0 0
5a5a9a0 stream 0 0 5ce2250 0 0 0 /var/tmp/launchd/sock
5a5aa30 stream 0 0 5ce2378 0 0 0 /private/var/run/cupsd
5a5aac0 stream 0 0 5ce2534 0 0 0 /var/run/usbmuxd
5a5ab50 stream 0 0 5ce25c8 0 0 0 /var/run/asl_input
5a5ac70 stream 0 0 5ce26f0 0 0 0 /var/run/SCHelper
5a5ad00 stream 0 0 5ce2784 0 0 0 /var/run/vpncontrol.sock
5a5ad90 stream 0 0 5ce2818 0 0 0 /private/var/run/printtool
5a5ae20 stream 0 0 5ce28ac 0 0 0 /var/run/portmap.socket
5a5af40 stream 0 0 5ce2940 0 0 0 /var/run/mDNSResponder
5a5aeb0 stream 0 0 5ce29d4 0 0 0 /var/run/com.apple.ActivityMonitor.socket
8092910 dgram 0 0 0 61f4520 61f4520 0
61f4520 dgram 0 0 0 8092910 8092910 0
8092490 dgram 0 0 0 8092520 8092520 0
8092520 dgram 0 0 0 8092490 8092490 0
61f2120 dgram 0 0 0 61f2240 0 0
61f2240 dgram 0 0 84345f8 0 61f2120 0 /var/folders/uv/uvuoOJ8RHF0Vn+qu5PbLJU+++TI/-Tmp-//com.apple.notify.172.16
8092eb0 dgram 0 0 0 8092e20 8092e20 0
8092e20 dgram 0 0 0 8092eb0 8092eb0 0
8092be0 dgram 0 0 0 8092760 8092760 0
8092760 dgram 0 0 0 8092be0 8092be0 0
61f2e10 dgram 0 0 0 61f2ea0 61f2ea0 0
61f2ea0 dgram 0 0 0 61f2e10 61f2e10 0
61f3050 dgram 0 0 0 61f3290 61f3290 0
61f3290 dgram 0 0 0 61f3050 61f3050 0
5a58360 dgram 0 0 0 61f4910 61f4910 0
61f4910 dgram 0 0 0 5a58360 5a58360 0
5a58120 dgram 0 0 0 61f4010 61f4010 0
61f4010 dgram 0 0 0 5a58120 5a58120 0
61f37a0 dgram 0 0 0 5a581b0 5a581b0 0
5a581b0 dgram 0 0 0 61f37a0 61f37a0 0
5a593b0 dgram 0 0 0 61f4400 61f4400 0
61f4400 dgram 0 0 0 5a593b0 5a593b0 0
61f4490 dgram 0 0 0 61f38c0 61f38c0 0
61f38c0 dgram 0 0 0 61f4490 61f4490 0
61f4880 dgram 0 0 0 61f4760 61f4760 0
61f4760 dgram 0 0 0 61f4880 61f4880 0
61f3710 dgram 0 0 0 5a58090 5a58090 0
5a58090 dgram 0 0 0 61f3710 61f3710 0
5a59dd0 dgram 0 0 0 5a59d40 5a59d40 0
5a59d40 dgram 0 0 0 5a59dd0 5a59dd0 0
5a5abe0 dgram 0 0 5ce265c 0 0 0 /var/run/syslog
MILLENIUMs-iMac:~ MILLENIUM$

goscuter1 · Aug 28, 2012

OVERTHEMOON said:
cont...

0 /var/tmp/launchd/sock
5a5aa30 stream 0 0 5ce2378 0 0 0 /private/var/run/cupsd
5a5aac0 stream 0 0 5ce2534 0 0 0 /var/run/usbmuxd
5a5ab50 stream 0 0 5ce25c8 0 0 0 /var/run/asl_input
5a5ac70 stream 0 0 5ce26f0 0 0 0 /var/run/SCHelper
5a5ad00 stream 0 0 5ce2784 0 0 0 /var/run/vpncontrol.sock
5a5ad90 stream 0 0 5ce2818 0 0 0 /private/var/run/printtool
5a5ae20 stream 0 0 5ce28ac 0 0 0 /var/run/portmap.socket
5a5af40 stream 0 0 5ce2940 0 0 0 /var/run/mDNSResponder
5a5aeb0 stream 0 0 5ce29d4 0 0 0 /var/run/com.apple.ActivityMonitor.socket
8092910 dgram 0 0 0 61f4520 61f4520 0
61f4520 dgram 0 0 0 8092910 8092910 0
8092490 dgram 0 0 0 8092520 8092520 0
8092520 dgram 0 0 0 8092490 8092490 0
61f2120 dgram 0 0 0 61f2240 0 0
61f2240 dgram 0 0 84345f8 0 61f2120 0 /var/folders/uv/uvuoOJ8RHF0Vn+qu5PbLJU+++TI/-Tmp-//com.apple.notify.172.16
MILLENIUMs-iMac:~ MILLENIUM$

I got the same question as OP if anyone understands the OS X networking stack?

Does anyone know what's supposed to auto-load in the /var/run folder or why the sockets keep opening after I delete them?

art0ne · Apr 16, 2020

tcp6 0 0 2a07-a880-4701-1.57844 2a00:1450:400f:7.https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57843 2a00:1450:400f:7.https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57841 arn09s19-in-x0e..https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57830 2a00:1450:400f:7.https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57823 arn09s20-in-x0e..https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57820 arn11s01-in-x01..https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57819 arn09s20-in-x16..https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57816 arn11s04-in-x0e..https ESTABLISHED

tcp4 0 0 10.128.2.161.57806 104.244.42.200.https ESTABLISHED

tcp4 0 0 10.128.2.161.57803 151.101.86.217.https ESTABLISHED

tcp4 0 0 10.128.2.161.57801 151.101.85.171.https ESTABLISHED

tcp4 0 0 10.128.2.161.57797 151.101.86.217.https ESTABLISHED

tcp4 0 0 10.128.2.161.57796 151.101.86.217.https ESTABLISHED

tcp4 0 0 10.128.2.161.57795 151.101.85.171.https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57789 arn09s10-in-x0e..https ESTABLISHED

tcp4 0 0 10.128.2.161.57786 151.101.85.7.https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57776 2a04:4e42:14::62.https ESTABLISHED

tcp4 0 0 10.128.2.161.57750 151.101.85.186.https ESTABLISHED

tcp6 0 0 2a07-a880-4701-1.57696 edge-star6-shv-0.https ESTABLISHED

tcp4 0 0 10.128.2.161.57695 m6135.ovs.host.fcp-add ESTABLISHED

tcp4 0 0 10.128.2.161.57636 17.57.146.132.5223 ESTABLISHED

tcp6 0 0 localhost.7505 localhost.57634 ESTABLISHED

tcp6 0 0 localhost.57634 localhost.7505 ESTABLISHED

tcp4 0 0 localhost.7506 localhost.49308 ESTABLISHED

tcp4 0 0 localhost.49308 localhost.7506 ESTABLISHED

PLEASE HELP ME

ÅPPLEASE HELP ME

Search

Search

Using Netstat To Check For Hackers

OVERTHEMOON

macrumors newbie

stuarthatto

macrumors regular

The ArchAngel

macrumors regular

OVERTHEMOON

macrumors newbie

OVERTHEMOON

macrumors newbie

goscuter1

macrumors newbie

art0ne

macrumors newbie

Our Staff