Using Netstat To Check For Hackers

Discussion in 'macOS' started by OVERTHEMOON, May 15, 2010.

  1. OVERTHEMOON macrumors newbie

    Joined:
    May 15, 2010
    #1
I've got a very slow 2.8 GHz Intel Core 2 Duo 24" with 2 GB 667 MHz DDR2 SDRAM - IT WASN'T ALWAYS THIS SLOW!!! Being the paranoid guy that I am, I've run Kaspersky and MACSCAN without detecting any threats.

So - I've done a NETSTAT to see how many connections are running and there's loads of them!!!!! I DON'T HAVE PROGRAMS RUNNING IN THE BACKGROUND THAT I'M AWARE OF, i.e. P2P or Chat or Anything!

    Web pages and applications are running slow - I'm just wondering if I've been hacked?

Anyone got any ideas PLEASE?
     
  2. stuarthatto macrumors regular

    Joined:
    Nov 5, 2008
    #2
  3. The ArchAngel macrumors regular

    Joined:
    Jun 23, 2008
    #3
    Restart your machine, let it run for 20 minutes with nothing open, then run "netstat -a" and print the results here. If it is clocking and taking forever to run, try adding the -n switch. I believe on a base, clean Mac OS install with no other server-side services running, you should only see the machine listening on 631 for CUPS. (Feel free to correct me if I'm wrong.)
     
  4. OVERTHEMOON thread starter macrumors newbie

    Joined:
    May 15, 2010
    #4
    MILLENIUMs-iMac:~ MILLENIUM$ netstat -a
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q Local Address Foreign Address (state)
    tcp4 0 0 192.168.1.33.49857 192.168.1.1.http ESTABLISHED
    tcp4 0 0 *.netmagic *.* LISTEN
    tcp4 0 0 192.168.1.33.49856 cdce-vip.bsn002..http ESTABLISHED
    tcp4 0 0 *.kerberos *.* LISTEN
    tcp6 0 0 *.kerberos *.* LISTEN
    tcp4 0 0 localhost.64000 *.* LISTEN
    tcp4 0 0 *.afpovertcp *.* LISTEN
    tcp6 0 0 *.afpovert *.* LISTEN
    tcp4 0 0 localhost.ipp *.* LISTEN
    tcp6 0 0 localhost.ipp *.* LISTEN
    tcp4 0 0 192.168.1.33.49855 192.168.1.1.http TIME_WAIT
    udp4 0 0 *.netmagic *.*
    udp4 0 0 10.37.129.2.kerberos *.*
    udp4 0 0 10.211.55.2.kerberos *.*
    udp4 0 0 192.168.1.33.kerberos *.*
    udp6 0 0 *.kerberos *.*
    udp6 0 0 *.57456 *.*
    udp4 0 0 *.57456 *.*
    udp6 0 0 *.54585 *.*
    udp4 0 0 *.54585 *.*
    udp6 0 0 *.61426 *.*
    udp4 0 0 *.61426 *.*
    udp6 0 0 *.53414 *.*
    udp4 0 0 *.53414 *.*
    udp6 0 0 *.54561 *.*
    udp4 0 0 *.54561 *.*
    udp6 0 0 *.61182 *.*
    udp4 0 0 *.61182 *.*
    udp6 0 0 *.49563 *.*
    udp4 0 0 *.49563 *.*
    udp6 0 0 *.53031 *.*
    udp4 0 0 *.53031 *.*
    udp6 0 0 *.57889 *.*
    udp4 0 0 *.57889 *.*
    udp6 0 0 *.53238 *.*
    udp4 0 0 *.53238 *.*
    udp6 0 0 *.52967 *.*
    udp4 0 0 *.52967 *.*
    udp6 0 0 *.64935 *.*
    udp4 0 0 *.64935 *.*
    udp6 0 0 *.58667 *.*
    udp4 0 0 *.58667 *.*
    udp6 0 0 *.55186 *.*
    udp4 0 0 *.55186 *.*
    udp6 0 0 *.53344 *.*
    udp4 0 0 *.53344 *.*
    udp4 0 0 *.ipp *.*
    udp4 0 0 192.168.1.33.ntp *.*
    udp6 0 0 milleniums-imac.ntp *.*
    udp4 0 0 *.* *.*
    udp4 0 0 *.* *.*
    udp4 0 0 localhost.64000 *.*
    udp4 0 0 10.37.129.2.ntp *.*
    udp4 0 0 10.211.55.2.ntp *.*
    udp4 0 0 localhost.ntp *.*
    udp6 0 0 localhost.ntp *.*
    udp6 0 0 localhost.ntp *.*
    udp6 0 0 *.ntp *.*
    udp4 0 0 *.ntp *.*
    udp6 0 0 *.mdns *.*
    udp4 0 0 *.mdns *.*
    udp4 0 0 *.* *.*
    udp4 0 0 *.* *.*
    icm6 0 0 *.* *.*
    Active LOCAL (UNIX) domain sockets
    Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
    8092c70 stream 0 0 0 5a58a20 0 0 /var/run/mDNSResponder
    5a58a20 stream 0 0 0 8092c70 0 0
    8092f40 stream 0 0 0 5a58630 0 0 /tmp/NMADMB.s
    5a58630 stream 0 0 0 8092f40 0 0
    5a58990 stream 0 0 0 61f47f0 0 0
    61f47f0 stream 0 0 0 5a58990 0 0
    8092d00 stream 0 0 63173a8 0 0 0 /tmp/NMADMB.s
    61f4640 stream 0 0 631743c 0 0 0 /tmp/NMADUA.s
    61f27e0 stream 0 0 0 61f2000 0 0 /var/run/mDNSResponder
    61f2000 stream 0 0 0 61f27e0 0 0
    61f3170 stream 0 0 0 61f4d00 0 0 /private/var/run/cupsd
    61f4d00 stream 0 0 0 61f3170 0 0
    5a59440 stream 0 0 0 5a58750 0 0 /tmp/launchd-167.p0nKTX/sock
    5a58750 stream 0 0 0 5a59440 0 0
    5a58510 stream 0 0 0 61f3200 0 0
    61f3200 stream 0 0 0 5a58510 0 0
    61f4250 stream 0 0 0 61f49a0 0 0 /var/run/mDNSResponder
    61f49a0 stream 0 0 0 61f4250 0 0
    80929a0 stream 0 0 0 61f2a20 0 0 /var/run/mDNSResponder
    61f2a20 stream 0 0 0 80929a0 0 0
    61f35f0 stream 0 0 0 61f2630 0 0 /var/tmp/launchd/sock
    61f2630 stream 0 0 0 61f35f0 0 0
    61f3830 stream 0 0 0 61f3440 0 0
    61f3440 stream 0 0 0 61f3830 0 0
    61f23f0 stream 0 0 0 0 0 0
    61f42e0 stream 0 0 0 5a58fc0 0 0 /var/tmp/launchd/sock
    5a58fc0 stream 0 0 0 61f42e0 0 0
    5a587e0 stream 0 0 0 8092d90 0 0
    8092d90 stream 0 0 0 5a587e0 0 0
    61f3dd0 stream 0 0 0 5a585a0 0 0 /var/run/mDNSResponder
    5a585a0 stream 0 0 0 61f3dd0 0 0
    61f2090 stream 0 0 0 61f2990 0 0 /var/run/mDNSResponder
    61f2990 stream 0 0 0 61f2090 0 0
    80925b0 stream 0 0 0 8092640 0 0 /var/run/mDNSResponder
    8092640 stream 0 0 0 80925b0 0 0
    80926d0 stream 0 0 0 61f25a0 0 0 /tmp/kav_sockets/PRRemote:202202
    61f25a0 stream 0 0 0 80926d0 0 0
    61f2480 stream 0 0 0 61f2360 0 0 /tmp/kav_sockets/PRRemote:5757
    61f2360 stream 0 0 0 61f2480 0 0
    61f2b40 stream 0 0 0 61f2750 0 0 /var/run/com.sophos.sau.ipc
    61f2750 stream 0 0 0 61f2b40 0 0
    61f2ab0 stream 0 0 0 61f26c0 0 0 /var/run/com.sophos.sav.ic.ipc
    61f26c0 stream 0 0 0 61f2ab0 0 0
    61f39e0 stream 0 0 0 61f3560 0 0 /var/run/com.sophos.sav.ic.ipc
    61f3560 stream 0 0 0 61f39e0 0 0
    61f3b90 stream 0 0 0 61f4130 0 0 /var/run/usbmuxd
    61f4130 stream 0 0 0 61f3b90 0 0
    61f21b0 stream 0 0 0 61f3a70 0 0 /var/run/mDNSResponder
    61f3a70 stream 0 0 0 61f21b0 0 0
    61f2510 stream 0 0 0 61f22d0 0 0 /var/run/mDNSResponder
    61f22d0 stream 0 0 0 61f2510 0 0
    61f2900 stream 0 0 81f5d4c 0 0 0 /tmp/kav_sockets/PRRemote:202202
    61f2c60 stream 0 0 0 61f2bd0 0 0
    61f2bd0 stream 0 0 0 61f2c60 0 0
    61f2cf0 stream 0 0 0 61f2d80 0 0 /var/run/mDNSResponder
    61f2d80 stream 0 0 0 61f2cf0 0 0
    61f2f30 stream 0 0 0 61f2fc0 0 0 /var/run/mDNSResponder
    61f2fc0 stream 0 0 0 61f2f30 0 0
    61f4d90 stream 0 0 7d815f8 0 0 0 /tmp/icssuis501
    5a58ea0 stream 0 0 0 61f30e0 0 0
    61f30e0 stream 0 0 0 5a58ea0 0 0
    61f3320 stream 0 0 0 61f33b0 0 0
    61f33b0 stream 0 0 0 61f3320 0 0
    5a58900 stream 0 0 0 5a58c60 0 0
    5a58c60 stream 0 0 0 5a58900 0 0
    5a58000 stream 0 0 7c9e0c4 0 0 0 /tmp/launch-7KKXJM/org.x:0
    5a590e0 stream 0 0 7c9e1ec 0 0 0 /tmp/launch-DUNriv/Listeners
    5a586c0 stream 0 0 7c9e314 0 0 0 /tmp/launch-yKVREs/Render
    5a59200 stream 0 0 7c9e848 0 0 0 /tmp/launchd-167.p0nKTX/sock
    5a5a880 stream 0 0 0 5a5a910 0 0
    5a5a910 stream 0 0 0 5a5a880 0 0
    61f4b50 stream 0 0 7a07ea4 0 0 0 /var/run/com.sophos.sav.ic.ipc
    5a58240 stream 0 0 7a07f38 0 0 0 /var/run/com.sophos.sav.ic.ipcs
    61f4a30 stream 0 0 0 0 0 0
    61f3cb0 stream 0 0 0 61f45b0 0 0
    61f45b0 stream 0 0 0 61f3cb0 0 0
    61f3ef0 stream 0 0 0 61f4370 0 0
    61f4370 stream 0 0 0 61f3ef0 0 0
    5a59a70 stream 0 0 0 5a59950 0 0
    5a59950 stream 0 0 0 5a59a70
     
  5. OVERTHEMOON thread starter macrumors newbie

    Joined:
    May 15, 2010
    #5
    cont...

    0 0
    5a58ab0 stream 0 0 6d2bd4c 0 0 0 /tmp/kav_sockets/PRRemote:5757
    61f3d40 stream 0 0 6c810c4 0 0 0 /var/run/com.sophos.sau.ipc
    5a582d0 stream 0 0 6c81158 0 0 0 /var/run/com.sophos.sau.ipcs
    5a59320 stream 0 0 6c38a04 0 0 0 /var/run/com.sophos.sav.ipcs
    5a58e10 stream 0 0 6c38a98 0 0 0 /var/run/com.sophos.sav.ipc
    5a58bd0 stream 0 0 0 5a59290 0 0 /var/run/mDNSResponder
    5a59290 stream 0 0 0 5a58bd0 0 0
    5a59170 stream 0 0 0 61f3680 0 0 /var/run/mDNSResponder
    61f3680 stream 0 0 0 5a59170 0 0
    5a58870 stream 0 0 0 5a59050 0 0 /var/run/mDNSResponder
    5a59050 stream 0 0 0 5a58870 0 0
    61f41c0 stream 0 0 0 61f3c20 0 0
    61f3c20 stream 0 0 0 61f41c0 0 0
    61f4be0 stream 0 0 0 61f4c70 0 0
    61f4c70 stream 0 0 0 61f4be0 0 0
    61f4e20 stream 0 0 0 61f4eb0 0 0
    61f4eb0 stream 0 0 0 61f4e20 0 0
    5a583f0 stream 0 0 0 5a58480 0 0
    5a58480 stream 0 0 0 5a583f0 0 0
    5a58cf0 stream 0 0 0 5a58d80 0 0
    5a58d80 stream 0 0 0 5a58cf0 0 0
    5a594d0 stream 0 0 0 5a595f0 0 0
    5a595f0 stream 0 0 0 5a594d0 0 0
    5a59560 stream 0 0 0 5a59680 0 0
    5a59680 stream 0 0 0 5a59560 0 0
    5a598c0 stream 0 0 0 5a59710 0 0
    5a59710 stream 0 0 0 5a598c0 0 0
    5a59830 stream 0 0 0 5a599e0 0 0
    5a599e0 stream 0 0 0 5a59830 0 0
    5a597a0 stream 0 0 5fc4970 0 0 0 /var/run/pppconfd
    5a59b00 stream 0 0 0 5a59b90 0 0
    5a59b90 stream 0 0 0 5a59b00 0 0
    5a59c20 stream 0 0 0 5a59cb0 0 0 /var/run/mDNSResponder
    5a59cb0 stream 0 0 0 5a59c20 0 0
    5a59e60 stream 0 0 0 5a59ef0 0 0
    5a59ef0 stream 0 0 0 5a59e60 0 0
    5a5a010 stream 0 0 0 5a59f80 0 0 /var/tmp/launchd/sock
    5a59f80 stream 0 0 0 5a5a010 0 0
    5a5a130 stream 0 0 0 5a5a0a0 0 0
    5a5a0a0 stream 0 0 0 5a5a130 0 0
    5a5a1c0 stream 0 0 0 5a5a250 0 0
    5a5a250 stream 0 0 0 5a5a1c0 0 0
    5a5a370 stream 0 0 0 5a5a2e0 0 0 /var/tmp/launchd/sock
    5a5a2e0 stream 0 0 0 5a5a370 0 0
    5a5a520 stream 0 0 0 5a5a400 0 0
    5a5a400 stream 0 0 0 5a5a520 0 0
    5a5a640 stream 0 0 0 5a5a490 0 0
    5a5a490 stream 0 0 0 5a5a640 0 0
    5a5a5b0 stream 0 0 0 5a5a6d0 0 0
    5a5a6d0 stream 0 0 0 5a5a5b0 0 0
    5a5a760 stream 0 0 0 5a5a7f0 0 0
    5a5a7f0 stream 0 0 0 5a5a760 0 0
    5a5a9a0 stream 0 0 5ce2250 0 0 0 /var/tmp/launchd/sock
    5a5aa30 stream 0 0 5ce2378 0 0 0 /private/var/run/cupsd
    5a5aac0 stream 0 0 5ce2534 0 0 0 /var/run/usbmuxd
    5a5ab50 stream 0 0 5ce25c8 0 0 0 /var/run/asl_input
    5a5ac70 stream 0 0 5ce26f0 0 0 0 /var/run/SCHelper
    5a5ad00 stream 0 0 5ce2784 0 0 0 /var/run/vpncontrol.sock
    5a5ad90 stream 0 0 5ce2818 0 0 0 /private/var/run/printtool
    5a5ae20 stream 0 0 5ce28ac 0 0 0 /var/run/portmap.socket
    5a5af40 stream 0 0 5ce2940 0 0 0 /var/run/mDNSResponder
    5a5aeb0 stream 0 0 5ce29d4 0 0 0 /var/run/com.apple.ActivityMonitor.socket
    8092910 dgram 0 0 0 61f4520 61f4520 0
    61f4520 dgram 0 0 0 8092910 8092910 0
    8092490 dgram 0 0 0 8092520 8092520 0
    8092520 dgram 0 0 0 8092490 8092490 0
    61f2120 dgram 0 0 0 61f2240 0 0
    61f2240 dgram 0 0 84345f8 0 61f2120 0 /var/folders/uv/uvuoOJ8RHF0Vn+qu5PbLJU+++TI/-Tmp-//com.apple.notify.172.16
    8092eb0 dgram 0 0 0 8092e20 8092e20 0
    8092e20 dgram 0 0 0 8092eb0 8092eb0 0
    8092be0 dgram 0 0 0 8092760 8092760 0
    8092760 dgram 0 0 0 8092be0 8092be0 0
    61f2e10 dgram 0 0 0 61f2ea0 61f2ea0 0
    61f2ea0 dgram 0 0 0 61f2e10 61f2e10 0
    61f3050 dgram 0 0 0 61f3290 61f3290 0
    61f3290 dgram 0 0 0 61f3050 61f3050 0
    5a58360 dgram 0 0 0 61f4910 61f4910 0
    61f4910 dgram 0 0 0 5a58360 5a58360 0
    5a58120 dgram 0 0 0 61f4010 61f4010 0
    61f4010 dgram 0 0 0 5a58120 5a58120 0
    61f37a0 dgram 0 0 0 5a581b0 5a581b0 0
    5a581b0 dgram 0 0 0 61f37a0 61f37a0 0
    5a593b0 dgram 0 0 0 61f4400 61f4400 0
    61f4400 dgram 0 0 0 5a593b0 5a593b0 0
    61f4490 dgram 0 0 0 61f38c0 61f38c0 0
    61f38c0 dgram 0 0 0 61f4490 61f4490 0
    61f4880 dgram 0 0 0 61f4760 61f4760 0
    61f4760 dgram 0 0 0 61f4880 61f4880 0
    61f3710 dgram 0 0 0 5a58090 5a58090 0
    5a58090 dgram 0 0 0 61f3710 61f3710 0
    5a59dd0 dgram 0 0 0 5a59d40 5a59d40 0
    5a59d40 dgram 0 0 0 5a59dd0 5a59dd0 0
    5a5abe0 dgram 0 0 5ce265c 0 0 0 /var/run/syslog
    MILLENIUMs-iMac:~ MILLENIUM$
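Working through ArchAngel's suggestion in post #3 against the dump in posts #4 and #5: the script below is an added example, not code posted by anyone in this thread. It parses the Internet-socket section of `netstat -a` output (the same column layout as above), separates TCP listeners that are reachable from the network from loopback-only ones and from the many high-numbered UDP sockets, lists the ESTABLISHED peers, and reports any listening service that is not in an expected-services baseline. The `SAMPLE` text is a constructed excerpt modelled on the lines above, and `BASELINE = {"ipp"}` is an assumption taken from the claim in post #3 that a stock install only listens for CUPS; adjust it to whatever sharing services you have deliberately enabled.

```python
"""Triage helper for macOS `netstat -a` / `netstat -an` output (added example)."""
import re
from typing import Dict, List, NamedTuple, Set

# Constructed excerpt modelled on the thread's dump; not the full output.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.33.49857 192.168.1.1.http ESTABLISHED
tcp4 0 0 *.netmagic *.* LISTEN
tcp4 0 0 192.168.1.33.49856 cdce-vip.bsn002..http ESTABLISHED
tcp4 0 0 *.kerberos *.* LISTEN
tcp6 0 0 *.kerberos *.* LISTEN
tcp4 0 0 localhost.64000 *.* LISTEN
tcp4 0 0 *.afpovertcp *.* LISTEN
tcp4 0 0 localhost.ipp *.* LISTEN
tcp4 0 0 192.168.1.33.49855 192.168.1.1.http TIME_WAIT
udp4 0 0 *.netmagic *.*
udp6 0 0 *.57456 *.*
udp4 0 0 *.57456 *.*
udp4 0 0 *.mdns *.*
udp4 0 0 192.168.1.33.ntp *.*
icm6 0 0 *.* *.*
Active LOCAL (UNIX) domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
8092c70 stream 0 0 0 5a58a20 0 0 /var/run/mDNSResponder
"""

# Assumed baseline of services you expect to be listening (post #3: CUPS only).
BASELINE: Set[str] = {"ipp"}

# Loopback hosts: a listener bound here is not reachable from the network.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


class Socket(NamedTuple):
    proto: str       # tcp4, tcp6, udp4 or udp6
    local_host: str  # '*' means every interface
    local_port: str  # service name from /etc/services, or a number with -n
    foreign: str     # foreign address column exactly as netstat printed it
    state: str       # LISTEN / ESTABLISHED / TIME_WAIT ..., '' for UDP


# proto recv-q send-q local foreign [state]
_LINE = re.compile(
    r"^((?:tcp|udp)[46])\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$"
)


def split_addr(addr: str):
    """netstat prints host.port; the port is whatever follows the last dot."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text: str) -> List[Socket]:
    """Return the TCP/UDP sockets from the Internet section of the output."""
    sockets: List[Socket] = []
    for line in text.splitlines():
        if line.startswith("Active LOCAL"):
            break  # UNIX domain sockets follow; they are not network-reachable
        m = _LINE.match(line.strip())
        if not m:
            continue  # headers, icmp rows, blank lines
        proto, local, foreign, state = m.group(1, 4, 5, 6)
        host, port = split_addr(local)
        sockets.append(Socket(proto, host, port, foreign, state or ""))
    return sockets


def exposed_listeners(sockets: List[Socket]) -> List[Socket]:
    """TCP sockets in LISTEN that are bound to something other than loopback."""
    return [s for s in sockets
            if s.proto.startswith("tcp") and s.state == "LISTEN"
            and s.local_host not in LOOPBACK]


def unexpected_listeners(sockets: List[Socket], baseline: Set[str]) -> List[str]:
    """Exposed listening ports/services not in the baseline, deduplicated."""
    return sorted({s.local_port for s in exposed_listeners(sockets)} - baseline)


def established_peers(sockets: List[Socket]) -> List[str]:
    """Foreign endpoints the machine currently holds an ESTABLISHED session with."""
    return sorted(s.foreign for s in sockets if s.state == "ESTABLISHED")


def triage(text: str, baseline: Set[str] = BASELINE) -> Dict[str, object]:
    """One-shot summary a reader can paste into a reply instead of the whole dump."""
    sockets = parse_netstat(text)
    return {
        "internet_sockets": len(sockets),
        "exposed_listeners": len(exposed_listeners(sockets)),
        "unexpected": unexpected_listeners(sockets, baseline),
        "peers": established_peers(sockets),
        "udp": sum(1 for s in sockets if s.proto.startswith("udp")),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample this reports three exposed services outside the baseline (afpovertcp, kerberos and netmagic) and two established HTTP peers, while the loopback-only listeners on 64000 and ipp and the ephemeral UDP sockets are counted but not flagged. A listener being absent from the baseline is a prompt to identify it, not proof of compromise: afpovertcp is the AFP File Sharing service, so the first check is System Preferences > Sharing. netstat cannot say which process owns a socket; on macOS `lsof -i -P -n` does, so map each unexpected listener and each foreign peer to its process before drawing conclusions.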
     
  6. goscuter1 macrumors newbie

    Joined:
    Dec 13, 2011
    #6
    I got the same question as OP if anyone understands the OS X networking stack?

    Does anyone know what's supposed to auto-load in the /var/run folder or why the sockets keep opening after I delete them?
     
