Socket connection question


alcimedes
2009-08-03, 21:31

A friend stumped me with this, hoping someone here will know.

We were talking about UDP and wireless (random, unrelated story about whether wireless connections drop too many UDP packets) and noticed something weird in his Netstat info.

There are entries for a porn site in there, which I'm assuming shouldn't exist.

Code:
tcp4  0  0  motherless.com.postgre  *.*  LISTEN
tcp6  0  0  localhost.postgres      *.*  LISTEN
tcp6  0  0  localhost.postgres      *.*  LISTEN
tcp4  0  0  motherless.com.ipp      *.*  LISTEN
tcp6  0  0  localhost.ipp           *.*  LISTEN
udp4  0  0  motherless.com.ipsec-m  *.*
udp4  0  0  motherless.com.isakmp   *.*
udp4  0  0  motherless.com.ntp      *.*

The localhost ones of course look normal, but there are these random ones scattered in there. A reboot did nothing, and Little Snitch didn't pick up any traffic regarding the site (although I might need to just nuke the rules he's using, but there was nothing that looked like it would allow traffic in/out there).

So my question is, is there a specific location where files would exist to create an open port, or could they be anywhere? I told him to just nuke the box and start over, but now I'm wondering if there would have been any way to find out what was establishing the socket connection.

Google is your friend.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
ShadowOfGed
2009-08-05, 00:13

A program called "lsof" will list all open files / file descriptors on the system. Sockets are file descriptors, so you'd have been able to identify the offending process(es) by running that. To view such data for all users, you'd obviously need to run it as root.

Apparently I call the cops when I see people litter.
alcimedes
2009-08-05, 09:21

Turns out he had a bad hosts file of all things. Someone had tried to help him block out domains, but had instead listed multiple domains as his home (127.0.0.1).

Problem solved!

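The two checks this thread arrives at (lsof to find the process that owns a socket, and the hosts file that turned out to be the cause) can be scripted together. This is an added example, not code from any poster: the function names, the placeholder domains and the sample hosts file are constructed, and it assumes the resolver returns the first hosts entry that matches an address.

```shell
#!/bin/sh
# Added example: function names and the sample hosts file are constructed.

# Names other than "localhost" that a hosts-format file maps to a loopback
# address, printed as "line-number address name".
loopback_aliases() {
    awk '
        { sub(/#.*/, "") }              # strip comments
        NF < 2 { next }                 # blank or address-only line
        $1 ~ /^127\./ || $1 == "::1" {
            for (i = 2; i <= NF; i++)
                if ($i != "localhost" && $i !~ /^localhost\./)
                    print NR, $1, $i
        }
    ' "$1"
}

# First name listed for an address. Assumption: a files-based reverse lookup
# returns the first match, which is the name netstat shows without -n.
first_name_for() {
    awk -v ip="$2" '{ sub(/#.*/, "") } $1 == ip && NF >= 2 { print $2; exit }' "$1"
}

# Numeric listing of listening TCP sockets and UDP sockets with the owning
# command and PID; -n and -P skip name lookups. Run as root to see all users.
listeners() {
    lsof -nP -iTCP -sTCP:LISTEN
    lsof -nP -iUDP
}

# Constructed sample: a block list written with the names on the loopback line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   blocked.example ads.example
127.0.0.1   localhost
::1         localhost
EOF

echo "names aliased to loopback:"
loopback_aliases "$sample"
echo "127.0.0.1 displays as: $(first_name_for "$sample" 127.0.0.1)"
echo "::1 displays as:       $(first_name_for "$sample" ::1)"
rm -f "$sample"
```

On the affected machine, `listeners` followed by `loopback_aliases /etc/hosts` covers both checks; in the sample, the IPv4 loopback takes the blocked name while `::1` still reads as localhost, the same split seen between the tcp4 and tcp6 rows above.
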
All times are GMT -5.