How to close suspicious port 999 garcon, is it malware?

4

On Mac OSX, I ran the command nmap localhost and I found I have this suspicious open port:

999/tcp open garcon

Then I tried to see if there is an associated process, but nothing shows up with lsof -i | grep 999.

Two questions:

  • Does any body know if this is could be a key-logger/trojan?
  • How can I close the port?

[Edit] The right command is

sudo lsof -i :999

and then I can see the process

rpc.rquot 704 root 6u IPv4 0xc899fa4ad7097125 0t0 TCP *:garcon (LISTEN)

Now after reading http://linux.die.net/man/8/rpc.rquotad
I suspect that maybe is a port open by fuse4x, or fuse4x-kext

f0nz

Posted 2013-06-06T15:11:52.357

Reputation: 141

Malware can use any name it wants, however there is at least one program named garcon which is not malware.

Cat /var/db/pkg/garcon-0.2.1/+DESC Garcon is an implementation of the freedesktop.org menu specification replacing the former Xfce menu library libxfce4menu. It is based on GLib/GIO only and aims at covering the entire specification except for legacy menus.

WWW: http://www.xfce.org/

– Hennes – 2013-06-06T16:11:55.707

Answers

1

The name you see actually comes from /etc/services file which maps port numbers to well-known service names.

glad the lsof command worked.

strobelight

Posted 2013-06-06T15:11:52.357

Reputation: 473

Asked: 2013-06-06T15:11:52.357

Viewed: 8 834 times

Active: 2016-09-21T23:05:14.000