How to close an open port in Mac

Tags: firewall, network, terminal

Using Netstat (within Network Utility), I discovered an unusual IP address — this IP address occasionally uses 9 different open ports, including ports 9998 and 9999. I also did a Zenmap scan, and it said the service name for port 9999 is "abyss" — I looked this up, and apparently it is a malicious service.

The unusual IP address appeared within the Netstat option, "Display the state of all current socket connections". The IP address does not appear to be associated with any applications on my computer (e.g. it isn't from Apple, Amazon, etc.)

The unusual IP address appears to be using the following open ports: 22, 80, 110, 143, 443, 993, 995, 9998 and 9999. Apparently ports 80 and 443 use the "http" service.

I've been trying to figure out how to close these open ports, but I can't figure out how; it is very frustrating. I'm using Mac OS Sierra. The "lsof" command in terminal doesn't work. I type in lsof (for example, lsof -i:9999) and nothing happens. Is there a terminal command (other than lsof) that can close open ports?

One option which doesn't work is the "tcpkill" command, which apparently can close TCP ports, but it must be downloaded and I can't figure out how to download it.

Also, is there a Mac program that specifically closes open ports?

It's really annoying that programs like Network Utility (Netstat) and Zenmap tell you what ports are open, but then don't tell you how to close them.

Also, is there a way to blacklist (block) a specific IP address so that it can't connect? (Can it be done in terminal?) This would be useful for ports that I probably want to keep open (such as port 80) but want to block a specific IP address from connecting to it.

Edit: I discovered that the unusual IP address is a Tor IP address, and it only occurs when I use Tor Browser — however, it is not associated with any of the Tor "nodes" I am currently using, which is weird. When I say that the IP address is "using" a TCP port, what I mean is the following: within Netstat (and using the "Display the state of all current socket connections" option), in the "Foreign Address" column, the mysterious Tor IP address appears — and in the (state) column, it says "ESTABLISHED" (meaning, an established connection). The Tor IP address appears to be using port 9999. I also occasionally see a second mysterious Tor IP address in the "Foreign Address" column. That entity uses "http" (not "https"), which is also weird.

Also, as I said earlier, the mysterious Tor IP address appears to be using a number of other ports on my computer, such as ports 80, 443, and 9998. I will use lsof to try and stop the port 9999 process.

Best Answer

Ports on macOS only open when a process requests to listen on that port.

First order of business is to list the process tree and hope one single running process has that port open.

sudo lsof -i:9999

Should that fail, now you have a special helper process that will register non-running processes that get woken or spawned when packets come in for them. This process is launchd. Think of it like a doorman that lets the system idle until a process is needed to handle something over its registered ports.

Since your question has about five sub questions, let’s leave this small answer to a very large question and perhaps you can ask a follow up question detailing how to learn launchd and where it stores its configurations. That alone would be a couple times larger than your original post. As is a summary of firewall operations. Each of these depends on specific macOS versions for the details that are relevant.

To summarize, you close a TCP or UDP port by identifying the process that opened it and stopping that process or changing the configuration file that tells launchd to listen as a proxy.
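As an added example (not part of the original answer), the shell function below applies the "identify the process" step to `lsof -nP -i` output: for a given port it reports whether a local process is listening on it, whether launchd holds it on behalf of an on-demand service, or whether the port only appears on the remote end of an established connection. The function names and the sample lsof lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `lsof -nP -i` output (documentation IPs, made-up PIDs).
sample_lsof() {
cat <<'EOF'
COMMAND   PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
launchd     1  root   10u  IPv4 0xa1      0t0  TCP *:22 (LISTEN)
launchd     1  root   11u  IPv6 0xa2      0t0  TCP *:22 (LISTEN)
httpd     412  _www    4u  IPv6 0xa3      0t0  TCP *:80 (LISTEN)
firefox   733  alice  52u  IPv4 0xa4      0t0  TCP 192.168.1.5:51234->203.0.113.7:9999 (ESTABLISHED)
firefox   733  alice  53u  IPv4 0xa5      0t0  TCP 192.168.1.5:51240->198.51.100.9:443 (ESTABLISHED)
mDNSRespo 201  _mdns   7u  IPv4 0xa6      0t0  UDP *:5353
EOF
}

# port_owners PORT: read lsof output on stdin, print one line per owner:
#   LISTEN   PORT CMD PID         a local process opened PORT
#   LAUNCHD  PORT CMD PID         launchd listens on behalf of a service
#   INBOUND  PORT CMD PID REMOTE  a remote host is connected to local PORT
#   OUTBOUND PORT CMD PID REMOTE  PORT belongs to the remote host, not this Mac
port_owners() {
    awk -v port="$1" '
    # The port is whatever follows the last colon (works for *:22 and [::1]:80).
    function lastport(addr,   n, parts) { n = split(addr, parts, ":"); return parts[n] }
    NR == 1 { next }                      # skip the header row
    {
        name = $9; line = ""
        if (index(name, "->")) {          # connected socket: local->remote
            split(name, ends, "->")
            if (lastport(ends[1]) == port)      line = "INBOUND " port " " $1 " " $2 " " ends[2]
            else if (lastport(ends[2]) == port) line = "OUTBOUND " port " " $1 " " $2 " " ends[2]
        } else if (lastport(name) == port) {    # unconnected socket bound to PORT
            kind = ($1 == "launchd") ? "LAUNCHD" : "LISTEN"
            line = kind " " port " " $1 " " $2
        }
        # IPv4 and IPv6 sockets of the same process collapse into one line.
        if (line != "" && !seen[line]++) print line
    }'
}

# Demo on the constructed sample; on a Mac: sudo lsof -nP -i | port_owners 9999
sample_lsof | port_owners "${1:-9999}"
```

A `LISTEN` or `LAUNCHD` line names the process or launchd job to stop or reconfigure; an `OUTBOUND` line means the port is open on the remote host, so the local action is to quit the listed process or filter the remote address.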
