# Strange user SS visible during sockstat -4 -l



## mar.gorski (Aug 3, 2020)

Hello,
When I display sockstat listen command I can see a very different user SS listed on a list of active services.

```
# sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
SS
proxy    ftp-proxy  67974 3  tcp4   127.0.0.1:8021        *:*
(... more services below ...)
```
I scanned the system using chkrootkit to look for a potential rootkit, but nothing has been found. What might be that? Is this a correct and valid state of running FreeBSD 12.1 server installation?

The user is listed, but it has no command and no PID. I also don't see any user like that in my /etc/passwd. After reboot process sometimes disappear and I don't always see SS on the list of running services. The kernel level security is 3.

I also checked different FreeBSD 12.1 installation on VirtualBox and I don't have SS user on sockstat -4 -l list.

What is SS? Should I care? What tools do you use to scan for rootkits beside a chkrootkit (maybe it is outdated and should not be used in 2020)?

Regards,
Marcin


----------



## AngryChris (Aug 3, 2020)

mar.gorski said:


> Hello,
> When I display sockstat listen command I can see a very different user SS listed on a list of active services.
> 
> ```
> ...


Are you sure you've not narrowed your terminal to 71 columns wide? If you do that, the "SS" at the end of "ADDRESS" wraps around to the next line.


----------



## mar.gorski (Aug 3, 2020)

Yeah this is it: optical illusion.  Maybe the question should be deleted because it's too trivial.


----------



## richardtoohey2 (Aug 3, 2020)

mar.gorski said:


> Maybe the question should be deleted because it's too trivial.


It might help someone in the future.

What one of us does today, another might do in the future.


----------

