You can the following programs to find out about port numbers and its associated process:
- netstat - a command-line tool that displays network connections, routing tables, and a number of network interface statistics.
- fuser - a command line tool to identify processes using files or sockets.
- lsof - a command line tool to list open files under Linux / UNIX to report a list of all open files and the processes that opened them.
- /proc/$pid/ file system - Under Linux /proc includes a directory for each running process (including kernel processes) at /proc/PID, containing information about that process, notably including the processes name that opened port.
netstat example
Type the following command:# netstat -tulpn
Sample outputs:
Active Internet connections (only servers)TCP port 3306 was opened by mysqld process having PID # 1138. You can verify this using /proc, enter:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1138/mysqld
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 850/portmap
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1607/apache2
tcp 0 0 0.0.0.0:55091 0.0.0.0:* LISTEN 910/rpc.statd
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1467/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 992/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1565/cupsd
tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN 3813/transmission
tcp6 0 0 :::22 :::* LISTEN 992/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1565/cupsd
tcp6 0 0 :::7000 :::* LISTEN 3813/transmission
udp 0 0 0.0.0.0:111 0.0.0.0:* 850/portmap
udp 0 0 0.0.0.0:662 0.0.0.0:* 910/rpc.statd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1467/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1467/dnsmasq
udp 0 0 0.0.0.0:68 0.0.0.0:* 3697/dhclient
udp 0 0 0.0.0.0:7000 0.0.0.0:* 3813/transmission
udp 0 0 0.0.0.0:54746 0.0.0.0:* 910/rpc.statd
# ls -l /proc/1138/exe
Sample outputs:
lrwxrwxrwx 1 root root 0 2010-10-29 10:20 /proc/1138/exe -> /usr/sbin/mysqldYou can use grep command to filter out information:
# netstat -tulpn | grep :80
Sample outputs:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1607/apache2
fuser command
Find out the processes PID that opened tcp port 7000, enter:# fuser 7000/tcp
Sample outputs:
7000/tcp: 3813Finally, find out process name associated with PID # 3813, enter:
# ls -l /proc/3813/exe
Sample outputs:
lrwxrwxrwx 1 vivek vivek 0 2010-10-29 11:00 /proc/3813/exe -> /usr/bin/transmission/usr/bin/transmission is a bittorrent client, enter:
# man transmission
OR
# whatis transmission
Sample outputs:
transmission (1) - a bittorrent client
Task: Find Out Current Working Directory Of a Process
To find out current working directory of a process called bittorrent or pid 3813, enter:# ls -l /proc/3813/cwd
Sample outputs:
lrwxrwxrwx 1 vivek vivek 0 2010-10-29 12:04 /proc/3813/cwd -> /home/vivek
OR use pwdx command, enter:# pwdx 3813
Sample outputs:
3813: /home/vivek
Task: Find Out Owner Of a Process
Use the following command to find out the owner of a process PID called 3813:# ps aux | grep 3813
OR
# ps aux | grep '[3]813'
Sample outputs:
vivek 3813 1.9 0.3 188372 26628 ? Sl 10:58 2:27 transmissionOR try the following ps command:
# ps -eo pid,user,group,args,etime,lstart | grep '[3]813'
Sample outputs:
3813 vivek vivek transmission 02:44:05 Fri Oct 29 10:58:40 2010Another option is /proc/$PID/environ, enter:
# cat /proc/3813/environ
OR
# grep --color -w -a USER /proc/3813/environ
Sample outputs (note --colour option):
lsof Command Example
Type the command as follows:lsof -i :portNumberSample outputs:
lsof -i tcp:portNumber
lsof -i udp:portNumber
lsof -i :80
lsof -i :80 | grep LISTEN
apache2 1607 root 3u IPv4 6472 0t0 TCP *:www (LISTEN)Now, you get more information about pid # 1607 or 1616 and so on:
apache2 1616 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN)
apache2 1617 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN)
apache2 1618 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN)
apache2 1619 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN)
apache2 1620 www-data 3u IPv4 6472 0t0 TCP *:www (LISTEN)
# ps aux | grep '[1]616'
Sample outputs:
www-data 1616 0.0 0.0 35816 3880 ? S 10:20 0:00 /usr/sbin/apache2 -k start
I recommend the following command to grab info about pid # 1616:
# ps -eo pid,user,group,args,etime,lstart | grep '[1]616'
Sample outputs:
1616 www-data www-data /usr/sbin/apache2 -k start 03:16:22 Fri Oct 29 10:20:17 2010Where,
- 1616 : PID
- www-date : User name (owner - EUID)
- www-date : Group name (group - EGID)
- /usr/sbin/apache2 -k start : The command name and its args
- 03:16:22 : Elapsed time since the process was started, in the form [[dd-]hh:]mm:ss.
- Fri Oct 29 10:20:17 2010 : Time the command started.
Help: I Discover an Open Port Which I Don't Recognize At All
The file /etc/services is used to map port numbers and protocols to service names. Try matching port numbers:$ grep port /etc/services
$ grep 443 /etc/services
Sample outputs:
https 443/tcp # http protocol over TLS/SSL
https 443/udp
Check For rootkit
I strongly recommend that you find out which processes are really running, especially servers connected to the high speed Internet access. You can look for rootkit which is a program designed to take fundamental control (in Linux / UNIX terms "root" access, in Windows terms "Administrator" access) of a computer system, without authorization by the system's owners and legitimate managers. See how to detecting / checking rootkits under Linux.Keep an Eye On Your Bandwidth Graphs
Usually, rooted servers are used to send a large number of spam or malware or DoS style attacks on other computers.See also:
See the following man pages for more information:$ man ps
$ man grep
$ man lsof
$ man netstat
$ man fuser
No comments:
Post a Comment