
Re: finding a process that binds a specific port



Perhaps in your haste, you missed something.

If I run netstat -anpe as a user I get this specific message and the PID column is populated with only a "-" for all entries, just like you showed.

I.e.:

netstat -anpe |grep udp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          5285429                  

See the message?

However, running "sudo netstat -anpe |grep udp" actually displays the PID/Binary
udp        0      0 0.0.0.0:631             0.0.0.0:*                           0          5285429     3334/cupsd     


The Process ID is what you are supposed to use to match a socket to the binary that opened it.


**Try "sudo netstat -anpeev"


You can also try to find the inode. Though, it is a large number and you may not find it on disk.

**Also, try "find / -inum 5950269 -print"


You might also try starting a packet capture and removing the firewall. After a bit kill the packet capture and see what Wireshark tells you.

**"sudo tcpdump -i eth0? -nASs0 -c 500 -w `hostname`-`date +%F-%H%M`.pcap port 10001" This will automatically stop after 500 packets to/from port 10001.




On Wed, 2014-01-22 at 13:20 +0100, Nico Angenon wrote:
Hello,

I think I've been hacked on one of my boxes...

I'm trying to find which process binds a specific port:

# netstat -anpe |grep udp
gives me
udp        0      0 0.0.0.0:10001           0.0.0.0:*                           0          5950269     -
but
# lsof |grep 10001
doesn’t show me anything

I've tried to cat /proc/*/cmdline... no 10001 found
no 10001 in 'ps aux'
no 10001 in 'rpcinfo -p'

Any idea?

Thanks
Nico


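What `netstat -p` does under the hood, as an added example that is not part of this thread: /proc/net/udp lists every UDP socket with its inode, and the `socket:[inode]` symlinks under /proc/<pid>/fd name the owning process. Socket inodes belong to sockfs rather than a disk filesystem, which is why `find / -inum` cannot locate them; the sample /proc/net/udp text and the helper names below are constructed for this example.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/udp, not from the thread, mirroring its two sockets:
# port 10001 = 0x2711 with inode 5950269, and cupsd's 631 = 0x0277 with inode 5285429.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 101: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 0000000000000000 0
 102: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5285429 2 0000000000000000 0
"""

def parse_addr(hexaddr):
    """Decode 'IIIIIIII:PPPP' (little-endian IPv4, hex port) as printed in /proc/net/udp."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def parse_proc_net(text):
    """Return (local ip, local port, socket inode) per row; whitespace column 9 is the inode."""
    rows = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) >= 10:
            ip, port = parse_addr(f[1])
            rows.append((ip, port, int(f[9])))
    return rows

def socket_owners(proc_root="/proc"):
    """Map socket inode -> (pid, comm) by reading the socket:[N] symlinks in <pid>/fd."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            for fd in os.listdir(fd_dir):
                link = os.readlink(os.path.join(fd_dir, fd))
                if link.startswith("socket:["):
                    owners[int(link[8:-1])] = (int(pid), comm)
        except OSError:  # not root for another user's process (netstat's '-'), or it exited mid-scan
            continue
    return owners

def find_port_owner(port, proc_net_text, proc_root="/proc"):
    """(pid, comm) holding the socket bound to `port`, or None when no visible process owns it."""
    owners = socket_owners(proc_root)
    for _ip, p, inode in parse_proc_net(proc_net_text):
        if p == port:
            return owners.get(inode)
    return None
```

Getting None as root for a port that /proc/net/udp still lists means the socket exists in the kernel but its owner is not visible through /proc, which is worth a closer look. IPv6 sockets live in /proc/net/udp6 with 32-hex-digit addresses, which parse_addr does not decode.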