Re: finding a process that binds a specific port
Perhaps in your haste, you missed something.
If I run netstat -anpe as a user I get this specific message and the PID column is populated with only a "-" for all entries, just like you showed.
I.E.
netstat -anpe |grep udp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
udp 0 0 0.0.0.0:631 0.0.0.0:* 0 5285429 -
See the message?
However, running "sudo netstat -anpe |grep udp" actually displays the PID/Binary
udp 0 0 0.0.0.0:631 0.0.0.0:* 0 5285429 3334/cupsd
The Process ID is what you are supposed to use to match a socket to the binary that opened it.
**Try "sudo netstat -anpeev"
You can also try to find the inode. Though, it is a large number and you may not find it on disk.
**Also, try "find / -inum 5950269 -print"
You might also try starting a packet capture and removing the firewall. After a bit kill the packet capture and see what Wireshark tells you.
**"sudo tcpdump -i eth0? -nASs0 -c 500 -w `hostname`-`date +%F-%H%M`.pcap port 10001" This will automatically stop after 500 packets to/from port 10001.
On Wed, 2014-01-22 at 13:20 +0100, Nico Angenon wrote:
Hello,
I think I've been hacked on one of my boxes...
I'm trying to find which process binds a specific port:
# netstat -anpe |grep udp
gives me
udp 0 0 0.0.0.0:10001 0.0.0.0:* 0 5950269 -
but
# lsof |grep 10001
doesn’t show me anything
I've tried to cat /proc/*/cmdline... no 10001 found
no 10001 in ‘ps aux’
no 10001 in ‘rpcinfo –p’
any idea ?
Thanks
Nico
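An added example, not code from either message in this thread, of the inode matching the reply describes: read the socket inode for a port from /proc/net/udp (the table netstat itself reads), then find which PID holds a descriptor linking to that inode by scanning /proc/*/fd, which is what netstat -p and lsof do. Socket inodes belong to the kernel's socket pseudo-filesystem rather than to a disk filesystem, so a "find / -inum" will not turn them up. The sample table, the script name portowner.sh and the 10001 port are constructed for illustration; for IPv6 sockets read /proc/net/udp6 instead.

```sh
#!/bin/sh
# Added example (not from the thread): map a bound UDP port to its socket
# inode via /proc/net/udp, then map that inode to a PID by scanning
# /proc/*/fd, which is what netstat -p does internally. Socket inodes live
# in the kernel's sockfs, not on disk, so "find / -inum" cannot locate them.

# Constructed sample in /proc/net/udp format (addresses and ports are hex;
# 0x2711 = 10001, 0x0277 = 631; the inode is the 10th column).
SAMPLE_PROC_NET_UDP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 00000000:2711 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5950269 2 0000000000000000 0
  124: 00000000:0277 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5285429 2 0000000000000000 0'

# inode_for_port PORT [TABLE]: print the inode(s) of sockets bound to PORT.
# TABLE defaults to /proc/net/udp; pass "-" to read a table from stdin.
inode_for_port() {
    port_hex=$(printf '%04X' "$1")
    awk -v p="$port_hex" 'NR > 1 { split($2, a, ":"); if (a[2] == p) print $10 }' \
        "${2:-/proc/net/udp}"
}

# pid_for_inode INODE: print "PID cmdline" for every process holding a
# descriptor that links to socket:[INODE]. Needs root to read other users'
# /proc/PID/fd; an inode present in /proc/net/udp but absent here means
# the owner is hidden from /proc or the descriptor has since been closed.
pid_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done | sort -u
}

# Usage: sudo ./portowner.sh 10001   (live lookup on the system under investigation)
if [ -n "${1:-}" ]; then
    for ino in $(inode_for_port "$1"); do
        echo "port $1 -> inode $ino"
        pid_for_inode "$ino"
    done
fi
```

Run without root, pid_for_inode prints nothing for other users' processes, which is the same "-" netstat shows. Run as root, a port whose inode is listed in /proc/net/udp but which no /proc/PID/fd entry links to is the interesting case: either the process is hiding itself from /proc, or the socket is held by something that does not show up as an ordinary process, and the packet capture suggested in the reply is the next step.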