Re: process identification
From: Ivan Andres Hernandez Puga (ivan.hernandez_at_globalsis.com.ar)
Date: 05/03/04
- In reply to: Stijn De Weirdt: "process identification"
Date: Mon, 03 May 2004 14:28:30 -0300 To: Stijn De Weirdt <stdweird@carl.ugent.be>
The lsof program shows all the processes and the open ports/files
lsof |grep LIST
will do the work
Stijn De Weirdt wrote:
>hello,
>
>i have a computer that has been (successfully :( ) attacked, and i'm
>currently checking how 'they' did it. the computer has an open port with a
>listening ftp-server, but there is no matching PID with netstat. so here's
>the question: how do i get the process-id?
>
>some data:
>the computer is running some old mandrake version (9.0, kern 2.4.19-16mdk)
>
>'netstat -vapt' output:
>Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>tcp 0 0 xxx.xxx.xxx:81 *:* LISTEN -
>
>(denote the last -)
>
> nmap -p 81 (from another machine) gives
>Port State Service
>81/tcp filtered hosts2-ns
>
>but telnet from the same machine gives (partly)
>220 xxx.xxx.xxx FTP server (Version 1.8 - 2002/01/14 20:09:00) ready.
>
>the ftp-server seems very highly modified, meaning that
>1. there isn't supposed to run one on that computer (but there is one
>installed)
>2. doesn't recognise any commands like cd, ls, get,put, login...
>
>currently port 81 is being DROP/LOG via iptables, and i'm reinstalling it
>in a few days, but any advice on how to look for the server process is
>handy. i have root access to the machine, so that's no problem.
>
>many thanks
>stijn
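
Added example, not part of the original messages: netstat and lsof both find a socket's owner by matching its inode against the /proc/<pid>/fd links, so a listener shown with "-" is one that no visible process directory accounts for. The script below does that correlation directly and also prints the uid recorded in /proc/net/tcp; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Maps each LISTEN socket in
# <proc>/net/tcp to the PIDs whose <proc>/<pid>/fd links carry its inode.
# IPv4 only (tcp6 has the same columns); run as root to read every fd dir.

# Print "pid inode" for each socket descriptor visible under proc root $1.
socket_owners() {
    for fd in "$1"/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case $target in
            socket:\[*\])
                pid=${fd#"$1"/}; pid=${pid%%/*}
                inode=${target#socket:\[}; inode=${inode%\]}
                echo "$pid $inode" ;;
        esac
    done
}

# Print "port uid inode owner" per listener; owner is a comma-separated PID
# list, or UNOWNED when no visible process holds the socket.
listener_owners() {
    owners=$(socket_owners "$1")
    # Columns used: $2 local addr:port in hex, $4 state (0A = LISTEN), $8 uid, $10 inode.
    awk '$4 == "0A" { split($2, a, ":"); print a[2], $8, $10 }' "$1/net/tcp" |
    while read -r hexport uid inode; do
        pids=$(printf '%s\n' "$owners" |
            awk -v i="$inode" '$2 == i { print $1 }' | sort -un | paste -sd, -)
        echo "$((0x$hexport)) $uid $inode ${pids:-UNOWNED}"
    done
}

# Constructed sample tree: a listener on port 22 held by PID 412, and a
# listener on port 81 that no process directory accounts for.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/net" "$d/412/fd"
    {
        echo '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode'
        echo '   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201'
        echo '   1: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7777'
        echo '   2: 0100007F:0016 0100007F:8000 01 00000000:00000000 00:00000000 00000000     0        0 1300'
    } > "$d/net/tcp"
    ln -s 'socket:[1201]' "$d/412/fd/3"
    listener_owners "$d"
    rm -rf "$d"
}

if [ "$#" -gt 0 ]; then listener_owners "$1"; else demo; fi
```

Run it as `sh script.sh /proc` on the live system. UNOWNED also appears for sockets opened by the kernel itself (NFS services, for example) and when the fd directories of other users cannot be read, and on a host that is already compromised the result is only as trustworthy as the binaries and /proc view it relies on.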