Re: process identification

From: Ivan Andres Hernandez Puga (ivan.hernandez_at_globalsis.com.ar)
Date: 05/03/04

    Date: Mon, 03 May 2004 14:28:30 -0300
    To: Stijn De Weirdt <stdweird@carl.ugent.be>
    
    

    The lsof program shows all the processes and the open ports/files.
    lsof | grep LIST
    will do the work.

    Stijn De Weirdt wrote:

    >hello,
    >
    >i have a computer that has been (successfully :( ) attacked, and i'm
    >currently checking how 'they' did it. the computer has an open port with a
    >listening ftp-server, but there is no matching PID with netstat. so here's
    >the question: how do i get the process-id?
    >
    >some data:
    >the computer is running some old mandrake version (9.0, kern 2.4.19-16mdk)
    >
    >'netstat -vapt' output:
    >Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    >tcp 0 0 xxx.xxx.xxx:81 *:* LISTEN -
    >
    >(denote the last -)
    >
    > nmap -p 81 (from another machine) gives
    >Port State Service
    >81/tcp filtered hosts2-ns
    >
    >but telnet from the same machine gives (partly)
    >220 xxx.xxx.xxx FTP server (Version 1.8 - 2002/01/14 20:09:00) ready.
    >
    >the ftp-server seems very highly modified, meaning that
    >1. there isn't supposed to run one on that computer (but there is one
    >installed)
    >2. doesn't recognise any commands like cd, ls, get,put, login...
    >
    >currently port 81 is being DROP/LOG via iptables, and i'm reinstalling it
    >in a few days, but any advice on how to look for the server process is
    >handy. i have root access to the machine, so that's no problem.
    >
    >many thanks
    >stijn
    >


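Added example, not part of the original messages: the PID column of netstat -p is filled by matching socket inodes from /proc/net/tcp against the socket:[inode] links under /proc/<pid>/fd, and this sketch does that match directly so listeners with no visible owner stand out. The function names, the proc_root parameter and the sample table are assumptions made for illustration; the sample rows are constructed.

```python
import os
import re

# Constructed sample in /proc/net/tcp format (not data from the thread):
# row 0 listens on port 0x0051 = 81 (st 0A = LISTEN), row 1 is an established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1 c1234560 300 0 0 2 -1
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 5151 1 c1234570 300 0 0 2 -1
"""

def listening_sockets(table_text):
    """Return {inode: port} for every LISTEN row of a /proc/net/tcp table."""
    result = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 10 and fields[3] == "0A":  # 0A is the LISTEN state
            result[int(fields[9])] = int(fields[1].rsplit(":", 1)[1], 16)
    return result

def socket_owners(proc_root="/proc"):
    """Map socket inode -> set of PIDs by reading the <pid>/fd symlinks."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:  # process exited mid-scan, or insufficient privilege
            continue
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners

def report(table_text, owners):
    """Return [(port, inode, sorted pids)]; an empty pid list is an orphan listener."""
    return [(port, inode, sorted(owners.get(inode, ())))
            for inode, port in sorted(listening_sockets(table_text).items())]

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        for port, inode, pids in report(f.read(), socket_owners()):
            print(port, inode, pids or "NO VISIBLE OWNER")
```

Run as root, a listener reported with no PIDs is the "-" case from the question: no process visible in /proc holds the socket, so the owner is either hidden from /proc or the socket belongs to the kernel.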
