Security Basics mailing list archives

Re: process identification


From: Stijn De Weirdt <stdweird () carl ugent be>
Date: Mon, 3 May 2004 19:39:38 +0200 (CEST)

i'm sorry, but i can't find the bad one. i've compared (and included) 
both the lsof and netstat results, and still nothing:


lsof | grep LIST:

COMMAND     PID     USER   FD   TYPE     DEVICE     SIZE       NODE NAME
portmap     841      rpc    4u  IPv4       3028                 TCP *:sunrpc (LISTEN)
rpc.statd   914  rpcuser    6u  IPv4       3130                 TCP *:1024 (LISTEN)
X          1130     root    1u  IPv4       3374                 TCP *:x11 (LISTEN)
sshd       1208     root    3u  IPv4       3490                 TCP *:ssh (LISTEN)
xinetd     1233     root    5u  IPv4       5659                 TCP localhost.localdomain:1056 (LISTEN)
cupsd      1267     root    0u  IPv4       3653                 TCP *:ipp (LISTEN)
master     1620     root   11u  IPv4       3928                 TCP *:smtp (LISTEN)
miniserv.  1953     root    4u  IPv4       4301                 TCP *:10000 (LISTEN)
sshd      26573 stdweird    9u  IPv4     797219                 TCP localhost.localdomain:x11-ssh-offset (LISTEN)

netstat -tavp

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost.localdom:1056 *:*                     LISTEN      1233/xinetd
tcp        0      0 *:1024                  *:*                     LISTEN      914/rpc.statd
tcp        0      0 *:sunrpc                *:*                     LISTEN      841/portmap
tcp        0      0 *:10000                 *:*                     LISTEN      1953/perl
tcp        0      0 *:x11                   *:*                     LISTEN      1130/X
tcp        0      0 xxx.xxx.xxx:81          *:*                     LISTEN      -
tcp        0      0 *:ssh                   *:*                     LISTEN      1208/sshd
tcp        0      0 *:ipp                   *:*                     LISTEN      1267/cupsd
tcp        0      0 *:smtp                  *:*                     LISTEN      1620/master
tcp        0      0 localhos:x11-ssh-offset *:*                     LISTEN      26573/sshd
tcp        0      0 xxx.xxx.xxx:ssh         yyy.yyy.yyy:2497        ESTABLISHED 26571/sshd

stijn

The lsof program shows all the processes and the open ports/files:
lsof | grep LIST
will do the work.
Stijn De Weirdt wrote:

hello, 

i have a computer that has been (successfully :( ) attacked, and i'm 
currently checking how 'they' did it. the computer has an open port with a 
listening ftp-server, but there is no matching PID with netstat. so here's 
the question: how do i get the process-id?

some data:
the computer is running some old mandrake version (9.0, kern 2.4.19-16mdk)

'netstat -vapt' output: 
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 xxx.xxx.xxx:81          *:*                     LISTEN      -

(note the last -)

nmap -p 81 (from another machine) gives
Port       State       Service
81/tcp     filtered    hosts2-ns

but telnet from the same machine gives (partly)
220 xxx.xxx.xxx FTP server (Version 1.8 - 2002/01/14 20:09:00) ready.

the ftp-server seems very highly modified, meaning that
1. there isn't supposed to be one running on that computer (but there is one 
installed)
2. it doesn't recognise any commands like cd, ls, get, put, login...

currently port 81 is being DROP/LOG via iptables, and i'm reinstalling it 
in a few days, but any advice on how to look for the server process is 
handy. i have root access to the machine, so that's no problem.

many thanks
stijn

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
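Added example, not part of the thread above and not anyone's posted code. The "-" that netstat prints in the PID column, and the fact that the port-81 socket does not appear in `lsof | grep LIST` at all, come from the same lookup: both tools take the socket inode from /proc/net/tcp and then search every /proc/<pid>/fd/* symlink for a target of the form socket:[<inode>]. A "-" means no process visible in /proc holds that inode, which is the case for kernel-owned sockets, for a process hidden from /proc, or for a /proc/net/tcp entry that is not what it claims to be. The script below reimplements that lookup in POSIX sh and lists exactly the LISTEN sockets with no owner, so the check can be re-run after each countermeasure. It runs on a constructed miniature /proc tree (the inode numbers, the 192.168.1.2 address and the pid/fd assignments are made up for the demo); on a live host the same functions take /proc/net/tcp and /proc.

```shell
#!/bin/sh
# Added example (not from the original thread): reimplement the lookup that
# `netstat -p` and `lsof` perform, so the "-" in the PID column can be
# reproduced and every LISTEN socket with no visible owner can be listed.
# Both tools read the socket inode from /proc/net/tcp and then search
# /proc/<pid>/fd/* for a symlink whose target is "socket:[<inode>]".

# Decode the little-endian hex IPv4 address used in /proc/net/tcp,
# e.g. 0100007F -> 127.0.0.1
hex_ip() {
  h=$1
  a=${h#??????}
  b=${h%??}; b=${b#????}
  c=${h%????}; c=${c#??}
  d=${h%??????}
  printf '%d.%d.%d.%d' $((0x$a)) $((0x$b)) $((0x$c)) $((0x$d))
}

# Print "inode pid/comm" for every socket referenced from <procroot>/<pid>/fd.
# /proc/<pid>/comm only exists on 2.6.33+ kernels; older ones (like the 2.4
# box in the thread) fall back to "?".
socket_owners() {
  pr=$1
  for fd in "$pr"/[0-9]*/fd/*; do
    [ -L "$fd" ] || continue
    target=$(readlink "$fd")
    case $target in
      'socket:['*']')
        ino=${target#"socket:["}; ino=${ino%"]"}
        pid=${fd#"$pr"/}; pid=${pid%%/*}
        comm=$(cat "$pr/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s/%s\n' "$ino" "$pid" "$comm"
        ;;
    esac
  done
}

# Print "addr:port inode owner" for each LISTEN (st=0A) entry of a file in
# /proc/net/tcp format; owner is "-" when no fd references the inode.
listeners() {
  tcpfile=$1; pr=$2
  owners=$(socket_owners "$pr")
  tail -n +2 "$tcpfile" |
  while read -r sl laddr raddr st txrx trtm retr uid timeout inode rest; do
    [ "$st" = "0A" ] || continue
    owner=$(printf '%s\n' "$owners" | awk -v i="$inode" '$1 == i { print $2; exit }')
    printf '%s:%s %s %s\n' "$(hex_ip "${laddr%:*}")" "$((0x${laddr#*:}))" "$inode" "${owner:--}"
  done
}

# Only the entries that would show "-" in netstat's PID column.
orphan_listeners() {
  listeners "$1" "$2" | awk '$3 == "-"'
}

# Constructed fixture (not real data): a miniature /proc tree mirroring the
# thread. portmap (841) and sshd (1208) own their listening sockets; the
# port-81 listener's inode 797300 is held by no visible process.
make_fixture() {
  fx=$(mktemp -d)
  cat > "$fx/net_tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000    32        0 3028 1 00000000 300 0 0 2 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3490 1 00000000 300 0 0 2 -1
   2: 0201A8C0:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 797300 1 00000000 300 0 0 2 -1
   3: 0201A8C0:0016 0A01A8C0:09C1 01 00000000:00000000 00:00000000 00000000     0        0 797400 1 00000000 300 0 0 2 -1
EOF
  for spec in 841:portmap:4:3028 1208:sshd:3:3490; do
    pid=${spec%%:*}; rest=${spec#*:}
    comm=${rest%%:*}; rest=${rest#*:}
    fdno=${rest%%:*}; ino=${rest#*:}
    mkdir -p "$fx/$pid/fd"
    echo "$comm" > "$fx/$pid/comm"
    ln -s "socket:[$ino]" "$fx/$pid/fd/$fdno"
  done
  echo "$fx"
}

# Demo on the fixture. On a live host run:  listeners /proc/net/tcp /proc
fx=$(make_fixture)
listeners "$fx/net_tcp" "$fx"
rm -rf "$fx"
```

On the fixture the demo prints the sunrpc and ssh listeners with their owners and `192.168.1.2:81 797300 -` for the orphan. The caveat is the same one that applies to netstat and lsof: the script only sees what /proc shows it, so a kernel module that hides a process from /proc hides it from this check too. That is why the disagreement between the host's own view and an outside probe (the nmap and telnet results quoted in the question) is the more trustworthy signal, and why a listener that stays unowned is best examined from a clean boot medium rather than from the running system.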