lsof is one of the most useful utilities for Linux and Unix systems. It stands for "list of open files"; the lsof utility can help identify which files are being used by any given application, which network ports are open, and much more.
A process would show up in top or ps aux, but the executable didn't seem to exist. Using lsof, I could hunt down the scripts or executables used to run the malware.
For example, if you want to see all the open files owned by a process, you can use the -p option (for PID) like so:
"lsof -p XXXXX"
Here, you want to replace XXXXX with the process ID (PID) of the process you want to see. Note that you want to run this as root or using sudo. The output will show the command that has the file open, the PID, the user, the file descriptor, type, size of the file and the name of the file.
You can also see what files are open by users. Running lsof -u user will show all open files by processes owned by the user. You can also substitute the user ID (UID) for the username. If you want to eliminate a user from the listing, use ^user instead. The preceding caret will negate the selection, so the user will be ignored.
If you want to see what files are open over the network, use -i. This will show you which files and sockets are open, along with their respective protocols, hostnames and so on. You can narrow the network selection down by IP version (-i4 for IPv4, -i6 for IPv6), protocol (UDP or TCP), and even hostname or port. By default, lsof will look up hostnames -- but you can turn this off using the -n option. It will run faster without needing to do name lookups.
You can also combine selections with a logical "and" using the -a option. Want to see which network sockets are owned by a particular user or process? Try lsof -u user -a -i. That will show only the open TCP and UDP sockets belonging to that user's processes.
Example (the -P option keeps port numbers numeric instead of converting them to service names):
lsof -i -n -P
That command shows:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 698 root 3u IPv4 3014 0t0 TCP *:22 (LISTEN)
sshd 698 root 4u IPv6 3016 0t0 TCP *:22 (LISTEN)
avahi-dae 726 avahi 12u IPv4 6921 0t0 UDP *:5353
avahi-dae 726 avahi 13u IPv6 6922 0t0 UDP *:5353
avahi-dae 726 avahi 14u IPv4 6923 0t0 UDP *:40507
avahi-dae 726 avahi 15u IPv6 6924 0t0 UDP *:43886
cupsd 805 root 3u IPv4 1994244 0t0 TCP *:631 (LISTEN)
cupsd 805 root 6u IPv6 1994245 0t0 TCP *:631 (LISTEN)
cupsd 805 root 8u IPv4 1994248 0t0 UDP *:631
mysqld 952 mysql 12u IPv4 10623 0t0 TCP *:3306 (LISTEN)
mysqld 952 mysql 34u IPv4 604375 0t0 TCP 127.0.0.1:3306->127.0.0.1:35123 (ESTABLISHED)
mysqld 952 mysql 45u IPv4 2175928 0t0 TCP 127.0.0.1:3306->127.0.0.1:38270 (ESTABLISHED)
master 1069 root 12u IPv4 8851 0t0 TCP *:25 (LISTEN)
apache2 1208 root 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1219 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1220 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1221 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1222 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
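The listing above is useful for a quick look, but on a busy host you usually want it reduced to the question "what is reachable from outside?" The following is an added example, not code from the original article: a small POSIX shell script that parses the output of lsof -i -n -P and summarises the sockets bound to all interfaces (the *:port entries) and the established TCP connections. The sample output embedded in the script is the listing from the article, included so the script runs offline; the function names wildcard_listeners and established_conns are my own.

```shell
#!/bin/sh
# Added example (not part of the original article): summarise `lsof -i -n -P`
# output. The sample below is the article's own listing, embedded so that the
# script runs without lsof installed. On a live system you would replace the
# printf with: sudo lsof -i -n -P | wildcard_listeners

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 698 root 3u IPv4 3014 0t0 TCP *:22 (LISTEN)
sshd 698 root 4u IPv6 3016 0t0 TCP *:22 (LISTEN)
avahi-dae 726 avahi 12u IPv4 6921 0t0 UDP *:5353
avahi-dae 726 avahi 13u IPv6 6922 0t0 UDP *:5353
avahi-dae 726 avahi 14u IPv4 6923 0t0 UDP *:40507
avahi-dae 726 avahi 15u IPv6 6924 0t0 UDP *:43886
cupsd 805 root 3u IPv4 1994244 0t0 TCP *:631 (LISTEN)
cupsd 805 root 6u IPv6 1994245 0t0 TCP *:631 (LISTEN)
cupsd 805 root 8u IPv4 1994248 0t0 UDP *:631
mysqld 952 mysql 12u IPv4 10623 0t0 TCP *:3306 (LISTEN)
mysqld 952 mysql 34u IPv4 604375 0t0 TCP 127.0.0.1:3306->127.0.0.1:35123 (ESTABLISHED)
mysqld 952 mysql 45u IPv4 2175928 0t0 TCP 127.0.0.1:3306->127.0.0.1:38270 (ESTABLISHED)
master 1069 root 12u IPv4 8851 0t0 TCP *:25 (LISTEN)
apache2 1208 root 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1219 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1220 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1221 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)
apache2 1222 www-data 4u IPv6 10534 0t0 TCP *:80 (LISTEN)'

# Read lsof -i -n -P output on stdin and print "PROTO PORT COMMAND" for every
# socket bound to all addresses (NAME starts with "*:"), one line per unique
# proto/port/command, sorted by port. TCP sockets must be in LISTEN state;
# UDP sockets carry no state column in lsof, so any wildcard UDP bind counts.
# Columns: $1 COMMAND, $8 NODE (TCP/UDP), $9 NAME, $10 state (TCP only).
wildcard_listeners() {
  awk 'NR > 1 && index($9, "*:") == 1 && ($10 == "(LISTEN)" || $8 == "UDP") {
         split($9, addr, ":"); print $8, addr[2], $1
       }' | sort -u | sort -k2,2n -k1,1
}

# Read the same output and print "LOCAL->REMOTE COMMAND" for each
# ESTABLISHED TCP connection, i.e. who is currently talking to what.
established_conns() {
  awk 'NR > 1 && $10 == "(ESTABLISHED)" { print $9, $1 }'
}

# Portable line counter (wc -l pads with spaces on some systems).
count_lines() {
  awk 'END { print NR }'
}

printf '%s\n' "$SAMPLE_LSOF" | wildcard_listeners
printf '%s\n' "$SAMPLE_LSOF" | established_conns
```

For the article's listing the first function reduces nineteen lines to nine: the five TCP services (22, 25, 80, 631, 3306) and the four wildcard UDP binds of avahi-daemon and cupsd. The duplicate apache2 workers and the separate IPv4/IPv6 sockets collapse into one line each, which makes it easy to diff the result against an expected-services list on a schedule and alert on anything new.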