Thursday, 4 October 2012

Use of lsof


lsof is one of the most useful utilities for Linux and Unix systems. It stands for "list of open files": the lsof utility can help identify which files are being used by any given application, which network ports are open, and much more.

A process would show up in top or ps aux, but the executable didn't seem to exist. Using lsof, I could hunt down the scripts or executables used to run the malware.

For example, if you want to see all the open files owned by a process, you can use the -p option (for PID) like so:

 lsof -p XXXXX

Here, you want to replace XXXXX with the process ID (PID) of the process you want to see. Note that you want to run this as root or using sudo, otherwise you will only see the files of processes you own. The output will show the command that has the file open, the PID, the user, the file descriptor, the type, the size (or offset) of the file and the name of the file.

You can also see what files are open by users. Running lsof -u user will show all open files by processes owned by that user. You can also substitute the user ID (UID) for the username. If you want to exclude a user from the listing, use ^user instead (lsof -u ^user). The preceding caret negates the selection, so that user's processes are ignored.

If you want to see what files are open over the network, use -i. This will show you which files and sockets are open, and their respective protocols, hostnames and so on. You can narrow the network selection down by IP version (-i4 for IPv4, -i6 for IPv6), protocol (UDP or TCP), and even hostname or port. By default, lsof will look up hostnames, but you can turn this off using the -n option. It will run faster without needing to do name lookups.

You can also "and" selections together using the -a option. Want to see what network sockets are owned by a particular user or process? Try lsof -u user -a -i. That will show only the open TCP and UDP sockets belonging to that user.

Example:

 lsof -i -n -P

That command shows output like this:

COMMAND     PID       USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd        698       root    3u  IPv4    3014      0t0  TCP *:22 (LISTEN)
sshd        698       root    4u  IPv6    3016      0t0  TCP *:22 (LISTEN)
avahi-dae   726      avahi   12u  IPv4    6921      0t0  UDP *:5353
avahi-dae   726      avahi   13u  IPv6    6922      0t0  UDP *:5353
avahi-dae   726      avahi   14u  IPv4    6923      0t0  UDP *:40507
avahi-dae   726      avahi   15u  IPv6    6924      0t0  UDP *:43886
cupsd       805       root    3u  IPv4 1994244      0t0  TCP *:631 (LISTEN)
cupsd       805       root    6u  IPv6 1994245      0t0  TCP *:631 (LISTEN)
cupsd       805       root    8u  IPv4 1994248      0t0  UDP *:631
mysqld      952      mysql   12u  IPv4   10623      0t0  TCP *:3306 (LISTEN)
mysqld      952      mysql   34u  IPv4  604375      0t0  TCP 127.0.0.1:3306->127.0.0.1:35123 (ESTABLISHED)
mysqld      952      mysql   45u  IPv4 2175928      0t0  TCP 127.0.0.1:3306->127.0.0.1:38270 (ESTABLISHED)
master     1069       root   12u  IPv4    8851      0t0  TCP *:25 (LISTEN)
apache2    1208       root    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)
apache2    1219   www-data    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)
apache2    1220   www-data    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)
apache2    1221   www-data    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)
apache2    1222   www-data    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)
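Output like the listing above is easy to script against. The following is an added example, not code from the original post: three small POSIX sh helpers that parse lsof output to list listening TCP ports, flag listeners that are not on an allowlist, and find processes whose executable has been unlinked (the "process is running but the binary is gone" case mentioned earlier). SAMPLE_NET is the post's own lsof -i -n -P output re-embedded (abridged); SAMPLE_PROC is a constructed lsof -p listing for a hypothetical process "svc" with PID 1337 and path /tmp/svc, and the allowlist "22 80 3306" is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers that parse lsof output.
# SAMPLE_NET: the post's `lsof -i -n -P` output, abridged.
# SAMPLE_PROC: constructed `lsof -p 1337` output for a hypothetical process
# "svc" whose binary /tmp/svc was unlinked after it started.
# In real use, pipe live `sudo lsof ...` output into the functions instead.

SAMPLE_NET='COMMAND     PID       USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd        698       root    3u  IPv4    3014      0t0  TCP *:22 (LISTEN)
sshd        698       root    4u  IPv6    3016      0t0  TCP *:22 (LISTEN)
avahi-dae   726      avahi   12u  IPv4    6921      0t0  UDP *:5353
cupsd       805       root    3u  IPv4 1994244      0t0  TCP *:631 (LISTEN)
cupsd       805       root    6u  IPv6 1994245      0t0  TCP *:631 (LISTEN)
cupsd       805       root    8u  IPv4 1994248      0t0  UDP *:631
mysqld      952      mysql   12u  IPv4   10623      0t0  TCP *:3306 (LISTEN)
mysqld      952      mysql   34u  IPv4  604375      0t0  TCP 127.0.0.1:3306->127.0.0.1:35123 (ESTABLISHED)
master     1069       root   12u  IPv4    8851      0t0  TCP *:25 (LISTEN)
apache2    1208       root    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)
apache2    1219   www-data    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)
apache2    1220   www-data    4u  IPv6   10534      0t0  TCP *:80 (LISTEN)'

SAMPLE_PROC='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
svc     1337 root  cwd    DIR  253,0     4096      2 /
svc     1337 root  txt    REG  253,0    23456  98765 /tmp/svc (deleted)
svc     1337 root    0u   CHR    1,3      0t0      5 /dev/null'

# Print "port command user" for every TCP socket in LISTEN state, one line per
# distinct (port, command, user), sorted by port.
# Input on stdin: `lsof -i -n -P` output (columns as in the header above).
listening_ports() {
    awk '$8 == "TCP" && $10 == "(LISTEN)" {
        n = split($9, addr, ":")   # NAME is host:port, e.g. *:22 or [::1]:631
        print addr[n], $1, $3
    }' | LC_ALL=C sort -u | LC_ALL=C sort -n -k1,1
}

# Compare listeners against an allowlist of expected ports ($1, space separated)
# and print anything else: a simple baseline check for a host audit.
unexpected_listeners() {
    listening_ports | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print "UNEXPECTED", $0 }'
}

# Print "pid command path" for processes whose executable (FD column "txt") has
# been unlinked; on Linux, lsof appends "(deleted)" to the NAME of such files.
# Input on stdin: `lsof -p PID` output. Paths containing spaces are not handled.
deleted_executables() {
    awk '$4 == "txt" && $NF == "(deleted)" { print $2, $1, $(NF-1) }'
}

# Demo on the embedded samples.
echo "== listening TCP ports =="
printf '%s\n' "$SAMPLE_NET" | listening_ports
echo "== listeners not in allowlist 22 80 3306 =="
printf '%s\n' "$SAMPLE_NET" | unexpected_listeners "22 80 3306"
echo "== processes running from a deleted executable =="
printf '%s\n' "$SAMPLE_PROC" | deleted_executables
```

Run it as a script to see the demo, or source it and feed live output: sudo lsof -i -n -P | listening_ports, or sudo lsof -p 1337 | deleted_executables. The -P flag in the post's example disables the conversion of port numbers to service names, just as -n disables hostname lookups, which is what keeps the NAME column in the numeric form the awk filters expect. lsof can also do part of this filtering itself: -i TCP:22 selects a single protocol and port, and +L1 lists open files whose link count is below one, which catches deleted executables across all processes in one go.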