● Who's listening on that port? - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: cycker (TryToDoEverythingOnLinux), 信区: Linux
标  题: Who's listening on that port?
发信站: 荔园晨风BBS站 (Sun May 18 17:55:19 2003), 站内信件

"I'm having trouble tracking down a process that's running on my machine.
When I run netstat -a, I see lots of things that should be there,
but also the following:

  $ netstat -a
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address    Foreign Address   State
  tcp        0      0 localhost:imaps  *:*               LISTEN
  tcp        0      0 *:smtp           *:*               LISTEN
  ...
  tcp        0      0 *:8577           *:*               LISTEN
  ...

I can't figure out what that is on port 8577. Any ideas?"

My first reaction is almost universally to connect and see if it
says anything useful. So I had him pull out netcat[1] to check the header:

  $ nc localhost 8577
  RFB 003.003

The server process responded with the RFB line. That's what you get when
you connect to a VNC server, just like you'd expect SSH-1.99-OpenSSH....
for an SSH server that supports v1 and v2. Most network daemons will
say something when you connect. You
can usually match the output (aka the banner) to a protocol or process.

However there are two other ways that are even more direct, that can
tie the network port to the actual process that is listening.
For example on the machine running the VNC server on port 8577,
there was no process called vncserver running on the
machine.

So, we turn to two tools: netstat, and our old friend lsof.

Netstat has a -p option that will show you the name and
pid (process id) of the local process that is associated
with a connection. If you're running as root, you can
see the processes for all users. If you're a normal user,
you can only see the processes that are running as you.

So, re-running the netstat above with -p would have yielded

  # netstat -ap
  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address    Foreign Address   State
  tcp        0      0 localhost:imaps  *:*               LISTEN  277/stunnel
  tcp        0      0 *:smtp           *:*               LISTEN  394/master
  ...
  tcp        0      0 *:8577           *:*               LISTEN  57283/bash
  ...

  # ps -fc 57283
  UID    PID  PPID  CLS PRI STIME TTY  STAT  TIME CMD
  doug 57283     1    -  29 10:30   ?  S     0:00 /home/doug/bin/bash

So here we can see that /home/doug/bin/bash (a copy of
vncserver under a different name to avoid detection) is
the process listening on port 8577, and it can be killed
and doug scolded as appropriate.

Alternatively, you can use lsof to do the same thing

  # lsof -i tcp:8577
  COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
  ssh     57283 doug    3u  IPv4   31740       TCP *8577 (LISTEN)

If you're interested in what the process is doing, you can
use lsof -p to see it's open files, strace -p to watch it's
system calls, or ltrace -p to watch library calls. If you're
comfortable with full blown debugging, gdb can attach to it
and give you all the control you could want.[2]

http://www.hackinglinuxexposed.com/articles/20030515.html
--
Welcome to CYCKER'S LINUX_SOFT FTPD ftp://192.168.36.220

※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 192.168.36.220]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店