GIT – lsof in :

lsof is one of the most powerful tools a sysadmin has for checking and analyzing the processes running on a Linux server. It gives detailed information about each running process, the path to its executable and the library files and other files the process has open. In other words, it lists all open files on the server.

Usage:

lsof [Options]

List all open files on the server using lsof:

lsof

List all TCP/UDP network connections on the server using lsof:

lsof -i

List all network connections except those belonging to the user root:

lsof -i -u^root

The above command is very useful when tracing an attack on the server, because it hides the connections of the (usually expected) root-owned services.

List all TCP connections on the server:

lsof -i tcp

List all UDP connections on the server:

lsof -i udp

List all TCP connections on port 80:

lsof -i tcp:80

List all files opened by a user:

lsof -u root

Replace ‘root’ in the above command with the username you want to trace.

List all files opened by a program (e.g. apache2):

lsof -c apache2

How to use multiple options with the lsof command:

Use “-a” to combine two or more selection options so that only files matching all of them are listed; without it, lsof lists files matching any of the options.

Examples:

List all files opened by apache2 processes running as ‘root’:

lsof -a -c apache2 -u root

List all files opened by mysql inside the /var/lib/ directory:

lsof -a -c mysql +D /var/lib/

Some important uses of the lsof command in analysis.

Tracing malicious programs on the server using lsof:

How to find which processes have the highest number of open files:

lsof | awk '{printf("%s (%s)\n", $1, $2)}' | sort -n | uniq -c | sort -n | tail

The above command counts the open files of each process and lists the 10 processes with the highest number of open files. Append “ -20” to the final tail (i.e. tail -20) if you want to list the 20 processes with the most open files.

Locate unexpected open ports on your server.

– Run the netstat command to check whether any suspicious ports are open:

netstat -an

The output of the above command will look like:

udp 0 0 0.0.0.0:41713 0.0.0.0:*

udp 0 0 0.0.0.0:55566 0.0.0.0:*

udp 0 0 0.0.0.0:7500 0.0.0.0:*

udp 0 0 0.0.0.0:68 0.0.0.0:*

In the above example, if you find an unknown port such as 41713, run the following command to locate the program using that port:

lsof -i udp:41713

Find files that are held open by a process but no longer exist in the file system:

lsof | grep deleted

The output of the above command lists files that are still open in some process even though they have been removed from the file system. You can manually kill/terminate these processes to free the memory; otherwise the memory allotted to these files won't be freed.
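The three triage steps above (ranking processes by open files, finding the owner of an unknown port, and spotting deleted-but-open files) are all awk passes over the standard lsof column layout, so they can be scripted and re-run. The helpers below are an added example, not code from the original post; they assume lsof was invoked with -n -P so that the NAME column shows numeric hosts and ports (e.g. "*:41713") rather than resolved names such as "*:http", and they run offline against a constructed sample in which every process name, PID and path is invented for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): awk helpers over the standard
# column layout of `lsof -n -P` output. Assumes -n -P was used, so the NAME
# column shows numeric hosts and ports instead of resolved names.

# Constructed sample of `lsof -n -P` output, so the helpers run offline;
# processes, PIDs, sizes and paths are invented for illustration.
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND    PID USER     FD   TYPE DEVICE SIZE/OFF   NODE NAME
systemd      1 root    cwd    DIR  253,0     4096      2 /
sshd       812 root      3u  IPv4  18234      0t0    TCP *:22 (LISTEN)
dhclient   640 root      6u  IPv4  15002      0t0    UDP *:68
mysqld    2210 mysql   cwd    DIR  253,0     4096 131074 /var/lib/mysql
mysqld    2210 mysql     5u   REG  253,0 52428800 131090 /var/lib/mysql/ibdata1
mysqld    2210 mysql     7u   REG  253,0  1048576 131105 /var/lib/mysql/ib_logfile0
mysqld    2210 mysql     9u  IPv4  33211      0t0    TCP *:3306 (LISTEN)
apache2   3012 www-data cwd    DIR  253,0     4096   1025 /var/www
apache2   3012 www-data  2w   REG  253,0   734003 262199 /var/log/apache2/error.log.1 (deleted)
apache2   3012 www-data  4u  IPv4  60123      0t0    TCP *:80 (LISTEN)
unknownd  4321 www-data  4u  IPv4  90120      0t0    UDP *:41713
unknownd  4321 www-data  3r   REG  253,0    16384 393411 /tmp/.x (deleted)
EOF
)

# Top-N processes by number of open files, read from stdin. Groups on the
# PID column ($2) instead of the whole "COMMAND (PID)" string, so a process
# is counted once even if its command name is shown differently on some
# lines. Output: "<count> <pid> <command>", highest first.
count_open_files() {
  awk 'NR > 1 { n[$2]++; cmd[$2] = $1 }
       END { for (p in n) print n[p], p, cmd[p] }' |
    sort -rn | head -n "${1:-10}"
}

# Files a process still holds open after they were unlinked. lsof appends
# " (deleted)" to the NAME column; the path starts at field 9 and may contain
# spaces, so everything between field 9 and the marker is rejoined.
# Output: "<pid> <command> <size> <path>".
deleted_open_files() {
  awk '/\(deleted\)$/ {
         path = $9
         for (i = 10; i < NF; i++) path = path " " $i
         print $2, $1, $7, path
       }'
}

# Owner of a local port, e.g. `port_owner UDP 41713`. With -n -P the NAME
# column is "*:41713", "10.0.0.5:22->10.0.0.9:50112" or "[::1]:3306": the
# local endpoint is the part before "->" and the port follows its last colon.
# Output: "<command> <pid> <user>" (nothing if no process matches).
port_owner() {
  awk -v proto="$1" -v port="$2" '
    NR > 1 && toupper($8) == toupper(proto) {
      split($9, ep, "->")
      n = split(ep[1], parts, ":")
      if (parts[n] == port) print $1, $2, $3
    }'
}

# Stand-alone run over the constructed sample. On a live system replace the
# printf with `lsof -n -P` (or `lsof -n -P -i` for the network-only checks).
printf '%s\n' "$SAMPLE_LSOF" | count_open_files 3
printf '%s\n' "$SAMPLE_LSOF" | deleted_open_files
printf '%s\n' "$SAMPLE_LSOF" | port_owner UDP 41713
```

Grouping on the PID column matters when a server runs many threads or worker processes: the per-process count is what tells you which single process has an unusual number of files, whereas the page's pipeline keys on the command name and PID string together. The port lookup matches on the local endpoint only, so a process that merely connected out to port 41713 on some other host is not reported as its owner.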
