Linux/UNIX reseller-web-hosting

butonel: Mihai Stancu | January 22nd, 2015

Hosting Management – Command: lsof

A very useful tool for diagnostics and for investigating security problems

lsof - "list of opened files"

usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cgG]]
[-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+|-M] [-o [o]]
[-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]


# lsof -i

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhcpcd 6061 root 4u IPv4 4510 UDP *:bootpc
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)


# lsof -i :22

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 7703 root 3u IPv6 6499 TCP *:ssh (LISTEN)
sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->192.168.1.5:49901 (ESTABLISHED)


# lsof -i@172.16.12.5

sshd 7892 root 3u IPv6 6757 TCP 10.10.1.5:ssh->172.16.12.5:49901 (ESTABLISHED)


# lsof -u mihai

– snipped –
Dock 155 mihai txt REG 14,2 2798436 823208 /usr/lib/libicucore.A.dylib
Dock 155 mihai txt REG 14,2 1580212 823126 /usr/lib/libobjc.A.dylib
Dock 155 mihai txt REG 14,2 2934184 823498 /usr/lib/libstdc++.6.0.4.dylib
Dock 155 mihai txt REG 14,2 132008 823505 /usr/lib/libgcc_s.1.dylib
Dock 155 mihai txt REG 14,2 212160 823214 /usr/lib/libauto.dylib
– snipped –


 

# lsof -c syslog-ng

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 7547 root cwd DIR 3,3 4096 2 /
syslog-ng 7547 root rtd DIR 3,3 4096 2 /
syslog-ng 7547 root txt REG 3,3 113524 1064970 /usr/sbin/syslog-ng
– snipped –


 

# lsof /var/log/messages

COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
syslog-ng 7547 root 4w REG 3,3 217309 834024 /var/log/messages


 

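Very important! lsof +L1 lists open files whose link count is below 1, that is, files that have been unlinked (deleted) but are still held open by a process: "This is often (but not always) indicative of an attacker trying to hide file content by unlinking it."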

# lsof +L1
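
An added example (not part of the original post): the same check as lsof +L1, done directly against /proc on Linux for hosts where lsof is missing or not trusted, plus a helper that copies the unlinked content out while the process still holds it open. The function names find_unlinked_open and recover_unlinked are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): Linux-only, reads /proc directly.
# Run as root to see every process; otherwise only your own are readable.

# Print "PID<TAB>COMMAND<TAB>FD<TAB>PATH" for every open descriptor (and the
# running executable, shown as "exe") whose target has been unlinked.
# Optional $1 restricts the scan to one PID.
find_unlinked_open() (
    pattern="/proc/${1:-[0-9]*}"
    for dir in $pattern; do            # unquoted on purpose: glob expands here
        [ -d "$dir/fd" ] || continue
        pid="${dir#/proc/}"
        comm="$(cat "$dir/comm" 2>/dev/null)" || comm="?"
        for link in "$dir/exe" "$dir"/fd/*; do
            target="$(readlink "$link" 2>/dev/null)" || continue
            case "$target" in
                # The kernel appends " (deleted)" to unlinked paths; a file
                # literally named that way would match too, so verify hits.
                /*" (deleted)") ;;
                *) continue ;;
            esac
            printf '%s\t%s\t%s\t%s\n' \
                "$pid" "$comm" "${link##*/}" "${target% (deleted)}"
        done
    done
    exit 0
)

# Copy the still-open content out through /proc before the process exits.
# Usage: recover_unlinked PID FD DEST
recover_unlinked() {
    cat "/proc/$1/fd/$2" > "$3"
}

# Script mode: pass "scan" as the first argument to list all readable processes.
if [ "${1:-}" = "scan" ]; then
    find_unlinked_open
fi
```

A deleted "exe" entry also appears after ordinary package upgrades, so treat each hit as a lead to verify rather than as proof of compromise.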

 

Other useful commands related to this topic

ls -l /proc/12161/exe   # 12161 is the process ID

ls -l /proc/12161/cwd

pwdx 12161   # 12161 is the process ID

fuser 80/tcp


