Understanding netstats - tracing processes
Posted by placebo, 07-05-2008, 06:43 AM | Hello,
I was checking my netstat and I saw something like this:
I see that there are some connections from my server to some remote MySQL server, and I am curious to know which script is running them. (192.168.30.98:40493 207.45.xxx.xx:3306 5339/httpd)
I tried lsof, but it does not point directly to the website running this connection.
I also see some strange connections like:
I want to know if this is some uncontrolled script on my server.
|
Posted by pmabraham, 07-05-2008, 10:48 AM | Greetings:
Consider running lsof against the process id.
See http://www.manpagez.com/man/8/lsof/
Thank you.
|
Posted by eth1, 07-05-2008, 12:49 PM | You can take the process ID (PID) and check under /proc.
The line containing 'cwd' would show the current working directory of the process.
lsof would also give you a lot of information.
|
Posted by placebo, 07-05-2008, 02:01 PM | Thank you eth1,
I don't get anything interesting:
Also, with lsof -p (I had tried it before), I just see a set of the modules and the logs that Apache is running with.
|
Posted by placebo, 07-07-2008, 07:42 PM | I posted earlier and I still have this problem: I find connections similar to the one below.
It looks like some processes from my server are accessing some remote website, and I really would like to know if this is some malicious script on my server.
Sometimes there is no PID at all, or when I find a PID (always an Apache PID similar to PID/httpd), I cannot check it with lsof -p as the process has finished.
Does anyone know how to find out how these connections are made?
|
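The /proc check suggested in the thread, combined with polling so that short-lived processes are recorded before they exit, as an added example that is not part of any post above. It assumes the Linux net-tools `netstat -tnp` column layout; the function names and the sample rows (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Sample rows below are constructed.

# Constructed `netstat -tnp` output: one owned socket, one TIME_WAIT row
# (no owning process, shown as "-"), and one unrelated connection.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address        Foreign Address      State       PID/Program name
tcp        0      0 192.168.30.98:40493  203.0.113.10:3306    ESTABLISHED 5339/httpd
tcp        0      0 192.168.30.98:40501  203.0.113.10:3306    TIME_WAIT   -
tcp        0      0 192.168.30.98:22     198.51.100.7:51515   ESTABLISHED 812/sshd: admin
EOF
}

# Read `netstat -tnp` output on stdin; print the PIDs that own a TCP
# connection to remote port $1. Rows without a numeric PID are skipped.
pids_for_remote_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            n = split($5, addr, ":")     # field 5 = foreign address:port
            if (addr[n] != port) next
            split($7, owner, "/")        # field 7 = PID/Program name
            if (owner[1] ~ /^[0-9]+$/) print owner[1]
        }' | sort -un
}

# Print what /proc holds for PID $1; return 1 if it has already exited.
snapshot_pid() {
    [ -d "/proc/$1" ] || { echo "pid=$1 exited"; return 1; }
    echo "pid=$1"
    echo "cwd=$(readlink "/proc/$1/cwd" 2>/dev/null)"
    echo "cmdline=$(tr '\0' ' ' 2>/dev/null < "/proc/$1/cmdline")"
}

# Poll once per second and log a snapshot of every owner of remote port $1.
watch_port() {
    while :; do
        for pid in $(netstat -tnp 2>/dev/null | pids_for_remote_port "$1"); do
            date '+%F %T'
            snapshot_pid "$pid" || true
        done
        sleep 1
    done
}

# Usage (as root, so other users' PIDs are visible): sh trace.sh --watch 3306
if [ "${1:-}" = "--watch" ]; then watch_port "$2"; fi
```

Redirect the output of `--watch` to a file and compare its timestamps with the web server's access log to narrow down which request opened the connection.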