To check the open ports on your local system (replace localhost with the server name if you want to check a remote server for open ports):
[soj@centos perl]$ sudo nmap -sTU localhost
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
To list open files and sockets, use the lsof command.
sudo lsof -i lists all open Internet files/sockets.
From the nmap output above, you can find the command behind each service as follows:
[soj@centos perl]$ sudo lsof -i :ssh
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1579 root 3u IPv4 10986 0t0 TCP *:ssh (LISTEN)
sshd 1579 root 4u IPv6 10988 0t0 TCP *:ssh (LISTEN)
[soj@centos perl]$ sudo lsof -i :smtp
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sendmail 26450 root 4u IPv4 38120 0t0 TCP localhost.localdomain:smtp (LISTEN)
[soj@centos perl]$ sudo lsof -i :domain
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
named 1310 named 20u IPv4 9857 0t0 TCP localhost.localdomain:domain (LISTEN)
named 1310 named 24u IPv4 38186 0t0 TCP centos.sandbox:domain (LISTEN)
named 1310 named 512u IPv4 9856 0t0 UDP localhost.localdomain:domain
named 1310 named 513u IPv4 38185 0t0 UDP centos.sandbox:domain
[soj@centos perl]$ sudo lsof -i :http
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1627 root 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20083 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20084 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
You can also give lsof the port number instead of the service name:
[soj@centos ~]$ sudo lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1627 root 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20083 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20084 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
———————-
To find files that have a link count less than 1 (i.e. the file has been deleted from the directory tree, but a process still holds it open and may keep writing to it):
[soj@centos ~]$ sudo lsof +L 1
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NLINK NODE NAME
nautilus 1989 soj 19r REG 253,0 5752 0 393090 /home/soj/.local/share/gvfs-metadata/home (deleted)
nautilus 1989 soj 20r REG 253,0 32768 0 399003 /home/soj/.local/share/gvfs-metadata/home-703674be.log (deleted)
gnome-ter 2072 soj 22u REG 253,0 4721 0 261785 /tmp/vteIRXN5V (deleted)
gnome-ter 2072 soj 23u REG 253,0 4304 0 261786 /tmp/vteLJXN5V (deleted)
gnome-ter 2072 soj 24u REG 253,0 0 0 261810 /tmp/vteEGXN5V (deleted)
gnome-ter 2072 soj 25u REG 253,0 20310 0 261823 /tmp/vteLO8R5V (deleted)
gnome-ter 2072 soj 26u REG 253,0 8192 0 261824 /tmp/vteQG8R5V (deleted)
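The +L 1 listing above is the raw data; the script below is an added example (not from this post) that parses it to report how much disk space each process is holding through deleted-but-open files, and which processes are running from a program image that has been removed from disk. The sample input is constructed from the lines above plus one added line with a deleted "txt" entry.

```python
# Constructed sample of `sudo lsof +L 1` output: the first lines are from this post,
# the last one is added to show a running binary whose file was unlinked (FD "txt").
LSOF_DELETED = """\
COMMAND    PID USER   FD  TYPE DEVICE SIZE/OFF NLINK   NODE NAME
nautilus  1989 soj    19r REG  253,0     5752     0 393090 /home/soj/.local/share/gvfs-metadata/home (deleted)
nautilus  1989 soj    20r REG  253,0    32768     0 399003 /home/soj/.local/share/gvfs-metadata/home-703674be.log (deleted)
gnome-ter 2072 soj    22u REG  253,0     4721     0 261785 /tmp/vteIRXN5V (deleted)
gnome-ter 2072 soj    25u REG  253,0    20310     0 261823 /tmp/vteLO8R5V (deleted)
gnome-ter 2072 soj    26u REG  253,0     8192     0 261824 /tmp/vteQG8R5V (deleted)
updater   3030 nobody txt REG  253,0   118784     0 270011 /var/tmp/.cache/updater (deleted)
"""


def parse_open_deleted(text):
    """Yield one dict per deleted regular file (TYPE REG, NLINK 0).

    The header is skipped by checking that the PID column is numeric. NAME may
    contain spaces, so only the first nine columns are split off.
    """
    for line in text.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 10 or not parts[1].isdigit():
            continue
        cmd, pid, user, fd, ftype, _dev, size, nlink, _node, name = parts
        if ftype != "REG" or nlink != "0":
            continue
        yield {"cmd": cmd, "pid": int(pid), "user": user, "fd": fd,
               "size": int(size), "name": name}


def space_held(text):
    """Bytes still held on disk by deleted-but-open files, per (command, pid).

    This space is not freed until the process closes the file or exits.
    """
    held = {}
    for rec in parse_open_deleted(text):
        key = (rec["cmd"], rec["pid"])
        held[key] = held.get(key, 0) + rec["size"]
    return held


def deleted_executables(text):
    """Processes whose program image (FD "txt") has been removed from disk.

    A legitimate package upgrade can cause this, but it also deserves a look
    during incident response, since the binary can no longer be inspected on disk
    (it can still be read via /proc/<pid>/exe).
    """
    return sorted((r["cmd"], r["pid"], r["name"])
                  for r in parse_open_deleted(text) if r["fd"] == "txt")


if __name__ == "__main__":
    for (cmd, pid), nbytes in sorted(space_held(LSOF_DELETED).items()):
        print(f"{cmd} (pid {pid}) holds {nbytes} bytes in deleted files")
    for cmd, pid, name in deleted_executables(LSOF_DELETED):
        print(f"{cmd} (pid {pid}) runs from deleted image {name}")
```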
———————–
To list all open files in /home/soj
[soj@centos ~]$ sudo lsof +d /home/soj/
su 26894 root cwd DIR 253,0 4096 392814 /home/soj
bash 26899 root cwd DIR 253,0 4096 392814 /home/soj
gedit 27244 soj cwd DIR 253,0 4096 392814 /home/soj
vi 27507 root cwd DIR 253,0 4096 392814 /home/soj
lsof 27539 root cwd DIR 253,0 4096 392814 /home/soj
lsof 27540 root cwd DIR 253,0 4096 392814 /home/soj
The above command is similar to
[soj@centos ~]$ sudo fuser -v /home/soj/
USER PID ACCESS COMMAND
/home/soj/: soj 1084 ..c.. bash
root 26894 ..c.. su
root 26899 ..c.. bash
soj 27244 ..c.. gedit
root 27507 ..c.. vi
To see everything that PID 27507 (the vi process above) has open:
[soj@centos ~]$ sudo lsof -p 27507
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
vi 27507 root cwd DIR 253,0 4096 392814 /home/soj
vi 27507 root rtd DIR 253,0 4096 2 /
vi 27507 root txt REG 253,0 765880 261727 /bin/vi
vi 27507 root mem REG 253,0 61624 392478 /lib64/libnss_files-2.12.so
vi 27507 root mem REG 253,0 99158752 670862 /usr/lib/locale/locale-archive
vi 27507 root mem REG 253,0 17896 392537 /lib64/libattr.so.1.1.0
vi 27507 root mem REG 253,0 19536 392468 /lib64/libdl-2.12.so
vi 27507 root mem REG 253,0 135896 392505 /lib64/libtinfo.so.5.7
vi 27507 root mem REG 253,0 1832712 392462 /lib64/libc-2.12.so
vi 27507 root mem REG 253,0 31856 392539 /lib64/libacl.so.1.1.0
vi 27507 root mem REG 253,0 140096 392501 /lib64/libncurses.so.5.7
vi 27507 root mem REG 253,0 122008 392523 /lib64/libselinux.so.1
vi 27507 root mem REG 253,0 595816 392470 /lib64/libm-2.12.so
vi 27507 root mem REG 253,0 148504 392980 /lib64/ld-2.12.so
vi 27507 root 0u CHR 136,1 0t0 4 /dev/pts/1
vi 27507 root 1u CHR 136,1 0t0 4 /dev/pts/1
vi 27507 root 2u CHR 136,1 0t0 4 /dev/pts/1
vi 27507 root 4u REG 253,0 12288 399277 /home/soj/scripts/bash/.correctfile.txt.swp
————————
Run the following command to list all the listening ports, including those opened by backdoors/trojans/rootkits that hide from the netstat and ps commands:
[soj@centos ~]$ sudo lsof | grep -i "listen"
rpcbind 1215 rpc 8u IPv4 9378 0t0 TCP *:sunrpc (LISTEN)
rpcbind 1215 rpc 11u IPv6 9383 0t0 TCP *:sunrpc (LISTEN)
named 1310 named 20u IPv4 9857 0t0 TCP localhost.localdomain:domain (LISTEN)
named 1310 named 21u IPv4 9860 0t0 TCP localhost.localdomain:rndc (LISTEN)
named 1310 named 22u IPv6 9861 0t0 TCP centos.sandbox:rndc (LISTEN)
named 1310 named 24u IPv4 38186 0t0 TCP centos.sandbox:domain (LISTEN)
rpc.statd 1333 rpcuser 9u IPv4 10041 0t0 TCP *:52970 (LISTEN)
rpc.statd 1333 rpcuser 11u IPv6 10049 0t0 TCP *:40908 (LISTEN)
sshd 1579 root 3u IPv4 10986 0t0 TCP *:ssh (LISTEN)
sshd 1579 root 4u IPv6 10988 0t0 TCP *:ssh (LISTEN)
httpd 1627 root 4u IPv6 11190 0t0 TCP *:http (LISTEN)
smbd 1653 root 24u IPv6 11408 0t0 TCP *:microsoft-ds (LISTEN)
smbd 1653 root 25u IPv6 11410 0t0 TCP *:netbios-ssn (LISTEN)
miniserv. 1685 root 6u IPv4 11470 0t0 TCP *:ndmp (LISTEN)
httpd 20083 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20084 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20085 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20086 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20088 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20089 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20090 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
httpd 20091 apache 4u IPv6 11190 0t0 TCP *:http (LISTEN)
sendmail 26450 root 4u IPv4 38120 0t0 TCP localhost.localdomain:smtp (LISTEN)
mysqld 27150 mysql 10u IPv4 43916 0t0 TCP *:mysql (LISTEN)
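Checking a listing like the one above by eye does not scale, so here is an added example (not from this post) that parses lsof LISTEN lines, reports listeners that are not on an allowlist of expected services, and compares the result with the ports an nmap scan saw open, since a port that is open on the wire but has no owner in lsof is the case that points at something hiding. The sample input is constructed to mirror the services listed above, in the numeric form that `lsof -nP -iTCP -sTCP:LISTEN` prints; the allowlist and nmap port set are assumptions.

```python
import re

# Constructed sample of `sudo lsof -nP -iTCP -sTCP:LISTEN` output (numeric ports, no
# name lookups); the services mirror the listing in this post. Note that lsof truncates
# COMMAND to 9 characters by default (see "miniserv." above); +c 0 prints the full name.
LSOF_LISTEN = """\
COMMAND    PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
rpcbind   1215    rpc   8u  IPv4   9378      0t0  TCP *:111 (LISTEN)
named     1310  named  20u  IPv4   9857      0t0  TCP 127.0.0.1:53 (LISTEN)
named     1310  named  21u  IPv4   9860      0t0  TCP 127.0.0.1:953 (LISTEN)
sshd      1579   root   3u  IPv4  10986      0t0  TCP *:22 (LISTEN)
sshd      1579   root   4u  IPv6  10988      0t0  TCP [::]:22 (LISTEN)
httpd     1627   root   4u  IPv6  11190      0t0  TCP *:80 (LISTEN)
httpd    20083 apache   4u  IPv6  11190      0t0  TCP *:80 (LISTEN)
mysqld   27150  mysql  10u  IPv4  43916      0t0  TCP *:3306 (LISTEN)
"""

# Listeners this host is supposed to have, as (port, command); anything else is reported.
ALLOWLIST = {(22, "sshd"), (53, "named"), (953, "named"), (80, "httpd")}

# Ports an nmap -sT scan from another host reported open (constructed). lsof reads /proc,
# so a kernel rootkit that filters /proc can hide a socket from lsof as well as from
# netstat; the scan from outside sees the socket regardless, which makes it the check.
NMAP_OPEN = {22, 53, 80, 111, 3306, 6001}

LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\(LISTEN\)$")


def parse_listeners(text):
    """Map port -> set of (command, pid, user) from LISTEN lines; other lines are skipped."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            owner = (m["cmd"], int(m["pid"]), m["user"])
            listeners.setdefault(int(m["port"]), set()).add(owner)
    return listeners


def audit(lsof_text, allowlist, nmap_open):
    """Return (unexpected, unclaimed): listeners not on the allowlist, and ports nmap
    found open for which no process shows up in lsof."""
    listeners = parse_listeners(lsof_text)
    unexpected = {(port, cmd) for port, owners in listeners.items()
                  for cmd, _pid, _user in owners if (port, cmd) not in allowlist}
    unclaimed = set(nmap_open) - set(listeners)
    return unexpected, unclaimed


if __name__ == "__main__":
    unexpected, unclaimed = audit(LSOF_LISTEN, ALLOWLIST, NMAP_OPEN)
    for port, cmd in sorted(unexpected):
        print(f"unexpected listener: {cmd} on TCP {port}")
    for port in sorted(unclaimed):
        print(f"open per nmap but no owner in lsof: TCP {port}")
```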