Looking for intruders with lsof
Track down and expose intruders with the versatile admin tool lsof.
Has your server been cracked? Are your processes running wild? If you suspect an intrusion, you’ll need accurate information on what’s happening with the system. Open file handles are a useful source for this information. lsof scans the depths of the filesystem for these files and then returns comprehensive and detailed output.
To be fully prepared for an attack, you’ll need an Intrusion Detection System (IDS) like Snort, Tripwire or Aide to check the filesystem and data streams for suspicious patterns. However, if you don’t have the time or resources for a full-blown intrusion response, Linux has a number of standard command line programs capable of discovering tell-tale traces on a system. The usual suspects for server diagnosis are ps, netstat, top, fuser, and other friendly helpers.
Buy this article as PDF