Finding programs listening on network ports and removing them

This tutorial demonstrates how to find and deal with programs opening network ports on your Linux system. In the example below, a connection on TCP port 6667 is open. This port is normally used by IRC servers. If you see it in use but don’t expect it, your server might have been hacked. We’ll find, stop and remove the program using TCP port 6667.

First we need to check the status of our ports:

netstat -na | grep "ESTABLISHED"
tcp        0      0 192.168.0.1:39701           4.3.2.1:6667          ESTABLISHED

The only connection of interest, with a status of “ESTABLISHED”, is shown in the output above. The remote system somewhere on the Internet has the IP address 4.3.2.1. We need to find out which program opened that connection.

lsof -Pnl +M -i4 | grep 6667
modcluste  3959    10224    1u  IPv4  12002       TCP 192.168.0.1:39701->4.3.2.1:6667 (ESTABLISHED)

The program name listed above is “modcluste”, but that name is cut short. To find out its full name we can run the following command using the process id from the above output, 3959.

ps u -p 3959
sally       3959  0.0  0.0   1988   852 ?        Ss   Feb05   0:00 modclusterd

Now we can see the complete name. We can also see that the user “sally” started the application. Most likely her account was hacked. We can find where that application is located by using either (or both) of the following commands:

locate modclusterd
find / | grep modclusterd

The output might look like the following:

/var/tmp/.a/.kde/modclusterd

A hidden directory under /var/tmp like the one above looks like a cracker was here. So let’s kill the process and remove the files.

kill -9 3959
rm -rf /var/tmp/.a
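The lsof, ps and locate steps above, re-run as one script (an added example, not part of the original tutorial). It reads the lsof output format shown earlier, resolves the truncated program name through /proc instead of ps and locate, and goes one step further than the tutorial by keeping a copy of the binary before killing it; the lsof line embedded in the script is constructed to match the tutorial's output, and a Linux /proc filesystem is assumed.

```shell
#!/bin/sh
# Added example (not from the original tutorial): triage one remote port by
# parsing lsof output and resolving the process through /proc.

# Constructed sample line, shaped like the tutorial's lsof -Pnl +M -i4 output
# (with -l the USER column holds the numeric UID).
SAMPLE_LSOF='modcluste  3959    10224    1u  IPv4  12002       TCP 192.168.0.1:39701->4.3.2.1:6667 (ESTABLISHED)'

# Read lsof -Pnl +M -i4 output on stdin; print "PID UID REMOTE" for every
# ESTABLISHED connection whose remote port equals $1.
conns_to_port() {
    awk -v port="$1" '
        $NF == "(ESTABLISHED)" {
            split($(NF - 1), ep, "->")      # local->remote endpoint
            n = split(ep[2], rp, ":")       # remote host:port (port is last)
            if (rp[n] == port) print $2, $3, ep[2]
        }'
}

# What ps and lsof truncate: full executable path, working directory and
# command line from /proc. The exe link still resolves (with a "(deleted)"
# suffix) if the file was removed after the process started.
describe_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || exe="?"
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null) || cwd="?"
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null) || cmd="?"
    printf 'pid=%s exe=%s cwd=%s cmdline=%s\n' "$pid" "$exe" "$cwd" "$cmd"
}

# Keep a copy of the running binary before stopping it, so the kill/rm step
# of the tutorial does not destroy the only sample of what was running.
preserve_and_kill() {
    pid="$1"; evidence_dir="$2"
    mkdir -p "$evidence_dir"
    cp "/proc/$pid/exe" "$evidence_dir/exe.$pid"
    kill -9 "$pid"
}

# With a port argument, inspect the live system; without one, show the parse
# on the constructed sample only (nothing is killed either way).
if [ $# -gt 0 ]; then
    lsof -Pnl +M -i4 2>/dev/null | conns_to_port "$1" |
    while read -r pid uid remote; do
        echo "uid $uid -> $remote"
        describe_pid "$pid"
    done
else
    printf '%s\n' "$SAMPLE_LSOF" | conns_to_port 6667
fi
```

Run it as `sh triage.sh 6667` to inspect a live system; call preserve_and_kill with the PID and an evidence directory only once you have decided to stop the process.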

So the known threat is gone, but the work has just begun. We need to alter the firewall to prevent this from happening again, and consider enabling SELinux if possible. If this were a real incident we would also need to find out what damage (if any) was done to the system, and Sally’s account password should be changed.

Thanks to AgixLinux
