I am trying to write a script to help with computer security. I am trying to look for open ports, find the PID, and find what called it.
I have it working, where my output looks something like this:
IPV4 - 1234 - 2566/nc
Running from: /bin/nc.openbsd
Command run: nc -l 1234
However, in the nature of looking for backdoors, there may be a script on my computer somewhere that would call nc. Is it possible, from the PID of nc, to find the original script's location?
Say in /etc/rc.local I put the line nc -l 1234, could I get something that would tell me that the nc command was opened by /etc/rc.local?
Thanks!
P.S. I felt this was better suited here rather than Stack Overflow due to the problem being a Linux problem, rather than a problem with my script.
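Added example, not part of the original post: one way to approach the question is to walk the parent chain of the listener's PID through /proc (the PPid field in status, plus cmdline), which names the launching script for as long as that script's shell is still running. If the launcher has already exited, the kernel reparents the process to PID 1 or a subreaper and the chain no longer names it. The sample tree is constructed: PID 2566 and `nc -l 1234` come from the post, while PID 900 and the `/bin/sh -e /etc/rc.local` command line are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Walk a PID's parent chain through /proc to see what launched it."""
import os
import tempfile

def read_proc(pid, proc_root="/proc"):
    """Return (ppid, argv) for pid, read from <proc_root>/<pid>/."""
    base = os.path.join(proc_root, str(pid))
    ppid = 0
    with open(os.path.join(base, "status")) as fh:
        for line in fh:
            if line.startswith("PPid:"):
                ppid = int(line.split()[1])
                break
    with open(os.path.join(base, "cmdline"), "rb") as fh:
        # argv entries are NUL-separated; kernel threads have an empty cmdline
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    return ppid, argv

def ancestry(pid, proc_root="/proc"):
    """List (pid, argv) from pid up to PID 1, child first."""
    chain, seen = [], set()
    while pid > 0 and pid not in seen:
        seen.add(pid)
        try:
            ppid, argv = read_proc(pid, proc_root)
        except (FileNotFoundError, ProcessLookupError, PermissionError):
            break  # process exited or is not readable by this user
        chain.append((pid, argv))
        pid = ppid
    return chain

def build_sample_proc(root):
    """Constructed sample: init(1) -> sh -e /etc/rc.local(900) -> nc(2566)."""
    sample = {1: (0, ["/sbin/init"]),
              900: (1, ["/bin/sh", "-e", "/etc/rc.local"]),
              2566: (900, ["nc", "-l", "1234"])}
    for pid, (ppid, argv) in sample.items():
        os.makedirs(os.path.join(root, str(pid)))
        with open(os.path.join(root, str(pid), "status"), "w") as fh:
            fh.write(f"Name:\t{os.path.basename(argv[0])}\nPPid:\t{ppid}\n")
        with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
            fh.write(b"\0".join(a.encode() for a in argv) + b"\0")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_proc(root)  # on a live system: ancestry(pid) with no root
        for pid, argv in ancestry(2566, root):
            print(pid, " ".join(argv))
```

On a live host, call `ancestry(pid)` with the PID found for the listening port; reading other users' processes generally requires root.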