
I am trying to write a script to help with computer security. I am trying to look for open ports, find the PID, and find what called it.

I have it working, where my output looks something like this:

IPV4 - 1234 - 2566/nc

Running from: /bin/nc.openbsd

Command run: nc -l 1234

However, in the nature of looking for backdoors, there may be a script on my computer somewhere that would call nc. Is it possible, from the PID of nc, to find the original script's location?

Say in /etc/rc.local I put the line nc -l 1234; could I get something that would tell me that the nc command was opened by /etc/rc.local?

Thanks!

P.S. I felt this was better suited here rather than Stack Overflow, due to the problem being a Linux problem rather than a problem with my script.

  • Unix & Linux may be able to give you a good answer as well.
    – Tim
    Commented Nov 24, 2014 at 17:42
  • Thanks Tim, I'll try asking there. Hope it isn't against the rules to cross post like that... just briefly looked through the rules and didn't see it say anything.
    – zer0w1re
    Commented Nov 24, 2014 at 17:47
  • It can be discouraged until you have waited a bit, but there shouldn't be anything wrong. You may get some different answers.
    – Tim
    Commented Nov 24, 2014 at 17:55
  • @Tim Cross posting is discouraged, so please don't tell users to do it. You could explain to them that if they posted a question and haven't received an answer in, say, two days, they can flag it for attention to have it migrated there, but please don't let them duplicate it. Thanks for your understanding.
    – slhck
    Commented Nov 24, 2014 at 19:20
  • Closed for cross posting.
    – slhck
    Commented Nov 24, 2014 at 19:20

2 Answers


To get the PID of the Parent Process, you can use the command:

ps -ef

It will give you a process listing that includes both of the PIDs.

If the command was started from a script, then the PPID (parent process ID) that the command returns would be the PID of the script that started it.

  • The PPID only shows "bash" rather than the script's location.
    – zer0w1re
    Commented Nov 24, 2014 at 17:54
  • ps has a ton of options. You might also try ps axjf. But that does not give you script compatible information. It may be necessary to pipe together some commands to get exactly the info you want. I did not intend to write the script for you, but to point you in the right direction.
    – Marianna
    Commented Nov 24, 2014 at 18:29
  • You should also consider that keying in on a suspicious name like nc will often fail. Exploits usually hide behind an inconspicuous name like "init" which is present on every running system. Better to look for open ports with netstat, and don't forget lsof as a tool.
    – Marianna
    Commented Nov 24, 2014 at 18:32

I ended up using the following:

grep -r "$command" "$(ls -l /proc/$pid/cwd | awk '{ print $11 }')" | awk -F: '{ print $1 }'

Where command="$(cat /proc/$pid/cmdline | sed 's/\x0/ /g' | sed 's/.$//')" (the NUL separators in cmdline are replaced with spaces and the trailing one is dropped).

Which will recursively grep through the files in the directory that the script is in to find the file that contains the running nc command.

Seems kind of messy, so if anyone could help clean that up a bit that'd be great :)

Thanks for the help guys!
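The comment above that the PPID "only shows bash" and the grep-through-cwd answer both come from looking at the parent's comm name, which ps truncates; the parent's full argv in /proc/PPID/cmdline is where the script path usually is (a script started by init or a shell runs as something like `/bin/sh /etc/rc.local`). The script below, an added example and not code from the original question or answers, walks the parent chain of a PID through /proc and prints argv, exe and cwd for each ancestor, flagging the script file when argv[0] is a common interpreter. The /proc layout (cmdline, status, exe, cwd) is the real one; the process tree it builds with make_sample_tree is constructed sample data so the script runs without a live nc, and the PIDs, paths and interpreter list are assumptions of this example.

```shell
#!/bin/sh
# Walk the parent chain of a PID via /proc and show, for each ancestor, the
# full argv (not the 15-char "comm" that ps prints), the exe and the cwd.
# Added example; the sample tree at the bottom is constructed, not real data.

# cmdline_of ROOT PID: argv of PID as one space-separated line.
cmdline_of() {
    tr '\000' ' ' < "$1/$2/cmdline" | sed 's/ $//'
}

# ppid_of ROOT PID: parent PID taken from the "PPid:" line of status.
ppid_of() {
    awk '$1 == "PPid:" { print $2 }' "$1/$2/status"
}

# script_of ROOT PID: if argv[0] is a common interpreter and argv[1] is a path
# (not an option), print argv[1]. This is how a parent that ps shows as "sh"
# turns out to be "/bin/sh /etc/rc.local". Interpreter list is an assumption.
script_of() {
    so_root=$1; so_pid=$2
    set -- $(cmdline_of "$so_root" "$so_pid")
    case "$(basename "${1:-}")" in
        sh|bash|dash|zsh|ksh|python*|perl|ruby)
            case "${2:-}" in
                ""|-*) ;;                 # "sh -c ..." has no script file
                *) printf '%s\n' "$2" ;;
            esac ;;
    esac
}

# ancestry_chain ROOT PID: one line per process from PID up to PID 1.
# exe/cwd show "?" when unreadable (other users' processes without root).
ancestry_chain() {
    ac_root=$1; ac_pid=$2
    while [ -n "$ac_pid" ] && [ -d "$ac_root/$ac_pid" ]; do
        exe=$(readlink "$ac_root/$ac_pid/exe" 2>/dev/null || echo '?')
        cwd=$(readlink "$ac_root/$ac_pid/cwd" 2>/dev/null || echo '?')
        script=$(script_of "$ac_root" "$ac_pid")
        printf 'pid=%s exe=%s cwd=%s cmd=[%s]' "$ac_pid" "$exe" "$cwd" \
            "$(cmdline_of "$ac_root" "$ac_pid")"
        if [ -n "$script" ]; then printf ' script=%s' "$script"; fi
        printf '\n'
        if [ "$ac_pid" = "1" ]; then break; fi
        ac_pid=$(ppid_of "$ac_root" "$ac_pid")
    done
}

# add_proc ROOT PID PPID EXE CWD ARGV...: write one fake /proc/PID entry.
add_proc() {
    d=$1/$2; ppid=$3; exe=$4; cwd=$5; shift 5
    mkdir -p "$d"
    printf '%s\0' "$@" > "$d/cmdline"                 # NUL-separated argv
    printf 'Name:\t%s\nPPid:\t%s\n' "$(basename "$1")" "$ppid" > "$d/status"
    ln -sf "$exe" "$d/exe"
    ln -sf "$cwd" "$d/cwd"
}

# make_sample_tree DIR: constructed stand-in for /proc (sample data):
#   1 /sbin/init  ->  412 /bin/sh /etc/rc.local  ->  2566 nc -l 1234
make_sample_tree() {
    add_proc "$1" 1    0   /sbin/init      / /sbin/init
    add_proc "$1" 412  1   /bin/dash       / /bin/sh /etc/rc.local
    add_proc "$1" 2566 412 /bin/nc.openbsd / nc -l 1234
}

# Demo on the constructed tree. On a live box, once you have the PID from
# your port listing: ancestry_chain /proc "$pid"
sample=$(mktemp -d)
make_sample_tree "$sample"
ancestry_chain "$sample" 2566
rm -rf "$sample"
```

Reading /proc directly rather than parsing ps output also sidesteps the truncated comm name the comment complains about, and resolving /proc/PID/exe shows the binary actually running even when the process has renamed itself to something inconspicuous like "init", which is the point Marianna makes about not keying on the name alone.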
