I am trying to write a script to help with computer security. I am trying to look for open ports, find the PID, and find what called it.
I have it working, where my output looks something like this:
IPV4 - 1234 - 2566/nc
Running from:
/bin/nc.openbsd
Command run: nc -l 1234
Where I was able to get those values from netstat, /proc/$PID/exe and /proc/$PID/cmdline.
However, in the nature of looking for backdoors, there may be a script on my computer somewhere, that would call nc. Is it possible, from the PID of nc, to find the original script's location? I've tried looking at the other files in /proc/$PID/* to no avail.
Say in /etc/rc.local I put the line nc -l 1234, could I get something that would tell me that the nc command was opened by /etc/rc.local?
Asked by Connor Quick (27 rep)
Nov 24, 2014, 05:52 PM
Last activity: Jul 6, 2025, 01:06 PM
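One way to extend the netstat and /proc/$PID lookup described in the question is to follow the parent PID recorded in /proc/$PID/stat and print each ancestor's command line. This is an added example, not part of the original post; the function names, the PROC_ROOT variable, PID 812 and the sample tree are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: list a PID and its ancestors from /proc/<pid>/stat.
# PROC_ROOT is this example's own knob (not a kernel or tool setting) so the
# same functions can read a constructed tree instead of the live /proc.
PROC_ROOT=${PROC_ROOT:-/proc}

# Parent PID of $1. Field 2 of stat is "(comm)" and may contain spaces or ")",
# so strip through the LAST ") " before splitting the remaining fields.
ppid_of() {
    local stat rest
    stat=$(cat "$PROC_ROOT/$1/stat" 2>/dev/null) || return 1
    rest=${stat##*) }               # "state ppid pgrp ..."
    set -- $rest
    printf '%s\n' "$2"
}

# Command line of $1, NUL separators shown as spaces.
cmdline_of() {
    tr '\0' ' ' < "$PROC_ROOT/$1/cmdline" | sed 's/ $//'
}

# "pid<TAB>cmdline" for $1 and each ancestor, stopping at PID 1.
ancestry() {
    local pid=$1
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] 2>/dev/null; do
        printf '%s\t%s\n' "$pid" "$(cmdline_of "$pid")"
        [ "$pid" -eq 1 ] && break
        pid=$(ppid_of "$pid") || break
    done
}

# Constructed sample: init (1) -> /bin/sh /etc/rc.local (812) -> nc (2566).
# PID 812 and the comm "nc (x)" are made up; the latter exercises the parsing.
make_sample_proc() {
    mkdir -p "$1/1" "$1/812" "$1/2566"
    echo '1 (init) S 0 1 1 0 -1'           > "$1/1/stat"
    echo '812 (rc.local) S 1 812 812 0 -1' > "$1/812/stat"
    echo '2566 (nc (x)) S 812 812 812 0 -1' > "$1/2566/stat"
    printf '%s\0' /sbin/init               > "$1/1/cmdline"
    printf '%s\0' /bin/sh /etc/rc.local    > "$1/812/cmdline"
    printf '%s\0' nc -l 1234               > "$1/2566/cmdline"
}

if [ "$#" -gt 0 ]; then
    ancestry "$1"                   # live system, e.g. ./ancestry.sh 2566
else
    demo=$(mktemp -d) && make_sample_proc "$demo"
    PROC_ROOT=$demo ancestry 2566   # walk the constructed tree
    rm -rf "$demo"
fi
```

The chain only shows the launching script while that script is still running: if it started nc in the background and exited, the kernel reparents nc to PID 1 (or a subreaper) and the script no longer appears among the ancestors.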