Using lsof to determine which processes are listening on TCP or UDP ports
TL;DR
Use lsof to find all processes listening on TCP or UPD ports:
sudo lsof -n | egrep 'TCP.*LISTEN|UDP'
Details
After a routine security audit using nmap, a production server is found to be running a rogue server listening on port 8000:
jemurray@mbp-2019:~ $ nmap shell.jasonmurray.org
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-27 19:23 CST
Nmap scan report for shell.jasonmurray.org (104.131.191.87)
Host is up (0.067s latency).
Other addresses for shell.jasonmurray.org (not scanned): 2604:a880:800:10::19d5:4001
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
8000/tcp open http-alt
Connecting to port 8000 confirms the host is leaking files:
jemurray@mbp-2019:~ $ elinks shell.jasonmurray.org:8000 -dump
Directory listing for /
--------------------------------------------------------------------------
* [1]dontleakthisfile.txt
--------------------------------------------------------------------------
References
Visible links
1. http://shell.jasonmurray.org:8000/dontleakthisfile.txt
Use lsof to find the process listening on port 8000. In this example, we dump all process listening on tcp or udp ports:
jemurray@shell:~$ sudo lsof -n | egrep 'TCP.*LISTEN|UDP'
exim4 3533 Debian-exim 3u IPv4 21882742 0t0 TCP 127.0.0.1:smtp (LISTEN)
exim4 3533 Debian-exim 4u IPv6 21882743 0t0 TCP [::1]:smtp (LISTEN)
ntpd 3744 ntp 18u IPv4 55660414 0t0 UDP 127.0.0.1:ntp
ntpd 3744 ntp 19u IPv4 55660416 0t0 UDP 104.131.191.87:ntp
ntpd 3744 ntp 20u IPv4 55660418 0t0 UDP 10.17.0.5:ntp
ntpd 3744 ntp 21u IPv6 55660420 0t0 UDP [::1]:ntp
ntpd 3744 3747 ntpd ntp 16u IPv6 55660407 0t0 UDP *:ntp
ntpd 3744 3747 ntpd ntp 17u IPv4 55660410 0t0 UDP *:ntp
ntpd 3744 3747 ntpd ntp 18u IPv4 55660414 0t0 UDP 127.0.0.1:ntp
ntpd 3744 3747 ntpd ntp 19u IPv4 55660416 0t0 UDP 104.131.191.87:ntp
ntpd 3744 3747 ntpd ntp 20u IPv4 55660418 0t0 UDP 10.17.0.5:ntp
sshd 15426 root 3u IPv4 12655697 0t0 TCP *:ssh (LISTEN)
sshd 15426 root 4u IPv6 12655708 0t0 TCP *:ssh (LISTEN)
python3 16760 jemurray 3u IPv4 57858801 0t0 TCP *:8000 (LISTEN)
nginx 30170 root 6u IPv4 12851776 0t0 TCP *:http (LISTEN)
nginx 30170 root 7u IPv6 12851777 0t0 TCP *:http (LISTEN)
nginx 30170 root 8u IPv4 12851778 0t0 TCP *:https (LISTEN)
nginx 30170 root 9u IPv6 12851779 0t0 TCP *:https (LISTEN)
nginx 30174 www-data 6u IPv4 12851776 0t0 TCP *:http (LISTEN)
nginx 30174 www-data 7u IPv6 12851777 0t0 TCP *:http (LISTEN)
nginx 30174 www-data 8u IPv4 12851778 0t0 TCP *:https (LISTEN)
nginx 30174 www-data 9u IPv6 12851779 0t0 TCP *:https (LISTEN)
Looking at the python3 processes, we see:
jemurray@shell:~$ ps -ef | grep python3
jemurray 16760 13824 0 01:19 pts/8 00:00:00 python3 -m http.server 8000
lsof will also display which directory the python3 program is sharing:
jemurray@shell:~$ sudo lsof | grep 16760 | grep cwd
python3 16760 jemurray cwd DIR 254,1 4096 264931 /home/jemurray/example-hacked-directory