lsof usage

1. lsof intro

1.1 lsof can list open files, including:

  • /dev files
  • socket files (unix/network)
  • library files
  • executables
  • etc.

lsof page on debian: https://packages.debian.org/stable/lsof

A good web page on lsof by Daniel

1.2 output interpretation

**COMMAND   PID USER   FD      TYPE             DEVICE SIZE/OFF     NODE NAME**
adb     15516   yu  cwd       DIR                8,1     4096 12845057 /home/yu/workspace/q
adb     15516   yu  rtd       DIR                8,1     4096        2 /
adb     15516   yu  txt       REG                8,1  4894227 11272415 /home/yu/.bin/adb
adb     15516   yu  mem       REG                8,1    71488 14420702 /lib/i386-linux-gnu/i686/cmov/libresolv-2.13.so
adb     15516   yu  mem       REG                8,1    22088 14420706 /lib/i386-linux-gnu/i686/cmov/libnss_dns-2.13.so
adb     15516   yu  mem       REG                8,1    42628 14420694 /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
adb     15516   yu  mem       REG                8,1  1437864 14420700 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
adb     15516   yu  mem       REG                8,1   114788 14420559 /lib/i386-linux-gnu/libgcc_s.so.1

column “FD”

+----+-------+-----------------------------------+
| No | item  |              note                 |
+----+-------+-----------------------------------+
| 1  | cwd   |  current working directory        |
+----+-------+-----------------------------------+
| 2  | rtd   |  root directory                   |
+----+-------+-----------------------------------+
| 3  | txt   |  program text (code and data)     |
+----+-------+-----------------------------------+
| 4  | mem   |  memory-mapped file               |
+----+-------+-----------------------------------+

column “TYPE”

+----+-------+-----------------------------------+
| No | item  |              note                 |
+----+-------+-----------------------------------+
| 1  | DIR   |  Directory                        |
+----+-------+-----------------------------------+
| 2  | REG   |  Regular file                     |
+----+-------+-----------------------------------+
| 3  | CHR   |  Character special file           |
+----+-------+-----------------------------------+
| 4  | FIFO  |  FIFO (named pipe) special file   |
+----+-------+-----------------------------------+

1.3 practice

Given PID:

$ lsof -p <pid>
$ ls /proc/<pid>/fd

Given port/protocol:

$ lsof -i :5037

COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
adbd    939 root    5u  IPv4     93      0t0  TCP localhost:5037 (LISTEN)

$ lsof -i @localhost

COMMAND PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
adbd    939 root    5u  IPv4     93      0t0  TCP localhost:5037 (LISTEN)

$ lsof -i TCP
$ lsof -i TCP:80
$ lsof -i TCP@192.168.0.2:636
$ lsof -i --> show all network connections
$ lsof -i 4 --> show only IPv4 connections
$ lsof -i 6 --> show only IPv6 connections
$ lsof -i TCP:1-1024 --> show open files on TCP ports 1-1024

Given UID (a leading ^ negates the selection):

$ lsof -u <UID>
$ lsof -u ^<UID>

Given FD category (a leading ^ negates the selection):

$ lsof -d txt
$ lsof -d ^mem

Given files/directories:

$ lsof <file>
$ lsof <directory>

Only show PIDs (terse output):

$ lsof -t <file>

Show network ports as numbers (-P disables port-to-service-name conversion):

$ lsof -i -P

2. checking open fd limits

Use ulimit -n to check the per-process open file limit, and ls /proc/*/fd/ to list (and count) the open fds of all processes.

3. check server risk

lsof +L1 shows all open files that have a link count less than 1, i.e. files that were unlinked while a process still holds them open.
This is often (but not always) indicative of an attacker trying to hide file content by unlinking it.

$ lsof +L1
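The two checks above (section 2, counting fds against the limit, and section 3, finding open-but-unlinked files) done directly from the /proc fd symlinks, as an added example that is not part of the original notes; the proc_root parameter is an assumption so a constructed tree can be scanned, and on a live host it is "/proc".

```python
"""Scan /proc fd symlinks: the check behind `lsof +L1` and `ls /proc/<pid>/fd`."""
import os
import re

# The kernel appends " (deleted)" to an fd's link target when the inode
# has no remaining directory entry, i.e. its link count is 0.
_DELETED = re.compile(r" \(deleted\)$")


def open_fds(proc_root="/proc"):
    """Yield (pid, fd, target) for every readable fd symlink under proc_root."""
    for name in os.listdir(proc_root):
        if not name.isdigit():          # skip self, sys, net, ...
            continue
        fd_dir = os.path.join(proc_root, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                 # process exited or permission denied
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:             # fd closed between listdir and readlink
                continue
            yield int(name), fd, target


def deleted_open_files(proc_root="/proc"):
    """Equivalent of `lsof +L1`: (pid, fd, path) for open files with link count 0."""
    return [(pid, fd, _DELETED.sub("", target))
            for pid, fd, target in open_fds(proc_root)
            if _DELETED.search(target)]


def fd_counts(proc_root="/proc"):
    """Number of open descriptors per PID, to compare against `ulimit -n`."""
    counts = {}
    for pid, _fd, _target in open_fds(proc_root):
        counts[pid] = counts.get(pid, 0) + 1
    return counts


def near_fd_limit(proc_root="/proc", limit=1024, fraction=0.8):
    """PIDs holding at least `fraction` of `limit` descriptors (assumed threshold)."""
    return sorted(pid for pid, n in fd_counts(proc_root).items()
                  if n >= limit * fraction)


if __name__ == "__main__":
    for pid, fd, path in deleted_open_files():
        print(f"pid {pid} fd {fd} holds unlinked file {path}")
    print("near limit:", near_fd_limit())
```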

4. memory usage monitor

memdump: This program dumps system memory to the standard output stream, skipping over holes in memory maps. By default, the program dumps the contents of physical memory (/dev/mem).
memstat: Identify what's using up virtual memory.

$ ps aux --sort=-rss --> processes sorted by resident memory, largest first