On Mon, Jan 07, 2002 at 12:23:35PM +0000, Dominic Mitchell wrote: >Rather than portscanning yourself (and tripping off your own alarms >:-) it's much easier to just do "netstat -an | grep -w LISTEN" and >see what is listening. You can trace back to the original process >using lsof(8)[1].
Or on Linux, netstat -nlp which will give you process IDs and names. But if the server has been compromised, it's possible that netstat has also been compromised; there is still value to an external portscan. R -- He's a witless moralistic card sharp with a mysterious suitcase handcuffed to his arm. She's a cosmopolitan African-American museum curator with her own daytime radio talk show. They fight crime!