Security Consulting

Files

Show the open file descriptors (fds) of a process:
    lsof -p 12345
If a file was already deleted, you can see whether a process still holds it open and then try to access it via the /proc filesystem:
    cp /proc/12345/fd/xxx ./test.one
To recover the binary of a running process when it no longer exists as a file:
    cp /proc/12345/exe ./exefile
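
The two /proc copies above, generalised into a script that finds every deleted-but-open file of a process and copies it out. This is an added example, not part of the original page; the function names and the fd-N output naming are assumptions.

```shell
#!/bin/sh
# Added example: find and recover deleted-but-open files of one process (Linux /proc).

# list_deleted_fds PID
# Prints "fd<TAB>original path" for each descriptor whose file has been unlinked.
# The kernel marks such links by appending " (deleted)" to the target path.
# Caveat: a live file whose name really ends in " (deleted)" would also match.
list_deleted_fds() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        [ -L "$fd" ] || continue
        target=$(readlink "$fd") || continue
        case $target in
            /*" (deleted)")
                printf '%s\t%s\n' "${fd##*/}" "${target% (deleted)}" ;;
        esac
    done
}

# recover_deleted PID OUTDIR
# Copies each deleted-but-open file to OUTDIR/fd-N (N = descriptor number).
# Opening /proc/PID/fd/N reopens the inode, so the copy starts at offset 0.
recover_deleted() {
    pid=$1
    out=$2
    mkdir -p "$out" || return 1
    list_deleted_fds "$pid" | while IFS="$(printf '\t')" read -r n path; do
        if cp "/proc/$pid/fd/$n" "$out/fd-$n"; then
            printf 'fd %s: %s -> %s\n' "$n" "$path" "$out/fd-$n"
        else
            printf 'fd %s: copy of %s failed\n' "$n" "$path" >&2
        fi
    done
}

# Usage (12345 is the example PID used on this page):
#   list_deleted_fds 12345
#   recover_deleted 12345 ./recovered
```

Run it as root or as the owner of the process, and while the process is still running: the descriptors, and with them the deleted data, disappear when it exits.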

Compromised System

What to do in case of a compromised system?
  • Unplug the network!
  • lsof -ni shows all open network addresses.


    CopyLeft (l) 2003 by Raffael Marty