On Thursday 20 September 2007, Grant wrote:
> > > I recognize everything in 'ps -ef' I think, but I've never really used
> > > netstat before. Under "Active Internet connections" I don't
> > > recognize:
> > >
> > > tcp localhost:10030
> > > tcp *:snpp
> >
> > Also, snpp is for pagers:
> > http://en.wikipedia.org/wiki/Simple_Network_Paging_Protocol
>
> With netstat -lp it looks like *:snpp is associated with apache2 and
> is using the same pid as *:http and *:https. I've never set up
> anything having to do with a pager. I've never had a pager. What can
> I do to investigate that further?

I assume then that this is spawned by apache, but don't know why apache would
spawn something like this. What happens if you shut apache down? Is it
still there? You could post in apache M/Ls in case they know or have seen
this before.

> > Then run lsof (check man lsof) to see if there is anything suspicious
> > there, like another user logged in either as root or with a different
> > name.
>
> Any handy lsof commands?

I am not good with regex so I would just run it plain and work tediously my
way down the list, or start from the known suspects: check the port that
snpp is using as well as 10030, e.g.

# lsof -i @your_host_name.com:10030 (you can use the IP address here too)

# lsof -i @your_host_name.com:snpp

etc.

HTH.
--
Regards,
Mick
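
Added example, not part of the original thread: netstat prints the /etc/services name for a port number, and snpp is the name registered for 444/tcp, so this sketch turns the names in `netstat -ltp` output back into port numbers next to the owning PID (`netstat -lnp` prints the numbers directly). The netstat lines, the PIDs, the program name exampled and the services excerpt are constructed, and resolve_listeners is a hypothetical helper name.

```shell
# Constructed `netstat -ltp` output (PIDs and "exampled" are made up).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 localhost:10030  *:*              LISTEN  2210/exampled
tcp        0      0 *:http           *:*              LISTEN  4321/apache2
tcp        0      0 *:https          *:*              LISTEN  4321/apache2
tcp        0      0 *:snpp           *:*              LISTEN  4321/apache2
EOF
}

# Constructed excerpt in /etc/services format.
sample_services() {
cat <<'EOF'
http    80/tcp   www
https   443/tcp
snpp    444/tcp  # Simple Network Paging Protocol
EOF
}

# resolve_listeners SERVICES_FILE  (hypothetical helper; netstat output on stdin)
# Prints "pid program address port" per listening TCP socket, with service
# names translated back to numbers; unknown names are printed as "?name".
resolve_listeners() {
  awk -v svc="$1" '
    BEGIN {
      while ((getline line < svc) > 0) {
        sub(/#.*/, "", line)                  # drop comments
        n = split(line, f, " ")
        if (n < 2) continue
        split(f[2], pp, "/")                  # "444/tcp" -> 444, tcp
        if (pp[2] != "tcp") continue
        for (i = 1; i <= n; i++) if (i != 2) port[f[i]] = pp[1]
      }
    }
    $1 == "tcp" && $6 == "LISTEN" {
      k = split($4, a, ":"); name = a[k]      # text after the last ":"
      addr = substr($4, 1, length($4) - length(name) - 1)
      p = (name ~ /^[0-9]+$/) ? name : ((name in port) ? port[name] : "?" name)
      split($7, o, "/")                       # "4321/apache2"
      print o[1], o[2], addr, p
    }'
}

# Demo on the constructed data. On a real host:
#   netstat -ltp | resolve_listeners /etc/services
svc=$(mktemp) && sample_services > "$svc"
sample_netstat | resolve_listeners "$svc"
rm -f "$svc"
```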