| 1 |
>> If the machine is running linux, then 'watch "lsof -n|grep TCP|grep |
| 2 |
>> 3680"' as root is a sloppy but effective way to find it. There's |
| 3 |
>> probably some way to set up a firewall rule on the host in question |
| 4 |
>> that logs out the user and (possibly) PID of the connection, but I |
| 5 |
>> don't know. |
| 6 |
> |
| 7 |
> "lsof -i" is easier, it only shows network connections :) |
| 8 |
> |
| 9 |
> catching it when it happens (if it is very briefly connected) could be |
| 10 |
> hard with lsof... Maybe setup a tarpit firewall rule on that box so |
| 11 |
> the connection stays open for a long time. |
| 12 |
|
| 13 |
The connections are only attempted a few times throughout the day. Is |
| 14 |
a tarpit firewall rule the only way to do this? Can anyone tell me |
| 15 |
what package 'watch' belongs to if that would work? |
| 16 |
|
| 17 |
- Grant |
Archives