>> If the machine is running Linux, then 'watch "lsof -n|grep TCP|grep 3680"'
>> as root is a sloppy but effective way to find it. There's probably some
>> way to set up a firewall rule on the host in question that logs out the
>> user and (possibly) PID of the connection, but I don't know.
>
> "lsof -i" is easier, it only shows network connections :)
>
> Catching it when it happens (if it is very briefly connected) could be
> hard with lsof... Maybe set up a tarpit firewall rule on that box so
> the connection stays open for a long time.

The connections are only attempted a few times throughout the day. Is
a tarpit firewall rule the only way to do this? Can anyone tell me
what package 'watch' belongs to if that would work?

- Grant