1

I am trying to do homework for a lab but have a quick question.

How do I find a malicious TCP service that is still running, where the adversary has achieved persistence by creating a systemd service?

I think I have to use netstat to find the name of the malicious TCP service, but what command should I use to find that service?

Thank you

2 Answers

3

netstat -tlape

Running this will show all (-a) processes (-p) currently listening (-l) on a TCP port (-t), with extended information (-e).

Note(s):

  • You need to run this via sudo to see everything on the system.

  • Use Linux man pages when you're not sure how a program operates. In this instance you would type man netstat to learn more about the netstat command. To search within the man pages, press / and enter a <search term>, then press Enter to find the results. n will cycle forward while N cycles backwards.

walder
  • +1. This is a good answer on the use of netstat, but as I stated in my answer, netstat can't tell you which process is malicious. – joeqwerty Jun 04 '22 at 16:38
  • > "I think I have to use netstat to find the name of the malicious TCP service, but what command should I use to find that service?" -- I believe I answered OP's question as stated above with my answer. – walder Jun 04 '22 at 22:42
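As an added example (not part of walder's answer or of the original page), the shell script below does what the answer describes end to end: it parses the listening TCP socket list into port, PID and program name, looks up each PID's systemd unit in /proc/<pid>/cgroup, and prints the path of the unit file so the service behind the port can be inspected. It reads `ss -tlnp` output (the iproute2 replacement for the deprecated net-tools netstat); the same parser also accepts `netstat -tlnp` lines. The function names, the `--live` flag and the embedded ss/cgroup sample data are constructed for this example and were not captured from a real host.

```shell
#!/bin/sh
# Added example: map listening TCP sockets to the systemd unit that owns them,
# then print where each unit file lives so it can be reviewed. Not from the
# original answer; function names and sample data are constructed for this example.

# Parse listener lines from `ss -tlnp` or `netstat -tlnp` (stdin) into
# "port pid program". pid/program are "-" when the tool could not see the
# owning process, which happens for other users' sockets when not run as root.
parse_listeners() {
    awk '/LISTEN/ {
        n = split($4, a, ":"); port = a[n]          # local address is field 4 in both tools
        pid = "-"; comm = "-"
        if (match($0, /pid=[0-9]+/)) {              # ss layout: users:(("nc",pid=2331,fd=3))
            pid = substr($0, RSTART + 4, RLENGTH - 4)
            if (match($0, /\("[^"]+"/)) comm = substr($0, RSTART + 2, RLENGTH - 3)
        } else if ($NF ~ /^[0-9]+\//) {             # netstat layout: 2331/nc
            split($NF, b, "/"); pid = b[1]; comm = b[2]
        }
        print port, pid, comm
    }'
}

# Given the contents of /proc/<pid>/cgroup on stdin (cgroup v1 or v2 layout),
# print the innermost systemd unit (name.service or name.scope), if any.
unit_from_cgroup() {
    awk -F/ '$NF ~ /\.(service|scope)$/ { print $NF; exit }'
}

unit_of_pid() {
    [ -r "/proc/$1/cgroup" ] && unit_from_cgroup < "/proc/$1/cgroup"
}

# Live triage: one line per listening socket with its unit and unit-file path.
# A unit file under /etc/systemd/system (rather than the package directory
# /usr/lib/systemd/system) was created locally and deserves a closer look.
triage_live() {
    ss -tlnp 2>/dev/null | parse_listeners | while read -r port pid comm; do
        unit=""; path=""
        if [ "$pid" != "-" ]; then
            unit=$(unit_of_pid "$pid")
            [ -n "$unit" ] && path=$(systemctl show -p FragmentPath --value "$unit" 2>/dev/null)
        fi
        printf '%-6s %-7s %-12s %-24s %s\n' "$port" "$pid" "$comm" "${unit:-?}" "${path:-?}"
    done
}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:4444        0.0.0.0:*         users:(("nc",pid=2331,fd=3))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))'

# Constructed /proc/2331/cgroup contents (cgroup v2 layout, hypothetical unit name).
SAMPLE_CGROUP='0::/system.slice/evil-updater.service'

if [ "${1:-}" = "--live" ]; then
    triage_live
else
    echo "$SAMPLE_SS" | parse_listeners
    echo "$SAMPLE_CGROUP" | unit_from_cgroup
fi
```

Run it as `sudo sh triage.sh --live` on the lab machine; without root, `ss -p` only shows process details for sockets owned by the invoking user, so the PID column comes back as "-". Without `--live` it runs on the embedded sample and prints `4444 2331 nc` and `evil-updater.service`. Mapping a port to a unit only tells you which service owns the socket; deciding whether that service is malicious still means reading the unit's ExecStart, checking the binary it runs, and checking whether the unit file was shipped by a package or written by hand into /etc/systemd/system.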
0

Netstat can show you the owning process, but it can't tell you if that process is malicious. Netstat on its own cannot give you what you're looking for.

joeqwerty