#166 Linux  25.01.2008

How to find processes associated with open ports


Once you have found an unknown open port on your system, you need to verify that no malicious process is listening on it. Fortunately, it is easy to identify the corresponding process.

First we need a list of all open ports:
netstat -an

At the top of the list are the column headings "Local Address" and "Foreign Address". Below them you find the IP addresses, each followed by a colon and the port. For a better overview, it is possible to show the hostnames instead of the IP addresses:
netstat -a

Now we use lsof together with the port number for which we want to find the associated process. In this example it's port 25.
lsof -i:25

The result is the process ID (PID) and the name of the process that listens on this port.
The PID is all we need. If /proc is mounted, detailed information about the process is available there. "ps auxf" also reveals information about this process.

The following example shows the current working directory of the process:
ls -ld /proc/[PID]/cwd


It's even easier to find the process by adding more options to the netstat command. You find the PID in the last column:
netstat -tulpen
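
What lsof and netstat -p do with /proc to connect a port to a PID, as an added example that is not part of the original tip: the listening socket's inode is read from /proc/net/tcp and then matched against the fd symlinks of every process. The PROC variable and the function names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the original tip): map a listening TCP port to its
# PID using only /proc. PROC and all function names are assumptions made here.
PROC="${PROC:-/proc}"

# Print the socket inode of each LISTEN socket bound to TCP port $1.
# /proc/net/tcp and tcp6 rows: field 2 = HEXADDR:HEXPORT, field 4 = state
# (0A is LISTEN), field 10 = socket inode.
listen_inodes() (
    port_hex=$(printf '%04X' "$1")
    for table in "$PROC/net/tcp" "$PROC/net/tcp6"; do
        [ -r "$table" ] || continue
        awk -v p="$port_hex" 'NR > 1 && $4 == "0A" {
            n = split($2, a, ":")
            if (toupper(a[n]) == p) print $10
        }' "$table"
    done
)

# Print each PID holding a file descriptor that points at socket inode $1.
# An open socket shows up as the symlink /proc/PID/fd/N -> socket:[INODE].
pids_for_inode() (
    for fd in "$PROC"/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        rest=${fd#"$PROC"/}
        echo "${rest%%/*}"
    done | sort -un
)

# Print "PID name exe=PATH cwd=PATH" for every process listening on port $1.
port_owner() (
    for inode in $(listen_inodes "$1"); do
        for pid in $(pids_for_inode "$inode"); do
            printf '%s %s exe=%s cwd=%s\n' "$pid" \
                "$(cat "$PROC/$pid/comm" 2>/dev/null)" \
                "$(readlink "$PROC/$pid/exe" 2>/dev/null)" \
                "$(readlink "$PROC/$pid/cwd" 2>/dev/null)"
        done
    done
)

# Example: sh port_owner.sh 25
if [ $# -gt 0 ]; then port_owner "$1"; fi
```

Run it as root: without root, the fd directories of other users' processes are unreadable, so their sockets resolve to no PID. lsof and netstat -p have the same limitation.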