How to view the calling script on Linux

0

I am trying to write a script to help with computer security. I am trying to look for open ports, find the PID, and find what called it.

I have it working, where my output looks something like this:

IPV4 - 1234 - 2566/nc

Running from: /bin/nc.openbsd

Command run: nc -l 1234

However, in the nature of looking for backdoors, there may be a script on my computer somewhere that would call nc. Is it possible, from the PID of nc, to find the original script's location?

Say in /etc/rc.local I put the line nc -l 1234, could I get something that would tell me that the nc command was opened by /etc/rc.local?

Thanks!

P.S. I felt this was better suited here rather than stackoverflow due to the problem being a Linux problem, rather than a problem with my script.

zer0w1re

Posted 2014-11-24T17:27:38.850

Reputation: 1

Question was closed 2014-11-24T19:20:29.167

[unix.se] may be able to give you a good answer as well. – Tim – 2014-11-24T17:42:51.643

Thanks Tim, I'll try asking there. Hope it isn't against the rules to cross post like that... just briefly looked through the rules and didn't see it say anything. – zer0w1re – 2014-11-24T17:47:40.110

It can be discouraged until you have waited a bit, but there shouldn't be anything wrong. You may get some different answers. – Tim – 2014-11-24T17:55:37.710

@Tim Cross posting is discouraged, so please don't tell users to do it. You could explain to them that if they posted a question and haven't received an answer in, say, two days, they can flag it for attention to have it migrated there, but please don't let them duplicate it. Thanks for your understanding. – slhck – 2014-11-24T19:20:27.117

Closed for cross posting. – slhck – 2014-11-24T19:20:55.143

@slhck thanks for putting a number to that. I know that on AU we don't like U&L questions cross posted, but didn't know the time that they should wait here! – Tim – 2014-11-24T19:25:34.690

Answers

1

To get the PID of the Parent Process, you can use the command:

ps -ef

It will give you a process listing that includes both of the PIDs.

If the command was started from a script, then the PPID (parent process ID) that the command returns would be the PID of the script that started it.

Marianna

Posted 2014-11-24T17:27:38.850

Reputation: 284

The PPID only shows "bash" rather than the script's location. – zer0w1re – 2014-11-24T17:54:12.713

ps has a ton of options. You might also try ps axjf. But that does not give you script compatible information. It may be necessary to pipe together some commands to get exactly the info you want. I did not intend to write the script for you, but to point you in the right direction. – Marianna – 2014-11-24T18:29:03.647

You should also consider that keying in on a suspicious name like nc will often fail. Exploits usually hide behind an inconspicuous name like "init" which is present on every running system. Better to look for open ports with netstat and don't forget lsof as a tool. – Marianna – 2014-11-24T18:32:43.870

0

I ended up using the following:

# /proc/$pid/cwd is a symlink to the working directory of the listening process;
# grep -l prints only file names (the awk -F: trick breaks on names containing ':') and -F matches the command line literally
grep -rlF -- "$command" "$(readlink /proc/$pid/cwd)"

Where command="$(tr '\0' ' ' < /proc/$pid/cmdline | sed 's/ $//')"

Which will recursively grep through the files in the directory that the script is in to find the file that contains the running nc command.

Seems kind of messy, so if anyone could help clean that up a bit that'd be great :)

Thanks for the help guys!

zer0w1re

Posted 2014-11-24T17:27:38.850

Reputation: 1