[Cialug] `lsof +L1`
Kenneth Younger
kyounger at gmail.com
Wed Oct 12 17:25:43 CDT 2011
http://danielmiessler.com/study/lsof/
I was reading through this very interesting post about `lsof` and one of the
last items he mentioned was `lsof +L1`. The author said this about it:
"lsof +L1 shows you all open files that have a link count less than 1, often
indicative of a cracker trying to hide something"
So (of course) I tried running it myself, and found that I had quite a few
results. I tried reading through the man page of lsof, but I'm still not
understanding what the "link count" is, and specifically why it matters
and/or could be an indicator of malicious activity.
Thoughts?
Thanks,
-Kenny
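
Added example (not part of the original message or the linked article): a file's link count is the number of directory entries that name its inode, and it drops to 0 when the last name is removed while a process still holds the file open, which is the state `lsof +L1` reports. The sketch below assumes Linux with `/proc` mounted; the function names and the temporary file are constructed for illustration.

```python
import os
import tempfile


def unlinked_open_files(pid="self"):
    """Rough equivalent of `lsof +L1` for one process: open fds whose inode has link count < 1."""
    fd_dir = f"/proc/{pid}/fd"          # assumption: Linux procfs is mounted
    hits = []
    for name in os.listdir(fd_dir):
        link = os.path.join(fd_dir, name)
        try:
            st = os.stat(link)          # follows the fd link to the open inode, even if unlinked
            target = os.readlink(link)  # the kernel appends " (deleted)" to unlinked paths
        except OSError:
            continue                    # fd closed in the meantime, or not permitted
        if st.st_nlink < 1:
            hits.append((int(name), target, st.st_nlink))
    return hits


def demo():
    """Create a file, remove its only name while it is still open, and look for it."""
    fd, path = tempfile.mkstemp(prefix="nlink-demo-")   # constructed sample file
    try:
        before = os.fstat(fd).st_nlink   # 1: one directory entry points at the inode
        os.unlink(path)                  # name is gone; data lives until the fd is closed
        after = os.fstat(fd).st_nlink    # 0: no directory entry left
        listed = any(h[0] == fd for h in unlinked_open_files())
        return before, after, listed
    finally:
        os.close(fd)


if __name__ == "__main__":
    print(demo())
    for fd, target, nlink in unlinked_open_files():
        print(fd, nlink, target)
```

Ordinary programs that unlink their temporary files while keeping them open produce the same entries, so each hit has to be judged by which process holds it and what the file was.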