[Cialug] `lsof +L1`
Guy Helmer
ghelmer at palisadesystems.com
Wed Oct 12 17:36:44 CDT 2011
On UNIX and similar systems, files can exist in the filesystem without a filename (specifically known as a "link") pointing to them, as long as those files are held open by a process.
Usually this happens when a program opens a temporary file in /tmp or /var/tmp and then deletes (unlinks) it. The program can continue to use the file, and then when the file is closed, it completely disappears.
As you mention, it can also be useful for a process that wants to hide its data from the admin. However, if the process is killed or dies, whatever data that was in that file will be lost because the operating system will reclaim its inode…
Fun stuff!
Guy
On Oct 12, 2011, at 5:25 PM, Kenneth Younger wrote:
> http://danielmiessler.com/study/lsof/
>
> I was reading through this very interesting post about `lsof` and one of the last items he mentioned was `lsof +L1`. The author said this about it:
>
> "lsof +L1 shows you all open files that have a link count less than 1, often indicative of a cracker trying to hide something"
>
> So (of course) I tried running it myself, and found that I had quite a few results. I tried reading through the man page of lsof, but I'm still not understanding what the "link count" is, and specifically why it matters and/or could be an indicator of malicious activity.
>
> Thoughts?
>
> Thanks,
> -Kenny
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
--------
This message has been scanned by ComplianceSafe, powered by Palisade's PacketSure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cialug.org/pipermail/cialug/attachments/20111012/af633c27/attachment.html>
More information about the Cialug
mailing list