How to tell what process has a specific port open on Linux?

Solution 1:

As well as netstat, mentioned in other posts, the lsof command should be able to do this just fine. Just use this:

lsof -i :<port number>

and all of the processes should come up. I use it on OS X quite frequently.

Debian Administration article for lsof

Solution 2:

Warning: Your system is compromised.

The tool you need is lsof, which will list files (and sockets and ports). It is most likely installed, and it is most likely the attacker's version, which means it will lie to you.

This is indeed a rootkit. I have seen this behavior before, and it is always a rootkit. Your system is compromised, and any tools you are using that originate from the same machine cannot be trusted. Boot into a Live CD (which has read-only trusted binaries) and use that to extract your data, settings, etc. Any programs you had, any scripts you had, abandon them. Do not bring them. Treat them, and the system, as if they have leprosy, because they do.

Once you're done, nuke it from orbit.

Game over man, game over.

Do this as soon as possible. Oh, and unplug your network connection - deny your attacker access.


Solution 3:

sudo netstat -lnp  

Lists ports that are listening for incoming connections and the associated process that has the port open.


Solution 4:

netstat -anp

The "-p" tells it to list the process ID that has the port open. The "-an" tells it to list listening ports and not to resolve names. On busy systems that can greatly speed up how fast it returns.

netstat -anp | grep "LIST"

That'll just give you the open ports.
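
The netstat -p and lsof -i commands in the answers above get their data from /proc: a socket table such as /proc/net/tcp gives each socket's inode, and the /proc/<pid>/fd links show which process holds that inode. The following is an added example, not part of any of the original answers, that does the same lookup by hand for IPv4 TCP; the sample table and the function names are constructed for illustration.

```python
import os

# Constructed sample in /proc/net/tcp format (not from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000   108        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 0202000A:C5D2 01 00000000:00000000 02:000A1B2C 00000000     0        0 34567 4 0000000000000000 20 4 30 10 -1
"""
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp


def listening_sockets(table_text):
    """Return [(ip, port, inode)] for every LISTEN row of a /proc/net/tcp table."""
    rows = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = f[1].split(":")
        # IPv4 address bytes appear reversed on little-endian hosts.
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(hex_ip)))
        rows.append((ip, int(hex_port, 16), int(f[9])))
    return rows


def pids_for_inode(inode, proc="/proc"):
    """Find PIDs holding a file descriptor that links to socket:[inode]."""
    target, found = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                found.append(int(pid))
        except OSError:
            continue  # process exited, or not root and its fds are unreadable
    return sorted(found)


def who_has_port(port, table_text, proc="/proc"):
    """Map a listening TCP port to [(ip, inode, [pids])]."""
    return [(ip, inode, pids_for_inode(inode, proc))
            for ip, p, inode in listening_sockets(table_text) if p == port]


if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # live IPv4 table on the local host
        for ip, port, inode in listening_sockets(fh.read()):
            print(ip, port, inode, pids_for_inode(inode))
```

Run it as root, otherwise sockets owned by other users' processes map to no PID. Because it reads /proc directly it does not depend on the installed netstat or lsof binaries, but it still trusts what the running kernel reports.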


Solution 5:

If you can't see the port open with operating system tools and you suspect an intrusion, it could be that a rootkit has been installed.

The rootkit could have changed system tools to avoid certain processes and ports or changed kernel modules.

You can check for rootkits with several automated tools. 'apt-cache search rootkit' shows the following in Ubuntu:

chkrootkit - rootkit detector
rkhunter - rootkit, backdoor, sniffer and exploit scanner
unhide - Forensic tool to find hidden processes and ports

If you happen to have a rootkit you can revert the 'changes' to your system, but I recommend that you find out how the intrusion was made and harden the system so that it does not repeat.


They are not exclusive to Ubuntu; you can use them in CentOS too. Just look for the package or download it from their page.


By the output from that port it seems you're running pcanywhere indeed: "�Ы� <Enter>" is very similar to "Please press <Enter>", which is the pcanywhere welcome message. I don't know why the process doesn't show up in the process list. Are you root?

You can try rebooting to see if it's a one time process running, as well.