How to detect which process is doing a port scan

I have a Linux server running an unauthorized process (which I do not know the name of) which is doing a port scan from the server out to the internet.

How do I find out which process this is and kill it?

Thanks!


Look at the lsof output and track down the process that is opening a large number of possibly sequential port numbers.
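
One way to do the lsof triage suggested in the answer above, as an added example that is not part of the original answer: it ranks processes by how many distinct remote endpoints they hold in `lsof -nP -iTCP` output. The function names and the sample lines are constructed for illustration, and it assumes the scanner uses ordinary TCP sockets that lsof can list.

```shell
#!/bin/sh
# Added example: rank processes by distinct remote endpoints seen in lsof output.

# Reads `lsof -nP -iTCP` output on stdin and prints
# "<distinct remote endpoints> <pid> <command>", busiest first.
# Only rows whose NAME column has "local->remote" are counted,
# so listening sockets are ignored.
rank_outbound() {
    awk '
        NR == 1 && $1 == "COMMAND" { next }       # skip the header row
        $9 ~ /->/ {
            split($9, ends, "->")                 # ends[2] is remote ip:port
            key = $2 SUBSEP ends[2]
            if (!(key in seen)) { seen[key] = 1; count[$2]++ }
            cmd[$2] = $1
        }
        END { for (pid in count) print count[pid], pid, cmd[pid] }
    ' | sort -k1,1nr -k2,2n
}

# Constructed sample (documentation address ranges, made-up PIDs and commands).
sample_lsof() {
    cat <<'EOF'
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd     812 root    3u  IPv4  18234      0t0  TCP *:22 (LISTEN)
sshd    1190 root    4u  IPv4  20551      0t0  TCP 192.0.2.10:22->203.0.113.5:51522 (ESTABLISHED)
httpd   2301 www     6u  IPv4  31877      0t0  TCP 192.0.2.10:80->203.0.113.9:40210 (ESTABLISHED)
perl    4242 www     3u  IPv4  90211      0t0  TCP 192.0.2.10:40112->198.51.100.7:21 (SYN_SENT)
perl    4242 www     4u  IPv4  90212      0t0  TCP 192.0.2.10:40113->198.51.100.7:22 (SYN_SENT)
perl    4242 www     5u  IPv4  90213      0t0  TCP 192.0.2.10:40114->198.51.100.7:23 (SYN_SENT)
perl    4242 www     6u  IPv4  90214      0t0  TCP 192.0.2.10:40115->198.51.100.7:25 (SYN_SENT)
EOF
}

# Demo on the constructed sample; on a live host use:
#   lsof -nP -iTCP | rank_outbound | head
sample_lsof | rank_outbound
```

lsof shows a single snapshot, so run it several times in a row, and run it as root so that sockets owned by other users are listed.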


If your system has been compromised, there may be no possible way to identify and kill the process. Your only recourse may be to restart the machine from clean media and start a scan/restore/rebuild.

See: Aftermath of a hack