How to tell what process has a specific port open on Linux?

I ran nmap on my server and found a strange port open. I'm trying to figure out if there is a way to map that port to a specific process but have no idea if there is such a tool.

Any suggestions?


Solution 1:

As well as Netstat, mentioned in other posts, the lsof command should be able to do this just fine. Just use this:

lsof -i :<port number>

and all of the processes should come up. I use it on OS X quite frequently.

Debian Administration article for lsof
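
The lookup behind `lsof -i :<port number>` on Linux, as an added example that is not part of either answer: take the listening socket's inode from /proc/net/tcp, then find the process whose /proc/<pid>/fd entries link to that inode. The sample table and function names are constructed for illustration; the script reads /proc on the running host, so it is only as trustworthy as that host's kernel.

```python
import os, re, sys

# Constructed sample in /proc/net/tcp format: a listener on port 22
# (0x0016, state 0A = LISTEN) and one established connection (state 01).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 12399 1 0000000000000000 20 4 30 10 -1
"""

def listening_inodes(table, port):
    """Socket inodes of LISTEN rows whose local port equals `port`."""
    inodes = set()
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        local, state, inode = f[1], f[3], f[9]   # local is HEXADDR:HEXPORT
        if state == "0A" and int(local.rsplit(":", 1)[1], 16) == port:
            inodes.add(inode)
    return inodes

def pids_holding(inodes, proc_root="/proc"):
    """Map pid -> command name for each process with an fd on one of `inodes`."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            if any((m := re.fullmatch(r"socket:\[(\d+)\]", l)) and m.group(1) in inodes
                   for l in links):
                with open(os.path.join(proc_root, pid, "comm")) as fh:
                    owners[int(pid)] = fh.read().strip()
        except OSError:                          # process exited, or we are not root
            continue
    return owners

if __name__ == "__main__":
    port = int(sys.argv[1])
    found = set()
    for name in ("tcp", "tcp6"):                 # IPv4 and IPv6 listeners
        try:
            with open("/proc/net/" + name) as fh:
                found |= listening_inodes(fh.read(), port)
        except OSError:
            pass
    print(pids_holding(found) or "no owning process visible")
```

A listening inode that no visible process holds is itself worth noting: either the script lacks root privileges or something is hiding the owner.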

Solution 2:

Warning: Your system is compromised.

The tool you need is lsof, which will list files (and sockets and ports). It is most likely installed, and it is most likely the attacker's version, which means it will lie to you.

This is indeed a rootkit. I have seen this behavior before, and it is always a rootkit. Your system is compromised, and any tools you are using that originate from the same machine cannot be trusted. Boot into a Live CD (which has read-only trusted binaries) and use that to extract your data, settings, etc. Any programs you had, any scripts you had, abandon them. Do not bring them. Treat them, and the system, as if they have leprosy, because they do.

Once you're done, nuke it from orbit.

Game over man, game over.

Do this as soon as possible. Oh, and unplug your network connection - deny your attacker access.