How to find out the full path of the command from the result of lsof -i

fileslsofprocesssmtp

lsof is a great utility, just now started using it.

lsof -i | grep smtp => this give the following result.

httpd.pl  212548          global    3u  IPv4 893092369      0t0  TCP server07.host...blah...

In the above example, httpd.pl is perl script, which sends spam emails.

How can I know the full path of the command. i.e in the above result, I want to know the full path of httpd.pl

I tried searching in home dir, the file httpd.pl is not there.
and also, I tried with lsof -p PID, this also does not give the path to it.

Is there any way, I can get the full path of that file ?

Note: This kind of problem is very common in shared hosting environment. So, it will be very useful for shared hosting or any web server administrator.

Best Answer

One way could be to examine the files opened by that process. Of the types shown in the FD column of lsof:

FD         is the File Descriptor number of the file or:

               cwd  current working directory;
               ...
               txt  program text (code and data);

So, try:

lsof -a -d txt -p 212548

For scripts, this does show the path of the interpreter used (such as /bin/bash). For shell scripts, the script file seemed to be open on fd 255 on my system, but for Perl scripts, there was no mention of the script file at all in lsof output.

Related Solutions

Under AIX, how can I get the full path of a program bound to a port

As recommended by IBM: use lsof -i -n and look for port XY. If you want parseable output from lsof, use the -F flag and parse the output with awk.

You can get pre-compiled binaries for AIX V5. I don't know if there are pre-compiled binaries for V6; if there aren't, get the source and compile it.

How to interpret this output of lsof command

COMMAND     PID     USER   FD   TYPE DEVICE SIZE/OFF     NODE NAME
webalizer 32342 ctxmortg    5uW  REG   8,17    12288 32890954 /home2/ctxmortg/tmp/webalizer/eyebestdatedotcomauph.ctxmortgagemortgagerefi.com/dns_cache.db

FD - File Descriptor

If you are looking for file being written, look for following flag

# - The number in front of flag(s) is the file descriptor number of used by the process to associated with the file
u - File open with Read and Write permission
r - File open with Read permission
w - File open with Write permission
W - File open with Write permission and with Write Lock on entire file
mem - Memory mapped file, usually for share library

So 3r means webalizer has a descriptor number 3 associated with ...dns_cache.db, with read permission.

TYPE - File Type

In Linux, almost everything are files, but with different type.

REG - REGgular file, file that show up in directory
DIR - Directory

NODE

inode number in filesystem

You can find complete details in the man page.