You can also map that socket file descriptor to an actual connection/socket by running (as root):
netstat -eepan | grep 2898922
// @hal_pomeranz
Let's investigate a suspicious Linux process to see what files it has open. Malicious processes often have open files that can lead you to them. Commands:
cd /proc/<PID>/fd
ls -al
#DFIR
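The two steps in this thread (list /proc/<PID>/fd, then map a socket:[inode] link back to a connection) combined into one script, as an added example; it is not code from the thread or from @hal_pomeranz. Instead of grepping netstat output it reads /proc/net/tcp and /proc/net/udp directly, which is the same kernel table netstat -eepan prints (the inode is the last standard column). The fixtures created by make_sample (the fd symlinks, the /var/log/suspicious.log path, the two /proc/net/tcp rows and their inode numbers) are constructed for the demo; run the script as root with a real PID to use it live.

```shell
#!/bin/sh
# proc_fd_sockets.sh: show what a process has open and resolve its socket
# inodes to endpoints.  Example code, not from the thread above.

# Print "fd -> target" for each entry of an fd directory (e.g. /proc/<pid>/fd).
list_fds() {
  for fd in "$1"/*; do
    [ -L "$fd" ] || continue
    printf '%s -> %s\n' "$(basename "$fd")" "$(readlink "$fd")"
  done
}

# Print the inode of every socket:[NNN] link in an fd directory, one per line.
socket_inodes() {
  for fd in "$1"/*; do
    [ -L "$fd" ] || continue
    target=$(readlink "$fd")
    case "$target" in
      'socket:['*']') printf '%s\n' "$target" | tr -dc '0-9'; echo ;;
    esac
  done
}

# Convert a /proc/net/tcp address ("0100007F:1F90", little-endian hex IPv4
# plus hex port) to dotted decimal ("127.0.0.1:8080").
hex_to_addr() {
  ip=${1%%:*}; port=${1##*:}
  b1=$(printf '%s' "$ip" | cut -c1-2); b2=$(printf '%s' "$ip" | cut -c3-4)
  b3=$(printf '%s' "$ip" | cut -c5-6); b4=$(printf '%s' "$ip" | cut -c7-8)
  printf '%d.%d.%d.%d:%d\n' $((0x$b4)) $((0x$b3)) $((0x$b2)) $((0x$b1)) $((0x$port))
}

# Look an inode up in one or more /proc/net/{tcp,udp}-format tables (default:
# the live ones) and print protocol, state, endpoints and owning uid.
# Awk fields: $2 local, $3 remote, $4 state, $8 uid, $10 inode (header skipped).
resolve_inode() {
  inode=$1; shift
  [ $# -gt 0 ] || set -- /proc/net/tcp /proc/net/udp
  for table in "$@"; do
    proto=$(basename "$table")
    awk -v inode="$inode" 'NR > 1 && $10 == inode { print $2, $3, $4, $8 }' "$table" |
    while read -r laddr raddr st uid; do
      case "$st" in
        01) state=ESTABLISHED ;; 0A) state=LISTEN ;; 07) state=CLOSE ;; *) state="st=$st" ;;
      esac
      printf '%s %s %s -> %s uid=%s inode=%s\n' "$proto" "$state" \
        "$(hex_to_addr "$laddr")" "$(hex_to_addr "$raddr")" "$uid" "$inode"
    done
  done
}

# Build a constructed fixture: a fake fd directory and a fake /proc/net/tcp.
# Inode numbers, paths and addresses here are made up for the demo.
make_sample() {
  d=$(mktemp -d)
  mkdir "$d/fd"
  ln -s /dev/null "$d/fd/0"
  ln -s /var/log/suspicious.log "$d/fd/1"
  ln -s 'socket:[2898922]' "$d/fd/3"
  ln -s 'socket:[1234567]' "$d/fd/4"
  ln -s 'pipe:[99999]' "$d/fd/5"
  printf '%s\n' \
    '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
    '   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 2898922 1 0000000000000000 100 0 0 10 0' \
    '   1: 0F02000A:C350 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1234567 1 0000000000000000 20 4 30 10 -1' \
    > "$d/tcp"
  echo "$d"
}

# Live mode: ./proc_fd_sockets.sh <pid>  (run as root to read other users' fds)
if [ -n "${1:-}" ]; then
  list_fds "/proc/$1/fd"
  socket_inodes "/proc/$1/fd" | while read -r i; do resolve_inode "$i"; done
fi
```

Only IPv4 tables are consulted; add /proc/net/tcp6 and /proc/net/udp6 to the resolve_inode arguments for IPv6 sockets (their addresses are 32 hex digits and need a different decoder). Cross-check against "lsof -p <pid>" as suggested in the thread: a socket inode that is open in /proc/<pid>/fd but absent from every /proc/net table is worth a closer look.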
I'm also a big fan of lsof, which is available on most Linux distros-- "lsof -p <pid>" or "lsof -c <cmd>"
Jan 4, 2021 · 11:01 PM UTC