
Find history of which services used a certain Port?

3 Posts
2 Users
Posts: 16
Active Member
Topic starter

Hi guys,
I wanted to know if I can somehow find the history of which services used which ports and when.
I would like to know that regarding any operating system.

Posted : 31/01/2017 5:43 pm
Posts: 376
Reputable Member

Your question is extremely broad in scope; there is no one answer, since operating systems do not work alike, even between Windows versions that usually are quite homogeneous in functioning.

In general, there is no general logging of what service (process) is bound to what port (not 100% sure, but maybe Syslog does that when starting/stopping, IF that service decides to log anything), and on some systems (Unix-like) you can arbitrarily - and easily - map any service to a port given sufficient privileges using INetD - and then change it back. Or even not use INETD at all and just write everything into your own ELF that uses no system resources to go online by itself (like most malware would).

However, a thing you can do beforehand is to make a script that dumps the content of LSOF (Linux) and Netstat (Windows) to list active processes that have a listening socket - but that's it. Once the process exists, there is no way to tell.

(Suppose you're finding something exploiting and injecting code into, say, FTPD that opens up a socket to port 80 (which would not be logged) and downloads something from an HTTP server. You cannot assume that the FTP daemon used FTP to connect to the HTTP service; you have to have logs of this if you want to prove something is out of the ordinary.)

You can also dig down into access logs and see users connecting into service X which is running on port N - assuming there are any logs of that and that the software isn't lying or manipulating the logs - which would be uncommon. Most honest software logs truthfully, and most malware does not log anything, since that would be bad.

Welcome to the wonderful world of logs; the biggest problem is that they are implemented by programmers who never have to investigate anything and thereby usually are worthless - or even turned off.

Just my 2 cents.

Posted : 01/02/2017 6:31 am
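The reply above suggests building your own port history by periodically dumping the listening sockets, since the operating system itself keeps none. The script below is an added example and not code from the forum post or its author: it parses the output layout of `lsof -i -P -n` (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), keeps only listening sockets, and diffs consecutive snapshots into timestamped "bound"/"released" events, which is the history the question asks for. The two snapshot texts embedded in it are constructed sample output, and `capture_live()` only works where `lsof` is installed.

```python
"""Snapshot listening sockets periodically and diff the snapshots into a history.

Added example (not from the forum post). Parses `lsof -i -P -n` style output,
keeps sockets in a listening state, and reports when a (protocol, port, process)
binding appears or disappears between two snapshots. SNAPSHOT_A / SNAPSHOT_B
are constructed sample output for offline demonstration.
"""
import re
import shutil
import subprocess
import time
from datetime import datetime, timezone

# One lsof line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME,
# where NODE is TCP/UDP and NAME is "addr:port [(STATE)]".
LSOF_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)"
    r"(?:\s+\S+){4}"                                   # FD TYPE DEVICE SIZE/OFF
    r"\s+(?P<proto>TCP|UDP)\s+(?P<addr>\S+):(?P<port>\d+)"
    r"(?P<state>\s+\(LISTEN\))?$"
)


def parse_lsof(text):
    """Return the set of listening bindings as (proto, port, cmd, pid, user)."""
    bindings = set()
    for line in text.splitlines():
        m = LSOF_LINE.match(line.strip())
        if not m:
            continue  # header line, established connections, non-socket FDs
        if m["proto"] == "TCP" and not m["state"]:
            continue  # TCP socket that is not in LISTEN state
        # UDP sockets have no LISTEN state in lsof; a bound UDP socket is kept as-is.
        bindings.add((m["proto"], int(m["port"]), m["cmd"], int(m["pid"]), m["user"]))
    return bindings


def diff_snapshots(previous, current, timestamp):
    """Turn two binding sets into timestamped 'bound' / 'released' events."""
    events = []
    for binding in sorted(current - previous):
        events.append((timestamp, "bound", binding))
    for binding in sorted(previous - current):
        events.append((timestamp, "released", binding))
    return events


def format_event(event):
    """Render one event as a single log line."""
    ts, kind, (proto, port, cmd, pid, user) = event
    return f"{ts} {kind:8} {proto}/{port} {cmd}[{pid}] user={user}"


def capture_live():
    """Run lsof on this host; returns None where lsof is not installed."""
    if shutil.which("lsof") is None:
        return None
    out = subprocess.run(["lsof", "-i", "-P", "-n"], capture_output=True, text=True)
    return parse_lsof(out.stdout)


def monitor(interval_seconds=60):
    """Poll forever and print each change in the set of listening sockets."""
    previous = capture_live() or set()
    while True:
        time.sleep(interval_seconds)
        current = capture_live()
        if current is None:
            continue  # lsof unavailable on this run; do not report false releases
        now = datetime.now(timezone.utc).isoformat(timespec="seconds")
        for event in diff_snapshots(previous, current, now):
            print(format_event(event))
        previous = current


# Constructed sample output; the ESTABLISHED line must be ignored by the parser.
SNAPSHOT_A = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  19456      0t0  TCP *:22 (LISTEN)
nginx    1204   www     6u  IPv4  22011      0t0  TCP 0.0.0.0:80 (LISTEN)
chronyd   655   chrony  5u  IPv4  17890      0t0  UDP 127.0.0.1:323
sshd     2310   root    4u  IPv4  30122      0t0  TCP 10.0.0.5:22->10.0.0.9:51122 (ESTABLISHED)
"""
SNAPSHOT_B = """\
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  19456      0t0  TCP *:22 (LISTEN)
chronyd   655   chrony  5u  IPv4  17890      0t0  UDP 127.0.0.1:323
python3  4411   bob     3u  IPv4  41200      0t0  TCP 0.0.0.0:8080 (LISTEN)
"""


def demo():
    """Diff the two constructed snapshots; returns the resulting event list."""
    return diff_snapshots(parse_lsof(SNAPSHOT_A), parse_lsof(SNAPSHOT_B),
                          "2017-02-01T06:31:00+00:00")


if __name__ == "__main__":
    for event in demo():
        print(format_event(event))
```

Run from cron or a loop with `monitor()` and append the printed lines to a file that the process cannot modify; the result is a timeline of which process held which port, with a resolution equal to the polling interval. Bindings that come and go between two polls are still missed, which is the gap the reply above describes.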
Posts: 16
Active Member
Topic starter

Thanks so much for the elaborate answer! Much appreciated.

Posted : 05/02/2017 4:41 pm