On 21.01.2012 01:12, Grant wrote:
>>> If the machine is running linux, then 'watch "lsof -n|grep
>>> TCP|grep 3680"' as root is a sloppy but effective way to find
>>> it. There's probably some way to set up a firewall rule on the
>>> host in question that logs out the user and (possibly) PID of
>>> the connection, but I don't know.
>>
>> "lsof -i" is easier, it only shows network connections :)
>>
>> catching it when it happens (if it is very briefly connected)
>> could be hard with lsof... Maybe setup a tarpit firewall rule on
>> that box so the connection stays open for a long time.
>
> The connections are only attempted a few times throughout the day.
> Is a tarpit firewall rule the only way to do this? Can anyone tell
> me what package 'watch' belongs to if that would work?
>
> - Grant
>

I get:

equery b watch
 * Searching for watch ...
net-irc/irssi-0.8.15-r1 (/usr/share/irssi/help/watch)
sys-process/procps-3.2.8_p11 (/usr/bin/watch)
x11-themes/gnome-themes-standard-3.3.4 (/usr/share/cursors/xorg-x11/Adwaita/cursors/watch)

First and third can be ruled out, I think. So one candidate remains:

sys-process/procps
     Available versions:  3.2.8 (~)3.2.8-r1 3.2.8-r2 (~)3.2.8_p10-r1 3.2.8_p11 {unicode}
     Installed versions:  3.2.8_p11(00:15:18 22.12.2011)(unicode)
     Homepage:            http://procps.sourceforge.net/
     Description:         Standard informational utilities and process-handling tools
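
An added example, not part of the original message: the 'watch "lsof ... grep 3680"' idea from the quoted thread done by polling the kernel socket table directly, which also reports the owning UID for half-open (SYN_SENT) attempts. The function names, the "watch" argument and the sample table are assumptions constructed for illustration; run it as root so other users' file descriptors are readable.

```bash
#!/bin/sh
# Added example: find which process owns TCP connections to a remote port by
# polling /proc/net/tcp and /proc/net/tcp6. Function names are hypothetical.

# Constructed sample in /proc/net/tcp format (not captured from a real host).
sample_table() { cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 0A00000A:C350 0A000014:0E60 02 00000001:00000000 01:00000064 00000000  1000        0 22222
   2: 0A00000A:0E60 0A000014:D431 01 00000000:00000000 00:00000000 00000000     0        0 33333
EOF
}

# remote_port_sockets TABLE PORT: print "uid inode state" for every socket in
# TABLE whose *remote* port is PORT (3680 is 0E60 in the table's hex notation).
remote_port_sockets() {
    local table=$1 hexport
    hexport=$(printf '%04X' "$2")
    awk -v p="$hexport" 'NR > 1 {
        split($3, rem, ":")                 # rem_address is HEXIP:HEXPORT
        if (toupper(rem[2]) == p) print $8, $10, $4
    }' "$table"
}

# pids_for_inode INODE: print PIDs holding an fd that points at socket:[INODE].
pids_for_inode() {
    local inode=$1 fd
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
        fd=${fd#/proc/}; echo "${fd%%/*}"
    done | sort -un
}

# Usage: ./script watch [PORT]   (state 02 = SYN_SENT, 01 = ESTABLISHED)
if [ "${1:-}" = "watch" ]; then
    port=${2:-3680}
    while sleep 0.2; do
        for t in /proc/net/tcp /proc/net/tcp6; do
            [ -r "$t" ] || continue
            remote_port_sockets "$t" "$port" | while read -r uid inode st; do
                echo "$(date +%T) uid=$uid state=$st pids=$(pids_for_inode "$inode" | tr '\n' ' ')"
            done
        done
    done
fi
```

Polling can still miss a connection that opens and closes between two passes, which is why the thread's tarpit suggestion (keeping the socket open) pairs well with it.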