[Cialug] `lsof +L1`

Kenneth Younger kyounger at gmail.com
Wed Oct 12 17:25:43 CDT 2011


http://danielmiessler.com/study/lsof/

I was reading through this very interesting post about `lsof` and one of the
last items he mentioned was `lsof +L1`. The author said this about it:

"lsof +L1 shows you all open files that have a link count less than 1, often
indicative of a cracker trying to hide something"

So (of course) I tried running it myself, and found that I had quite a few
results. I tried reading through the man page of lsof, but I'm still not
understanding what the "link count" is, and specifically why it matters
and/or could be an indicator of malicious activity.

Thoughts?

Thanks,
-Kenny
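
Added example, not part of the original post and not lsof's own code: a file's link count is the number of directory entries (names) that point at its inode, and a file whose last name has been removed while a process still holds it open has a count of 0, which is the condition `lsof +L1` selects. The sketch follows one file through that state and then finds it with a Linux-only `/proc` scan; the file names and the functions `unlinked_open_files` and `demo` are made up for illustration.

```python
import os
import tempfile

HAVE_PROC = os.path.isdir("/proc/self/fd")  # the scan below needs Linux /proc


def unlinked_open_files(pid):
    """Return [(fd, target)] for descriptors of `pid` whose file has link count 0."""
    hits = []
    fd_dir = f"/proc/{pid}/fd"
    try:
        names = os.listdir(fd_dir)
    except OSError:          # no /proc, process gone, or not permitted
        return hits
    for name in names:
        entry = os.path.join(fd_dir, name)
        try:
            # stat() follows the /proc link to the open file itself
            if os.stat(entry).st_nlink < 1:
                hits.append((int(name), os.readlink(entry)))
        except OSError:      # descriptor closed while scanning
            continue
    return hits


def demo():
    """Follow one file's link count from creation to removal of its last name."""
    workdir = tempfile.mkdtemp(prefix="nlink-demo-")   # constructed scratch dir
    path = os.path.join(workdir, "data.txt")
    alias = os.path.join(workdir, "alias.txt")
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, b"still here\n")
        counts = [os.fstat(fd).st_nlink]        # one name
        os.link(path, alias)                    # second hard link
        counts.append(os.fstat(fd).st_nlink)
        os.unlink(path)
        os.unlink(alias)                        # no names left, still open
        counts.append(os.fstat(fd).st_nlink)
        os.lseek(fd, 0, os.SEEK_SET)
        data = os.read(fd, 64)                  # contents remain readable
        flagged = fd in [n for n, _ in unlinked_open_files(os.getpid())]
    finally:
        os.close(fd)
        os.rmdir(workdir)
    return counts, data, flagged


if __name__ == "__main__":
    print(demo())
```

Ordinary software produces the same state (temporary files unlinked right after creation, rotated logs, binaries replaced by a package upgrade while still running), so a hit is something to triage by owning process and path rather than proof of tampering.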