The admin of my network said our server is trying to scan port 445. We use our server for two reasons. 1. A web server, 2. Gateway for our colleague's laptop.
How can I find the malicious code? How can I know whether it is running on our server?
If the malicious process has bound to the port, you might be able to identify said process with netstat -ltnp | grep 445. From there you can use ps ax | grep YOUR_PID to map the process ID returned by netstat to actual running code.
If that doesn't work for you then you could install Fail2Ban (not a bad idea even if you weren't having the problems you are having) and let it figure out what keeps scanning that port. FYI, port 445 is used by Samba, so focus on things related to file sharing to narrow down your issue quickly.
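An added example, not part of the answer above: from the scanning host, a port 445 scan shows up as many outbound TCP connections (mostly half-open) whose remote port is 445, so this sketch goes beyond the listening-socket check and groups those connections by owning process. It assumes `ss` from iproute2 rather than netstat; the function names and the sample lines (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise which local processes own TCP connections to
# remote port 445. Input is `ss -Htanp` output (no header, all states,
# numeric, with process info). Output: total syn_sent pid name

# Constructed sample of `ss -Htanp` output, not taken from a real host.
sample_ss_output() {
    cat <<'EOF'
SYN-SENT 0 1 192.0.2.10:40112 198.51.100.21:445 users:(("worker",pid=4321,fd=7))
SYN-SENT 0 1 192.0.2.10:40114 198.51.100.22:445 users:(("worker",pid=4321,fd=8))
ESTAB 0 0 192.0.2.10:40120 198.51.100.23:445 users:(("worker",pid=4321,fd=9))
ESTAB 0 0 192.0.2.10:51000 203.0.113.5:445 users:(("smbclient",pid=900,fd=3))
ESTAB 0 0 192.0.2.10:443 203.0.113.9:51445 users:(("nginx",pid=120,fd=11))
LISTEN 0 50 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=77,fd=30))
SYN-SENT 0 1 [2001:db8::10]:40200 [2001:db8::99]:445 users:(("worker",pid=4321,fd=10))
EOF
}

summarise_445() {
    awk '
    {
        # Field 5 is peer address:port; the port follows the last colon,
        # which also covers bracketed IPv6 peers. Listeners have port "*".
        n = split($5, part, ":")
        if (part[n] != "445") next

        # "-" is reported when ss printed no owner (e.g. not run as root).
        pid = "-"; name = "-"
        if (match($0, /pid=[0-9]+/))
            pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /\(\("[^"]*"/))
            name = substr($0, RSTART + 3, RLENGTH - 4)

        key = pid " " name
        total[key]++
        if ($1 == "SYN-SENT") half[key]++   # half-open attempts
    }
    END {
        for (k in total)
            printf "%d %d %s\n", total[k], half[k] + 0, k
    }' | sort -k1,1nr
}

# Demo on the constructed sample; live use: ss -Htanp | summarise_445
sample_ss_output | summarise_445
```

On the live server, run `ss -Htanp | summarise_445` as root so that PIDs owned by other users are shown. Because the server is also a gateway, traffic forwarded from a laptop behind it has no local socket and will not appear in this output.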