On Fri, Jan 20, 2012 at 5:27 PM, Michael Mol <mike...@gmail.com> wrote:
> If the machine is running Linux, then 'watch "lsof -n|grep TCP|grep 3680"'
> as root is a sloppy but effective way to find it. There's probably some
> way to set up a firewall rule on the host in question that logs out the
> user and (possibly) PID of the connection, but I don't know.
"lsof -i" is easier, it only shows network connections :) Catching it when it happens (if it is very briefly connected) could be hard with lsof... Maybe set up a tarpit firewall rule on that box so the connection stays open for a long time.
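The two replies above suggest grepping lsof output for the port and polling it because a short-lived connection is easy to miss. The script below is an added example written for this thread, not code posted by either participant: it parses `lsof -n -P -i TCP` output (the column layout COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME is assumed), matches the port exactly so that 3680 does not also match 36800, and wraps the lookup in a polling loop. The lsof output embedded in it is constructed so the parser can be exercised offline; the hostnames, PIDs and user names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): find which local process owns a TCP
# connection involving a given port, by parsing "lsof -n -P -i TCP" output.
# -n and -P keep hosts and ports numeric, so the port can be matched exactly
# (without -P, lsof may print a service name instead of the number).

# Constructed sample of "lsof -n -P -i TCP" output so this runs offline.
# On a live box the same parser is fed by:  lsof -n -P -i TCP | port_owners 3680
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sshd     4021   root    4u  IPv4  67890      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
mystery  5150   alice   7u  IPv4  99001      0t0  TCP 10.0.0.5:46122->192.0.2.10:3680 (ESTABLISHED)
curl     5151   bob     5u  IPv4  99002      0t0  TCP 10.0.0.5:36800->192.0.2.11:443 (ESTABLISHED)'

# port_owners PORT   (lsof output on stdin)
# Prints one line per TCP connection whose local or remote port is PORT:
#   PID USER COMMAND NAME
port_owners() {
    awk -v port="$1" '
        $1 == "COMMAND" { next }          # skip the header line
        $8 != "TCP"     { next }          # NODE column: only TCP sockets
        {
            # NAME is local:port or local:port->remote:port.
            # Anchor the port after a colon and before "->" or end of field,
            # so 3680 does not match 36800 or a port ending in 3680.
            re_remote = ":" port "$"
            re_local  = ":" port "->"
            if ($9 ~ re_remote || $9 ~ re_local)
                print $2, $3, $1, $9
        }'
}

# poll_port_owners PORT SECONDS ROUNDS
# Samples lsof repeatedly (the "watch" idea from the thread) and prints the
# distinct owners seen. A connection shorter than SECONDS can still slip
# between two samples. Needs lsof; not exercised by the offline run.
poll_port_owners() {
    i=0
    while [ "$i" -lt "$3" ]; do
        lsof -n -P -i TCP 2>/dev/null | port_owners "$1"
        i=$((i + 1))
        sleep "$2"
    done | sort -u
}

# Offline demonstration on the constructed sample: reports the "mystery"
# process (PID 5150, user alice) and not curl's connection on port 36800.
printf '%s\n' "$SAMPLE_LSOF" | port_owners 3680
```

Polling is inherently lossy, which is why the second reply suggests a tarpit to hold the connection open. The host-side logging rule the first reply wonders about exists in iptables: the LOG target's `--log-uid` option records the UID of the local process that generated an outbound packet (for example `iptables -A OUTPUT -p tcp --dport 3680 -m state --state NEW -j LOG --log-uid --log-prefix "port3680: "`), which gives the user but not the PID; combining that with the polling above narrows it to the process.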