
View currently open network connections UNIX
Do you *know* what ports you have open on your machine or your server? Do you know what processes are communicating with what machines on the net, and as which user? If you are curious about these things, this script might be for you!

This is a bash script that runs in the background (via launchd) and gathers information about what currently open network connections your machine has, both outgoing and incoming (listening) ports. It does so every two minutes. When the script is run by root, it gathers the data; when run as any other user it displays the data.

You can use this in conjunction with GeekTool to always see the data on your screen. Here is the script:
#!/bin/bash
# Script to install open_ports.sh
# 2011-05-05 / Peter Möller, Datavetenskap, LTH
# Location: 
# http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports_install.sh


# Make sure the user is "root"
if [ ! "$USER" = "root" ] ; then
  echo "Must be run by root!"
  echo "Exiting..."
  exit 1
fi

# BINDIR points to the "binary"
BINDIR="/usr/bin"
# PREFIX points to where all the datafiles are stored
PREFIX="/Library/cs.lth.se/OpenPorts"
# IP_CACHE is a growing list of IP-addresses and their geo location. 
# Since this is being used by other scripts, it's not in the OpenPorts directory
IP_CACHE="/Library/cs.lth.se/ip_cache.txt"
# EXTERN stores the computers "external" address. Checked hourly
EXTERN="$PREFIX/ExternIP.txt"
# FILE4 stores current IPv4-ESTABLISHED connections. Generated every two minutes!
FILE4="$PREFIX/ip4.txt"
# FILE6 stores current IPv6-ESTABLISHED connections. Generated every two minutes!
FILE6="$PREFIX/ip6.txt"
# FILE_LISTEN stores current LISTEN connections. Generated every two minutes!
FILE_LISTEN="$PREFIX/listen.txt"
# CHECKSUM stores a sha1-checksum for the lsof-binary. Checked every two hours
CHECKSUM="$PREFIX/Checksum.txt"
# IP_LOCATE_CACHE is a temporary file that stores the geo location of the computers external address
IP_LOCATE_CACHE="$PREFIX"/ip_locate_cache.txt


# Fetch and launch the launchd-component
echo "Fetching launchd-component"
curl -o /Library/LaunchDaemons/se.lth.cs.open_ports.plist http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/se.lth.cs.open_ports.plist
chmod 644 /Library/LaunchDaemons/se.lth.cs.open_ports.plist
launchctl load /Library/LaunchDaemons/se.lth.cs.open_ports.plist
launchctl start se.lth.cs.open_ports
echo
echo

# fetch the script
echo "Fetching main script"
ScriptName="open_ports.sh"
curl -o /tmp/${ScriptName} http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/${ScriptName}
curl -o /tmp/${ScriptName}.sha1 http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/${ScriptName}.sha1
if [ "$(openssl sha1 /tmp/${ScriptName} | awk '{ print $2 }')" = "$(cat /tmp/${ScriptName}.sha1)" ]; then
  mv /tmp/${ScriptName} ${BINDIR}/${ScriptName}
  chmod 755 ${BINDIR}/${ScriptName}
else
  echo "Checksum does NOT match!! Installation aborted!"
  exit 1
fi
echo
echo

# Create the directory for the files and set the access rights
mkdir -p "$PREFIX"
chmod 755 "$PREFIX"
touch "$FILE4" "$FILE6" "$IP_CACHE" "$IP_LOCATE_CACHE"
chmod 666 "$FILE4" "$FILE6" "$IP_CACHE" "$IP_LOCATE_CACHE"

echo "Done installing base parts of \"open_ports.sh\". Now proceeding to install GeekTool"
echo

echo "Fetching GeekTool"
# Get GeekTool
curl -o /tmp/GeekTool.dmg http://update.tynsoe.org/geektool3/Public/GeekTool%203.0.dmg
hdiutil mount /tmp/GeekTool.dmg
open /Volumes/GeekTool\ 3/
say "Done installing base parts of open ports. Now you will have to install GeekTool yourself"

exit 0
Installation
  • Save the install script.
  • Start Terminal.
  • Become root: if you are a normal user, type sudo adminusername and then sudo -i; if you are an admin user, type sudo -i.
  • Set access rights for the install script: chmod 755 open_ports_install.sh (you must locate it).
  • Run the script: ./open_ports_install.sh.
  • The installation is normally quick. It ends with GeekTool being opened. To install it, double-click its .PrefPane.
  • In GeekTool: click the icon named "Shell" and drag it to an empty part of the desktop (must be free of windows). Size it as well.
  • A "Properties" window opens. What you need to enter is:
    • Command: open_ports.sh
    • Refresh every: 120 s
    • Change font to a monospace one (I'm using Menlo and white font color)
  • Now you may close GeekTool
Note that GeekTool doesn't move things around if you change the number of monitors (for instance a portable computer with external displays). It will, however, be visible again when you restore the monitor setting.

Also note that the script will start automatically after a reboot.

Update the script

The script auto-updates once per week. You can also update the script manually by running, as root, the following command in a terminal window:

open_ports.sh -u

It will fetch the latest version of the script and install it (if it is different than what you have). If you already have the latest version it will tell you!

You'll find the script and further information here.

Oh, and it runs on Linux as well (the exact same script -- different installer though). It also updates itself every two weeks if there's a new version available.

[crarko adds: I haven't tested this one.]
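
Added example (not part of the original hint or the author's installer): the installer above compares the download with a .sha1 file fetched over plain HTTP from the same server, which catches a corrupted transfer but not a replaced file. The sketch below instead checks a file staged in a private mktemp directory against a SHA-256 digest obtained in advance through a separate channel; the function names and their arguments are hypothetical.

```bash
#!/bin/bash
# Added example: install a download only if it matches a digest pinned ahead
# of time. sha256_of, install_if_pinned and fetch_and_install are hypothetical
# helper names, not part of open_ports.sh or its installer.

# Print the SHA-256 of a file using whichever standard tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | awk '{ print $1 }'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 < "$1" | awk '{ print $1 }'
  else
    openssl dgst -sha256 < "$1" | awk '{ print $NF }'
  fi
}

# install_if_pinned <staged-file> <expected-sha256> <destination>
# Returns 0 after installing, 1 on digest mismatch, 2 on other errors.
install_if_pinned() {
  local staged="$1" expected="$2" dest="$3" actual
  [ -f "$staged" ] || return 2
  actual="$(sha256_of "$staged")" || return 2
  # Hex digests are compared case-insensitively.
  actual="$(printf '%s' "$actual" | tr 'A-F' 'a-f')"
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  if [ "$actual" != "$expected" ]; then
    echo "Digest mismatch for $staged (got $actual); nothing installed" >&2
    return 1
  fi
  install -m 755 "$staged" "$dest"
}

# fetch_and_install <https-url> <expected-sha256> <destination>
# Stages the download in a directory only the caller can write to, instead of
# a fixed name under /tmp, and refuses any transport other than HTTPS.
fetch_and_install() {
  local url="$1" expected="$2" dest="$3" work rc
  work="$(mktemp -d)" || return 2
  if curl --proto '=https' --fail --silent --show-error -o "$work/staged" "$url"; then
    install_if_pinned "$work/staged" "$expected" "$dest"
    rc=$?
  else
    rc=2
  fi
  rm -rf "$work"
  return "$rc"
}

# Usage: fetch_and_install <https-url> <pinned-sha256> <destination>
```

The pinned digest has to reach the machine by a path other than the download itself (a signed release note, a configuration-management repository), otherwise the check proves no more than the original one.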
View currently open network connections
Authored by: fracai on Jul 07, '11 08:26:11AM

What's the deal with the hints that basically consist of a script which retrieves and installs assets as the root user? There was at least one other of these a few weeks ago.

Also, part of the open port script makes reference to www.whatismyip.com, but uses their outdated automation URL.

A simpler way to list your open ports is "lsof -i", grep for LISTEN to filter out other files and ESTABLISHED to narrow this down to just the open connections. Other tools like "netstat" are useful here as well.

---
i am jack's amusing sig file



View currently open network connections
Authored by: Sesquipedalian on Jul 07, '11 08:49:57AM

Specifically, the command would be lsof -i | grep -E "(LISTEN|ESTABLISHED)". Just clarifying for those not familiar with regular expressions.

And I agree that there is no need to run a root process just to do this.


View currently open network connections
Authored by: gidds on Jul 07, '11 12:32:46PM

Actually, it may be worth running lsof as root (e.g. by prefixing the command with sudo), because otherwise, it'll only show connections to processes running as your user.

But I fully agree with the principle; a simple task like this shouldn't need fancy scripts, and installing something like that as root, especially if it auto-updates, could be extremely dangerous.

---
Andy/


View currently open network connections
Authored by: BiL Castine on Jul 07, '11 10:11:57AM

furthermore, what's the deal with our esteemed moderator "crarko" almost never testing hints before posting them? isn't that his job? the original moderator "robg" tested almost every hint posted. Mac OS X Hints is an excellent asset to the community and as a cautious IT admin, I can discern the security implications of most hints, however this is a public information web site and as such should do a bit of due diligence testing the hints. otherwise, what's the point of even having a moderator?



View currently open network connections
Authored by: dzurn on Jul 07, '11 10:21:13AM
Not so good, yet another background script, running as ROOT, which automatically updates itself over the web!

I think the appropriate phrase about this security setup would be, "straining at Gnats but swallowing Camels." This cure could be worse than the disease.

Please use the lsof command in the comments above, instead.

---
Madness takes its toll.
Please have exact change.


View currently open network connections
Authored by: maxz on Jul 07, '11 10:38:23AM
CAUTION!

Even if the shell script was written with good intentions in mind, the distribution mechanism combined with the fact that it runs as root makes this "hint" questionable at best, just as the previous commenters have pointed out.

If you are new to or not familiar with shell scripting it is a daunting task to follow what the installed script does, so it is hard to verify what it does after installing it, making this a possible attack vector for malware.

As a hint, publishing the installer script instead of the installed script is not a service to the readers, unless we want to learn how to make "installers", but the hint was about learning to monitor open ports.

I second the previous posters in every aspect and think that this hint should never have passed moderation in its current form, even with every good intention it comes with.



View currently open network connections
Authored by: Quatch on Jul 07, '11 11:14:25AM

Why is it submitted by anonymous but with a full name in the script header comments?



View currently open network connections
Authored by: amaloney on Jul 07, '11 11:47:36AM

Does the WhoIsConnected widget do the same thing?
http://oxorr.com/apps/?1



View currently open network connections
Authored by: PeterMoller on Jul 08, '11 10:18:53PM

No, not really, but close! This was a really interesting one – thanks!



View currently open network connections
Authored by: theosib on Jul 07, '11 11:56:16AM

This hint is basically a trojan. It seriously needs to be redacted!



View currently open network connections
Authored by: babbage on Jul 07, '11 06:55:29PM

All of these replies are correct — this hint is a REALLY TERRIBLE IDEA, and should be redacted. Running a script as root to download & install network-scanning software from some random person's possibly sketchy Scandinavian server? Are you insane? NO NO NO.

If you want a non-insane way to do this, here's one that will work on any Mac, by leveraging the stroke command line tool embedded in every copy of Network Utility:

$ cd /Applications/Utilities/Network\ Utility.app/Contents/Resources
$ ./stroke 
2011-07-07 21:44:43.728 stroke[80012:903] stroke address startPort endPort
$ ./stroke localhost 0 1000
Port Scanning host: 127.0.0.1

	 Open TCP Port: 	22     		ssh
	 Open TCP Port: 	80     		http
	 Open TCP Port: 	88     		kerberos
	 Open TCP Port: 	139    		netbios-ssn
	 Open TCP Port: 	445    		microsoft-ds
	 Open TCP Port: 	548    		afpovertcp
	 Open TCP Port: 	631    		ipp
$ 

You can have that scan any address you like, and if you use it a lot, you can even symlink it to somewhere in your $PATH so that you don't have to type that all out every time:

$ sudo ln -s /Applications/Utilities/Network\ Utility.app/Contents/Resources/stroke /usr/local/bin/

That way, you can run stroke address startPort endPort and it will just work. And if you want to get fancy and build up something that runs it from cron or launchd or whatever, good for you.

But for Pete's sake, please don't ever follow the advice in this hint and download & run the garbage that got published here today.

---
--
DO NOT LEAVE IT IS NOT REAL


View currently open network connections
Authored by: babbage on Jul 07, '11 07:49:22PM

ADDENDUM:

Having now looked at Peter Moller's site, and read over the source of his scripts, it's not *that* bad.

Moller is a systems administrator at Lund University in Sweden. (I'll give the uni the benefit of the doubt & assume they don't have a criminal working as their sysadmin.) The output from the script does include a lot of information that isn't really as simple as just displaying the output from stroke or lsof or netstat. In my day job, I have to help manage a bunch of Linux servers, and having a display something like this would be pretty useful to me.

But the scripts make some serious, serious mistakes.

• You can't just run the thing and see the output in a Terminal window like a normal Unix script — you *must* run it through GeekTool.

• If you try to look at the source of the script while it's running, it will refuse to run, because the `vi open_ports.sh` command will show up among your running processes, and it halts when it sees this. (It's possible this is a bug rather than intentional obfuscation — obviously you can get around it by linking the file to another name and just working with the other version in the text editor.)

• If you try to modify the script, it will refuse to run, because it does an SHA checksum on itself, compared to a version downloaded from the author's site. (Then again, you could just comment out the checksum & exit code.)

• As another commenter noted, it's using a deprecated means to communicate with a Geo-IP lookup service that's of questionable utility anyway. Unless you're using this script to maintain a log of your travels, chances are you don't need this in the first place.

• By checking in with the author's web server, the program is effectively spyware, as it's recording an unnecessary log of where you've been and what software you've been running, and regularly phoning home back to the author's site. The current version does not appear to send personal information back, but given that the script has an auto-update mechanism built in, there is no guarantee about what future versions may do with this info.

Basically, if there were a version of this script that just ran like a normal Unix command and looked up this info and displayed it like this, that would be pretty handy. And if it wanted to have an optional update function THAT YOU CAN CONTROL, then that would be acceptable too — most software comes with some kind of update notification framework these days, that's not controversial. And if you could turn off the logging &/or the location lookups, even better.

But the original point that I & others made still stands. Unless you personally know & trust Mr Moller, these scripts as designed & written should not be considered. A version that fixed some of these problems, sure, that could be handy, but it would be almost as easy to just write it from scratch as it would to wait for an alternate version of this that wasn't so frightening.

---
--
DO NOT LEAVE IT IS NOT REAL



View currently open network connections
Authored by: PeterMoller on Jul 08, '11 12:22:55PM

Wow! Lots of opinions! :-)

>Having now looked at Peter Moller's site, and read over the source of his scripts, it's not *that* bad.
Well, thank you!


>Moller is a systems administrator at Lund University in Sweden. (I'll give the uni the benefit of the doubt & assume they don't have a criminal working as their sysadmin.)
I have been a sysadmin here for some 20 years now, and no, no criminal charges! :-) But I understand you guys; I probably would have been sceptical about this too. But look at the script, it's fairly simple and, I hope, well commented!

>The output from the script does include a lot of information that isn't really as simple as just displaying the output from stroke or lsof or netstat. In my day job, I have to help manage a bunch of Linux servers, and having a display something like this would be pretty useful to me.
I have it running on a bunch of servers at the dept. and on one machine, it immediately informed me that a whole bunch of clients still used its SMB-service (which they shouldn't have).


One general comment first: the script *must* run as root or you will only see your own network connections. One aspect of this script is to help find installed spyware/malware (and this is not one); those rarely run as *you*! Only seeing one user's aspect of a UNIX computer is almost completely useless in a general view. So, root. Unfortunately. Sorry, guys.


>• You can't just run the thing and see the output in a Terminal window like a normal Unix script — you *must* run it through GeekTool.
Nope. If you read the instructions, you see that run as root, the script generates the data and run as any other user (i.e. your normal account) it displays the data. Try it yourself! GeekTool just displays what would have been viewed in a Terminal window. This is how I run it under Linux.


>• If you try to look at the source of the script while it's running, it will refuse to run, […]
Yes, I know. Then again, I didn't consider it important enough to fix. Since the geo lookup can take some time, I didn't want it to launch copy after copy after copy of the script. I write it in TextWrangler and that doesn't make any problem.


>• If you try to modify the script, it will refuse to run, because it does an SHA checksum on itself, compared to a version downloaded from the author's site. (Then again, you could just comment out the checksum & exit code.)
Nope, absolutely not. The checksum is *only* used to verify the “new” script when updating.


>• As another commenter noted, it's using a deprecated means to communicate with a Geo-IP lookup service that's of questionable utility anyway. […]
True. Two points, though:
1. I included it mostly because I found it to be intriguing
2. But having it and starting to look at the data, I realised that this kind of information is coming big time (through different means, though). If nothing else, the Ad industry is highly into this and both iOS and OS X now have location manager (see this URL for instance: http://developer.apple.com/library/ios/#documentation/CoreLocation/Reference/CLLocationManager_Class/CLLocationManager/CLLocationManager.html)


>• By checking in with the author's web server, the program is effectively spyware, as it's recording an unnecessary log of where you've been and what software you've been running, and regularly phoning home back to the author's site.
Nope. Absolutely *not*. No information of any kind is transmitted from the client of open_ports.sh to the web-server — or any other server of any kind that I have or am aware of. Naturally, the apache web-server logs your visit in the normal way but nothing whatsoever more than that. Read the script!
There is a local logging that I included mostly to see how the computer's idea of where in the world I have been matches where I have actually been, but it is not needed or even used in any way (or communicated in any way to anyone).


>[…] And if it wanted to have an optional update function THAT YOU CAN CONTROL, then that would be acceptable too — most software comes with some kind of update notification framework these days, that's not controversial.[…]
Ok, I hear it loud and clear: people don't want auto update, so I will most probably turn it off in the next version and instead have the script perform the check (if there is a new version) and *inform* the user that there is a new version ready to be fetched.


>But the original point that I & others made still stands. Unless you personally know & trust Mr Moller, these scripts as designed & written should not be considered.
I guess I would have been wary as well. But now I'm me and find this quite useful at work, so I thought I should share it.



View currently open network connections
Authored by: S Barman on Jul 07, '11 08:48:54PM

You can also download and use nmap from nmap.org. Nmap does more probing and is a really nice tool!



View currently open network connections
Authored by: PeterMoller on Jul 08, '11 10:56:37PM

While “stroke” is a nice thing (that I didn't know about), it by no means does what open_ports.sh does.

/Peter
(author of open_ports.sh)



View currently open network connections
Authored by: PeterMoller on Jul 08, '11 10:24:07PM

No it's not a trojan: it's an installer script (I don't really know why the installer-script got published in the hint). The script itself is by no means a trojan.



View currently open network connections
Authored by: metiure on Jul 07, '11 01:15:59PM

Here is a good command line for Geektool:

lsof -i | grep -E "(LISTEN|ESTABLISHED)" | awk '{print $1 " " $8 " " $9 }'



View currently open network connections
Authored by: peterhoneyman on Jul 07, '11 03:45:27PM

comma is your friend

lsof -i | grep -E "(LISTEN|ESTABLISHED)" | awk '{print $1, $8, $9}'
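
Added example (not from any commenter in this thread): the lsof one-liners above, taken one step further so that listeners reachable on every interface are separated from loopback-only ones and duplicate IPv4/IPv6 entries are collapsed. It assumes the nine-column layout that lsof -nP -i prints (-n and -P keep addresses and ports numeric); the sample lines, addresses and user names are constructed.

```bash
#!/bin/bash
# Added example: summarise "lsof -nP -i" output read from stdin.
# summarize_connections and sample_lsof are hypothetical names.

summarize_connections() {
  awk '
    # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
    $8 != "TCP" { next }            # skips the header and UDP sockets
    $NF == "(LISTEN)" {
      name = $(NF-1)
      n = split(name, part, ":")
      port = part[n]
      addr = substr(name, 1, length(name) - length(port) - 1)
      if (addr == "*")                              scope = "all-interfaces"
      else if (addr ~ /^127\./ || addr == "[::1]") scope = "loopback-only"
      else                                          scope = "one-address"
      key = scope " " port " " $1 " " $3
      if (!seen[key]++) print "LISTEN", key   # one line per scope/port/command/user
      next
    }
    $NF == "(ESTABLISHED)" {
      split($(NF-1), peer, "->")
      print "ESTABLISHED", $1, $3, peer[1], "->", peer[2]
    }
  '
}

# Constructed sample in the layout printed by "lsof -nP -i".
sample_lsof() {
  cat <<'EOF'
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
sshd       71   root    4u  IPv4  0x1a2b      0t0  TCP *:22 (LISTEN)
sshd       71   root    5u  IPv6  0x1a2c      0t0  TCP *:22 (LISTEN)
cupsd     102   root    6u  IPv4  0x1a2d      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd     102   root    7u  IPv6  0x1a2e      0t0  TCP [::1]:631 (LISTEN)
Safari    455   alice  12u  IPv4  0x1a2f      0t0  TCP 192.0.2.10:50412->198.51.100.7:443 (ESTABLISHED)
mDNSRespo  55   _mdnsresponder 8u IPv4 0x1a30 0t0 UDP *:5353
httpd     300   _www    4u  IPv6  0x1a31      0t0  TCP *:80 (LISTEN)
EOF
}

# Live use (run by hand; sudo is needed to see other users' sockets):
#   sudo lsof -nP -i | summarize_connections
```

On the sample this prints four lines: sshd and httpd as all-interfaces listeners, cupsd as loopback-only, and the one established Safari connection.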



View currently open network connections
Authored by: peterhoneyman on Jul 07, '11 03:42:49PM

i would not run this in a million years! it runs as root, downloads a script from some web site, then executes it. OMG! OMG!



View currently open network connections
Authored by: PeterMoller on Jul 13, '11 01:20:44PM

Hi!

(Does anyone read such an old article?)

Anyhow, here it goes. I'm the author of open_ports.sh and would just like to mention a few things:

1. The auto-update has been removed
2. When data is generated, there is output to that effect (it will clutter the console log, but hey)
3. For an image of how it looks, please look at: http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports.sh_sample_output.png
4. To just look at the script, head over to:
http://fileadmin.cs.lth.se/cs/Personal/Peter_Moller/scripts/open_ports.sh
Datafiles in /Library/cs.lth.se will be created but nothing will be installed!! You can look at the script beforehand and then run it manually (as root or edit the script at line 327 or thereabout) to see for yourself.

I repeat: NOTHING will be transmitted to any of my servers apart from a normal apache-log entry when you (eventually) update. I have created “open_ports.sh” to the best of my abilities but there may always be bugs (and new features will introduce new ones…)



View currently open network connections
Authored by: Michelasso on Aug 24, '11 06:53:40AM

Now, I made the big mistake to run your script. Nice one to download and install unrequested things in the /usr/bin directory. So the question is simple: How do I uninstall everything? At least you could put a clean option on that!!


