lsof -Pni

Occasionally I’ll run across boxes that have been root-kitted and the netstat binary has been replaced. This new binary gives you the same info every time, and is designed to hide many active connections to the box, even your own SSH session! Luckily, it seems that many rootkits neglect to replace lsof so you can use the above snippet to review all Listening and Established connections to the box.

Downside: Need to have root access to run the code
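A second opinion that relies on neither netstat nor lsof is to read the kernel's own socket table from /proc/net/tcp and list anything the suspect tool leaves out. The script below is an added example, not code from the original post; the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example: read the kernel's TCP table from /proc/net/tcp and list
# sockets that a (possibly replaced) netstat binary does not report.

# 0100007F -> 127.0.0.1 (address bytes are little-endian on x86)
hex_to_ip() {
    b4=$(printf '%s' "$1" | cut -c1-2); b3=$(printf '%s' "$1" | cut -c3-4)
    b2=$(printf '%s' "$1" | cut -c5-6); b1=$(printf '%s' "$1" | cut -c7-8)
    printf '%d.%d.%d.%d' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
}

# stdin: /proc/net/tcp lines; stdout: "local_ip:port remote_ip:port STATE"
decode_tcp_table() {
    while read -r sl laddr raddr st _rest; do
        case $sl in *:) ;; *) continue ;; esac      # skip the header line
        case $st in
            01) state=ESTABLISHED ;;
            0A) state=LISTEN ;;
            *)  state="STATE_$st" ;;
        esac
        printf '%s:%d %s:%d %s\n' \
            "$(hex_to_ip "${laddr%%:*}")" "$((0x${laddr##*:}))" \
            "$(hex_to_ip "${raddr%%:*}")" "$((0x${raddr##*:}))" "$state"
    done
}

# stdin: decoded table; $1: text printed by the tool under suspicion.
# Prints every kernel socket the tool's output does not mention.
unreported_sockets() {
    tool_out=$(printf '%s\n' "$1" | tr -s ' ')
    while read -r l r state; do
        if [ "$state" = LISTEN ]; then want=" $l "; else want=" $l $r "; fi
        printf '%s\n' "$tool_out" | grep -qF -- "$want" || echo "$l $r $state"
    done
}

# Constructed sample data (columns after "st" omitted): the netstat text
# shows the SSH listener but not the established SSH session.
SAMPLE_PROC='  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0500000A:0016 077100CB:C738 01'
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN'

# Live use (IPv4 only; /proc/net/tcp6 holds the IPv6 sockets):
#   decode_tcp_table < /proc/net/tcp | unreported_sockets "$(netstat -ant)"
printf '%s\n' "$SAMPLE_PROC" | decode_tcp_table | unreported_sockets "$SAMPLE_NETSTAT"
```

This only catches replaced userland binaries; a rootkit that filters /proc inside the kernel will hide the same sockets here too.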

lsof +r 1 -p `ps axww | grep httpd | grep -v grep | awk ' { if(!str) { str=$1 } else { str=str","$1}}END{print str}'` | grep vhosts | grep php

This one is useful when Apache is eating up resources and you want to find out which site or file is the culprit. It will show you the current working directory for the process as well as what files are currently open. If you’re using FastCGI, just replace the grep httpd with grep php-cgi or whatever the associated process name is. It assumes that you host your web content in a vhosts directory of some sort (my use for this is on Plesk servers, so /var/www/vhosts/), so don’t forget to update the search for your scenario.

find / -noleaf -type f -size +51200k -exec ls -lh {} \; | awk '{print $5, substr($0, index($0,$9))};'

This finds the largest files, searching recursively from your search path. Works with directories/files that have spaces in the name. Don’t miss the single quote at the very end. Thanks to a co-worker for the awk-foo.

Alter the path immediately after “find” for your search needs. To start from your current location just use . or ./ instead. This particular search will find files over 50MB (51200k). The ‘size’ parameter will also take size in megabytes (M), and you can alter the search for files over the value (+) or under the value (-).

find is one of my favorite Linux commands because it’s just so versatile. The downside though is that there’s a bit of time that needs to be invested in man pages to really get to know the ins and outs of the command.