I tried a Chrome extension I ran into on Reddit. It runs mitmproxy behind the scenes. Then, on one occasion, I had to run a proxy for work purposes, but I found port 8080 was already taken. It turned out Tamper keeps mitmproxy running even when it's disabled (not the extension but through the switch given in Tamper). This is how I found out which application was using port 8080.
lsof can be used to check which process owns a particular port
lsof -S -i <protocol>:<port> tells which process has the port assigned to it
For example,
lsof -i TCP:8080 -S
Running the above command shows output like this:
Python 15125 channi 3u IPv4 0xb1b0493c89f7e78f 0t0 TCP *:http-alt (LISTEN)
In the next step we can use ps to identify how the Python process with PID 15125 was started.
ps can be used to know the command with which the process was executed
Using the lsof command, we got the PID of the process that owns port 8080. Now we want to know how that process was started, so we have a better idea of what the process is meant to do.
On Mac OS, we use ps -A | grep 15125 to get that; the same command on Linux is ps -aux | grep 15125.
15125 is the PID of the process we got in the previous step. Using ps -A | grep 15125 gives us this output on OS X:
So now we see the process was started by the tamper.py Python script, which is used by the Tamper Chrome extension.
Tamper is a Chrome extension that uses mitmproxy to let us tamper with HTTP(S) requests, so this is apparently not a security breach.
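The two steps above combined into one script, as an added example that is not part of the original post. The function names (parse_lsof_fields, port_owner, sample_lsof_fields) are hypothetical, and it uses lsof's -F field output with -nP and -sTCP:LISTEN instead of the -S form shown above, so the PID can be read without depending on column positions.

```shell
#!/bin/sh
# Added example: map a listening TCP port to its PID and full command line.

# Turn `lsof -FpcL` field output (one field per line, prefixed with its
# field letter: p=PID, c=command name, L=login name) into tab-separated
# "PID<TAB>COMMAND<TAB>USER" rows, one per process. Other fields are ignored.
parse_lsof_fields() {
    awk -v OFS='\t' '
        /^p/ { if (pid != "") print pid, cmd, user
               pid = substr($0, 2); cmd = ""; user = "" }
        /^c/ { cmd  = substr($0, 2) }
        /^L/ { user = substr($0, 2) }
        END  { if (pid != "") print pid, cmd, user }
    '
}

# Constructed sample of field output, modelled on the lsof line in the post
# (not captured from a real host).
sample_lsof_fields() {
    printf '%s\n' p15125 cPython Lchanni f3
}

# Step 1: ask lsof which process listens on TCP port $1.
#   -n -P          skip DNS and port-name lookups (8080 stays 8080, not http-alt)
#   -sTCP:LISTEN   only listening sockets, not clients connected to the port
# Step 2: ask ps how each owner was started. Separate -o options are used
# because everything after "=" in one -o argument is taken as header text.
port_owner() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN -FpcL 2>/dev/null | parse_lsof_fields |
    while IFS="$(printf '\t')" read -r pid cmd user; do
        printf 'port %s: pid=%s name=%s user=%s\n' "$1" "$pid" "$cmd" "$user"
        # ppid shows what launched the process; command prints its full argv.
        ps -p "$pid" -o ppid= -o command=
    done
}

# Usage: sh port_owner.sh 8080
if [ -n "${1:-}" ]; then
    port_owner "$1"
fi
```

Without root, lsof only reports sockets of your own processes, so rerun with sudo if the port is busy but nothing is printed.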