
Re: [suse-security] rootkit?



On Friday 02 January 2004 6:51 am, Sascha Cunz wrote:
> > I checked it from home, using nmap (which isn't installed of the
> > machine in question). I thought it might be safer to check from
> > outside.
> >
<snip>
> >
> > Hm, haven't thought of this yet. I'll have to check this with our
> > ISP, thanx for the advice.
>
> Hi,
> however.
> 	netstat -anp
> on the box in question, will show you soon what it is listening on
> and also assign a process to a) each existing connection and b)
> each listened-for connection.

Any tool on the suspect box has to be treated with caution, IME.

It's always handy to keep a few statically-compiled binaries of things 
like ps and find and chkrootkit and sash - say - on a CD-R; if you 
suspect a compromise, put them on the suspect box and see if they 
give you anything more than the usual results.

(I find the various arguments of 'find' to be useful: 'find -atime' or 
'find -mtime' - any half-clued kiddie will modify the timestamps, but 
there's often something that doesn't get changed and can give you 
clues.)

- it should go without saying that the binaries need to be compiled 
for a system appropriate to your suspect box!

Additionally, lsof (http://www-rcd.cc.purdue.edu/~abe/) is invaluable 
for this sort of thing.

  best wishes,

    Gideon Hallett.
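The triage steps above (trusted static binaries from read-only media compared against the box's own tools, plus 'find -mtime') as an added shell example; this is not code from the thread, and the CD-R mount point /mnt/cdrom/bin is an assumption:

```shell
#!/bin/sh
# Added example: compare what a trusted, statically linked ps (from the
# CD-R) reports with what the suspect box's own ps reports.  A PID the
# trusted binary lists but the system binary omits deserves a close look.
TRUSTED_BIN="${TRUSTED_BIN:-/mnt/cdrom/bin}"   # assumed mount point

# pid_list <ps-binary>: print the PIDs it reports, one per line,
# lexically sorted so the lists can be fed to comm(1).
pid_list() {
    "$1" -eo pid= | tr -d ' ' | sort | uniq
}

# missing_pids <trusted-list-file> <system-list-file>: PIDs present only
# in the trusted list (space separated; empty string if the lists agree).
missing_pids() {
    comm -23 "$1" "$2" | tr '\n' ' ' | sed 's/ $//'
}

# recently_changed <dir> <days>: regular files under <dir> modified in the
# last <days> days ('find -mtime').  Timestamps can be faked, so this is a
# lead to follow up, not proof of anything.
recently_changed() {
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null
}

# compare_ps: run both ps binaries and print any PIDs the system's own
# ps failed to report.  Uses only the trusted binary for the reference list.
compare_ps() {
    t=$(mktemp) s=$(mktemp)
    pid_list "$TRUSTED_BIN/ps" > "$t"
    pid_list ps > "$s"          # the suspect box's own ps from $PATH
    missing_pids "$t" "$s"
    rm -f "$t" "$s"
}
```

Run compare_ps after mounting the CD-R; an empty result means both binaries agree on the process list, which is reassuring but not conclusive.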


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here