Re: [suse-security] rootkit?
On Friday 02 January 2004 6:51 am, Sascha Cunz wrote:
> > I checked it from home, using nmap (which isn't installed on the
> > machine in question). I thought it might be safer to check from
> > outside.
> > Hm, haven't thought of this yet. I'll have to check this with our
> > ISP, thanx for the advice.
> netstat -anp
> on the box in question will show you soon what it is listening on
> and also assign a process to a) each existing connection and b)
> each listened-for connection.
Any tool on the suspect box has to be treated with caution, IME.
It's always handy to keep a few statically compiled binaries of things
like ps and find and chkrootkit and sash - say - on a CD-R; if you
suspect a compromise, put them on the suspect box and see if they
give you anything more than the usual results.
(I find the various arguments of 'find' to be useful: 'find -atime' or
'find -mtime' - any half-clued kiddie will modify the timestamps, but
there's often something that doesn't get changed and can give you
- it should go without saying that the binaries need to be compiled
for a system appropriate to your suspect box!
Additionally, lsof (http://www-rcd.cc.purdue.edu/~abe/) is invaluable
for this sort of thing.
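One concrete version of the "something that doesn't get changed" idea, as an added example that is not from this thread: `touch -t` can rewrite a file's atime and mtime, but the kernel stamps ctime with the current time on every inode change and userland cannot set it directly, so a file whose ctime is far newer than its mtime has had its timestamps rewritten after the fact. The function below assumes GNU or busybox `stat -c` and `find`, and the file names are ones I made up.

```shell
#!/bin/sh
# backdated_files DIR [SLACK_SECONDS]
#
# Walk DIR and print "mtime ctime path" for every regular file whose
# ctime (last inode change) is more than SLACK_SECONDS (default 60)
# newer than its mtime (last content change). Under normal editing the
# two move together; touch -t moves mtime backwards and leaves ctime
# at "now", which is the gap this looks for. Run it from a trusted,
# statically linked find/stat (e.g. off the CD-R mentioned above), not
# the suspect box's own copies.
backdated_files() {
    dir=$1
    slack=${2:-60}
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # %Y = mtime, %Z = ctime, both as seconds since the epoch
        ts=$(stat -c '%Y %Z' "$f" 2>/dev/null) || continue
        set -- $ts
        mtime=$1
        ctime=$2
        if [ $((ctime - mtime)) -gt "$slack" ]; then
            printf '%s %s %s\n' "$mtime" "$ctime" "$f"
        fi
    done
}

# Stand-alone demonstration on a constructed directory: one file left
# alone, one with its mtime pushed back to 1 Jan 2000 via touch -t.
demo_backdated() {
    tmp=$(mktemp -d)
    printf 'untouched\n' > "$tmp/normal.txt"
    printf 'suspect\n' > "$tmp/backdated.txt"
    touch -t 200001010000 "$tmp/backdated.txt"
    backdated_files "$tmp"          # lists only backdated.txt
    rm -rf "$tmp"
}
```

Expect legitimate hits too: package installs and `tar -x` preserve the archive's mtime while ctime becomes the extraction time, so treat the output as a triage list to compare against what you know was installed, not as proof on its own.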