Jeff Lovell <[EMAIL PROTECTED]> said:
> On Wed, 14 Mar 2001, Kai Schantz, Euroweb wrote:
>
> > This netstat i took right now:
> >
> > [root@www admin]# netstat -plven
>
> do not trust netstat on the box. this is almost always one
> of the first things replaced to hide the existence of open
> ports. use an external port scanner on your box such as
> nmap <http://www.insecure.org/nmap/>.
Quite right. I've recovered a few systems from rootkits,
and netstat is certainly one of the utilities that is often
replaced by crackers. Also replaced are:
ps -- hides nasty processes
netstat -- hides network connections
ls -- hides nasty files
telnetd -- hacked version of telnet with back door
If you suspect an attack, a quick check is the date stamps of
binaries. Try this:
ls -salt /bin /usr/bin /sbin /usr/sbin | more
and look for recent changes. You can do the same thing with
directories, or find with the mtime option.
In any case, seek expert help, e.g.
http://www.cert.org/security-improvement/practices/p096.html
Often innocuous utilities are replaced by compromised versions.
--
*********************************
Paul Gillingwater
Managing Director
CSO Lanifex Unternehmensberatung
& Softwareentwicklung G.m.b.H.
NEW BUSINESS CONCEPTS
E-mail: [EMAIL PROTECTED]
Telnum: +43/1/21 98 222
Mobile: +43/699/1922 3085
Webhome: http://www.lanifex.com
Address: Praterstrasse 60/1/2
A-1020 Vienna, Austria
*********************************
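The timestamp check above, as an added example that is not from the original post: a small POSIX sh script that lists recently changed files under the system binary directories (mtime as suggested, and ctime as a cross-check, since touch can reset mtime but not ctime) and reports which of the commonly replaced tools named in the post were touched. The directory paths are only conventional defaults.

```sh
#!/bin/sh
# Added example, not from the original post. Looks for recently changed
# files in binary directories, as the post suggests with "ls -salt" and
# "find -mtime". The /bin etc. defaults below are just conventional.

# recent_changes DAYS FIELD DIR...
#   FIELD is "mtime" (what the post suggests) or "ctime". An intruder can
#   reset mtime with touch, but ctime is set by the kernel on every inode
#   change and cannot be set by touch, so check both and compare.
recent_changes() {
    days="$1"; field="$2"; shift 2
    case "$field" in
        mtime) test_flag=-mtime ;;
        ctime) test_flag=-ctime ;;
        *) echo "field must be mtime or ctime" >&2; return 2 ;;
    esac
    # -exec ls -lt {} + prints hits newest first with size and owner,
    # and runs nothing when there are no hits.
    find "$@" -type f "$test_flag" "-$days" -exec ls -lt {} + 2>/dev/null
}

# recent_count DAYS FIELD DIR... : number of hits, handy for cron.
recent_count() {
    recent_changes "$@" | wc -l | tr -d ' '
}

# Tools the post names as commonly replaced by rootkits.
SUSPECT_TOOLS="ps netstat ls telnetd in.telnetd"

# changed_suspects DAYS FIELD DIR... : print each suspect tool found in
# the given directories whose FIELD time is within DAYS days.
changed_suspects() {
    days="$1"; field="$2"; shift 2
    for dir in "$@"; do
        for name in $SUSPECT_TOOLS; do
            [ -f "$dir/$name" ] || continue
            if [ "$(recent_count "$days" "$field" "$dir/$name")" -gt 0 ]; then
                printf '%s\n' "$dir/$name"
            fi
        done
    done
}

# Typical use: compare the two views. A file that looks old by mtime
# but fresh by ctime deserves a closer look.
if [ "${1:-}" = "--run" ]; then
    recent_changes 30 mtime /bin /usr/bin /sbin /usr/sbin
    changed_suspects 30 ctime /bin /usr/bin /sbin /usr/sbin
fi
```

Run it as `sh check.sh --run` on the suspect host, but remember that `find` and `ls` on a rootkitted box may themselves be replaced; a copy of known-good statically linked binaries, or examining the disk from another system, avoids that.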
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security