> A good rootkit will install a "ps" that won't show the 'bot
> processes.  The one time a machine of mine got hacked, netstat
> still worked, but I don't know why a hacked netstat couldn't be
> installed as well.

> Looking through /proc/<pid> is probably still reliable.


> Hello Grant,
>
> I keep an old portable around, running wireshark and a flat hub.
> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>
> You can then sniff any (ethernet) segment of your network for
> nefarious traffic or misconfigured network applications.

Ok, it sounds like the key to figuring this out is watching the
outgoing network traffic for weird stuff.  eth0 is on the WAN and
wireless ath0 is on the local subnet.  How would you monitor the
outgoing traffic considering my setup?

- Grant
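Added example, not code posted by anyone in this thread: a small POSIX
shell script covering both the /proc cross-check mentioned in the quoted
text above and Grant's question about watching what leaves the network.
It reads process and socket state straight from /proc instead of
trusting ps or netstat, and builds the tcpdump filter for traffic from
LAN hosts that is headed off the subnet. eth0 (WAN) and ath0 (LAN) are
the interface names from Grant's description; the LAN subnet
192.168.1.0/24 is an assumed example value, and the capture step needs
root.

```sh
#!/bin/sh
# Added example, not code from anyone in this thread. Cheap checks for the
# situation discussed above: read process and socket state straight from
# /proc instead of trusting ps/netstat, and capture traffic leaving the LAN.
# eth0 (WAN) and ath0 (LAN) are Grant's interface names; the LAN subnet
# 192.168.1.0/24 is an assumed example value. Capturing needs root.

# PIDs of all processes according to ps (procps form first, busybox form second).
ps_pids() {
    { ps -eo pid= 2>/dev/null || ps -o pid= 2>/dev/null; } | tr -d ' '
}

# PIDs that exist as /proc/<pid> but are missing from ps output. /proc is
# enumerated with a shell glob so a replaced ls cannot hide entries, and ps
# is sampled before and after so a process that merely started in between
# is not reported (the benign race).
find_hidden_pids() {
    before=$(ps_pids)
    candidates=
    for d in /proc/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d#/proc/}
        printf '%s\n' "$before" | grep -qx "$pid" || candidates="$candidates $pid"
    done
    [ -n "$candidates" ] || return 0
    after=$(ps_pids)
    for pid in $candidates; do
        # still alive and still absent from ps: worth a closer look
        [ -d "/proc/$pid" ] || continue
        printf '%s\n' "$after" | grep -qx "$pid" || echo "$pid"
    done
}

# What a PID is, read from /proc rather than from any tool that could be
# trojaned. An exe link ending in "(deleted)" means the binary was removed
# after launch, a common tell for dropped malware.
describe_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null || echo '?')
    printf 'pid %s exe=%s cmdline=%s\n' "$pid" "$exe" "$cmd"
}

# TCP ports in LISTEN state, decoded from /proc/net/tcp{,6} (local address
# is field 2 as hex addr:port, state is field 4, 0A = LISTEN), so that a
# trojaned netstat is never consulted.
listening_ports_from_proc() {
    for f in /proc/net/tcp /proc/net/tcp6; do
        [ -r "$f" ] || continue
        awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$f"
    done | while read -r hexport; do
        printf '%d\n' "0x$hexport"
    done | sort -un
}

# BPF filter for packets from LAN hosts that are headed off the subnet.
# Capturing on the LAN side (ath0) keeps the real internal source address,
# which NAT has already rewritten by the time the packet is seen on eth0.
build_outbound_filter() {
    lan=$1
    printf 'ip and src net %s and not dst net %s' "$lan" "$lan"
}

case "${1:-}" in
    check)
        find_hidden_pids | while read -r pid; do describe_pid "$pid"; done
        echo "listening tcp ports (from /proc): $(listening_ports_from_proc | tr '\n' ' ')"
        ;;
    capture)
        # usage: capture [iface] [lan-subnet] [outfile]; open the file in wireshark
        tcpdump -ni "${2:-ath0}" -s 0 -w "${4:-lan.pcap}" \
            "$(build_outbound_filter "${3:-192.168.1.0/24}")"
        ;;
esac
```

Run it as "sh script.sh check" on the suspect box and "sh script.sh
capture" (as root) to write a pcap for wireshark. The /proc cross-check
only catches a replaced ps or netstat binary: an LD_PRELOAD or kernel
module rootkit hides processes from the shell's own directory listing as
well, which is why watching the wire from a separate machine, as
suggested above, remains the stronger check.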
