> A good rootkit will install a "ps" that won't show the 'bot
> processes. The one time a machine of mine got hacked, netstat
> still worked, but I don't know why a hacked netstat couldn't be
> installed as well.
> Looking through /proc/<pid> is probably still reliable.
Hello Grant,
I keep an old portable around, running wireshark and a flat hub.
You can set your ethernet address to 0.0.0.0 and fire up wireshark.
You can then sniff any (ethernet) segment of your network for
> nefarious traffic or mal-configured network applications.
hth,
James
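The quoted point above, that /proc is populated by the kernel while `ps` is just a userland binary a rootkit can replace, is easy to turn into a check. The script below is an added example for this thread, not something posted by Grant or James: it snapshots the numeric entries of /proc, runs `ps -e -o pid=`, snapshots /proc again, and reports any PID that the kernel showed both times but `ps` omitted. Taking two /proc snapshots avoids false positives from processes that start or exit while `ps` is running. The `ps` column format and the `/proc/<pid>/comm` and `/proc/<pid>/exe` files are standard on Linux; the `proc_root` parameter exists only so the parsing can be exercised on constructed input. One caveat the thread only hints at: this catches a trojaned `ps`, not a kernel-level rootkit that filters /proc itself.

```python
"""Cross-check `ps` against /proc to spot processes a trojaned ps hides.

Added example for the thread, not code from the original posts. Assumes
a Linux /proc and a `ps` that accepts `-e -o pid=` (one PID per line).
"""
import os
import re
import subprocess


def pids_from_proc(proc_root="/proc"):
    """Return the set of PIDs the kernel exposes as numeric entries under proc_root."""
    try:
        names = os.listdir(proc_root)
    except OSError:
        # No /proc (non-Linux, or a constructed test path): nothing to compare.
        return set()
    return {int(n) for n in names if n.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` output: one whitespace-padded PID per line."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s*$", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_ps():
    """Run the system `ps` and return the PIDs it is willing to report."""
    result = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=False
    )
    return pids_from_ps_output(result.stdout)


def hidden_pids(proc_before, ps_pids, proc_after=None):
    """PIDs present in /proc (in both snapshots, if two are given) but absent from ps.

    Requiring a PID to survive both /proc snapshots filters out processes that
    were merely short-lived around the time `ps` ran.
    """
    stable = proc_before if proc_after is None else (proc_before & proc_after)
    return sorted(stable - ps_pids)


def describe(pid, proc_root="/proc"):
    """Best-effort label for a PID from its /proc comm and exe entries."""
    comm = exe = "?"
    try:
        with open(f"{proc_root}/{pid}/comm") as f:
            comm = f.read().strip()
    except OSError:
        pass
    try:
        exe = os.readlink(f"{proc_root}/{pid}/exe")
    except OSError:
        pass  # kernel threads have no exe link; unreadable without privilege
    return f"pid {pid}: comm={comm} exe={exe}"


def find_hidden(proc_root="/proc"):
    """Take /proc snapshot, run ps, take another snapshot, return hidden PIDs."""
    before = pids_from_proc(proc_root)
    reported = pids_from_ps()
    after = pids_from_proc(proc_root)
    return hidden_pids(before, reported, after)


if __name__ == "__main__":
    hidden = find_hidden()
    if not hidden:
        print("ps and /proc agree")
    for pid in hidden:
        print("hidden from ps:", describe(pid))
```

Run it as root so `/proc/<pid>/exe` resolves for every process; a hit whose exe link points at a deleted file or an odd path is the one to look at first.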
I can see in an xfce4 panel plugin that there is constantly a small
amount of incoming/outgoing traffic to/from the affected system when
there is no reason I know of for it. netstat doesn't show anything
that jumps out at me although this is the first time I've really used
it. All of the current netstat connections appear to be UNIX as
opposed to Internet. Should I paste them in?
- Grant