Hi Grant, personally (but this is by far only ONE possible setup for your task) I'd advise you to connect eth0 to wan through a box set up as a bridge (try brctl). If that box has a good wireless card and good drivers (this mostly means "if that box isn't running Windows") you can also put that wireless-card into promiscuous mode lock it to your chanel and ssid and feed wireshark your WEP-Key or WPA-PSK for decryption. If not, then you'll have to use a second box for the wireless sniffing.
BTW. current rootkits won't just replace ps or some other tools. Good rootkits do not run in userspace; they run in kernelspace. They directly intercept the function-calls. Just another thing to keep in mind while trying to scan for them. hth Paul Grant schrieb: >> > A good rootkit will install a "ps" that won't show the 'bot >> > processes. The one time a machine of mine got hacked, netstat >> > still worked, but I don't know why a hacked netstat couldn't be >> > installed as well. >> >> > Looking through /proc/≤pid> is probably still reliable. >> >> >> Hello Grant, >> >> I keep an old portable around, running wireshark and a flat hub. >> You can set your ethernet address to 0.0.0.0 and fire up wireshark. >> >> You can then sniff any (ethernet) segment of your network for >> nefarious traffic or male-configured network applictions. > > Ok, it sounds like the key to figuring this out is watching the > outgoing network traffic for weird stuff. eth0 is on the WAN and > wireless ath0 is on the local subnet. How would you monitor the > outgoing traffic considering my setup? > > - Grant > │ИМ╒▀╛z╦ ·з(╒╦&j)b· bst== -- [email protected] mailing list
