Re: process identification

From: Nik Schild (nikschild_at_gmx.net)
Date: 05/04/04

Date: Tue, 04 May 2004 08:56:05 +0200
To: security-basics@securityfocus.com

    Hi Stijn

    try 'lsof -i' but this will probably not work either, because the
    attacker may have replaced all important binaries or he may even have
    installed a root-kit.
    I guess you don't have a host based IDS to check your binaries. Try
    http://www.knowngoods.org/ to verify your binaries (for rpm systems: rpm
    -Va). Check also http://www.chkrootkit.org/ for root-kit detection. If
    you don't make any progress boot from a trusted CD and investigate again.

    good luck
    Nik

    Stijn De Weirdt wrote:
    > hello,
    >
    > i have a computer that has been (successfully :( ) attacked, and i'm
    > currently checking how 'they' did it. the computer has an open port with a
    > listening ftp-server, but there is no matching PID with netstat. so here's
    > the question: how do i get the process-id?
    >
    > some data:
    > the computer is running some old mandrake version (9.0, kern 2.4.19-16mdk)
    >
    > 'netstat -vapt' output:
    > Proto Recv-Q Send-Q Local Address   Foreign Address   State    PID/Program name
    > tcp        0      0 xxx.xxx.xxx:81  *:*               LISTEN   -
    >
    > (denote the last -)
    >
    > nmap -p 81 (from another machine) gives
    > Port State Service
    > 81/tcp filtered hosts2-ns
    >
    > but telnet from the same machine gives (partly)
    > 220 xxx.xxx.xxx FTP server (Version 1.8 - 2002/01/14 20:09:00) ready.
    >
    > the ftp-server seems very highly modified, meaning that
    > 1. there isn't supposed to run one on that computer (but there is one
    > installed)
    > 2. doesn't recognise any commands like cd, ls, get, put, login...
    >
    > currently port 81 is being DROP/LOG via iptables, and i'm reinstalling it
    > in a few days, but any advice on how to look for the server process is
    > handy. i have root access to the machine, so that's no problem.
    >
    > many thanks
    > stijn
    >

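The reply's point is that netstat -p and lsof -i only report a PID if the userland binaries doing the lookup can be trusted, and on a compromised host they may have been swapped out. Both tools get that mapping the same way: they read the socket inode of each LISTEN entry in /proc/net/tcp and look for a /proc/PID/fd/* link pointing at socket:[inode]. The script below is an added example, not code from the thread or from either poster, that does the same lookup with nothing but /bin/sh, awk and readlink reading /proc directly, so a trojaned netstat or lsof is out of the picture. It goes beyond the thread in one way: it prints an explicit "no owner visible" marker when a listening socket maps to no process at all, which is what a kernel-level rootkit hiding the process looks like from /proc and is the case where the suggested boot from trusted media is the only reliable next step. It assumes a Linux /proc filesystem and root privileges (reading other processes' fd links needs them); the sample /proc/net/tcp lines used in the test are constructed, not from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original thread): map listening TCP sockets to
# the owning PID by reading /proc directly instead of trusting netstat/lsof.
# Assumptions: Linux /proc, awk, coreutils/busybox readlink, run as root.
# Limitation: a kernel-level rootkit that hides a process from /proc will also
# hide it from this script; an owner-less LISTEN socket is then the signal.

# Convert a /proc/net/tcp address field (little-endian hex IPv4, hex port)
# to dotted-decimal:port, e.g. 0100007F:0051 -> 127.0.0.1:81
hex_to_addr() {
    a=${1%:*}                 # 8 hex chars of address
    port=$((0x${1#*:}))       # port is big-endian hex
    b1=${a#??????}            # chars 7-8 -> first octet
    b4=${a%??????}            # chars 1-2 -> last octet
    t=${a#??};   b3=${t%????} # chars 3-4
    t=${a#????}; b2=${t%??}   # chars 5-6
    printf '%d.%d.%d.%d:%d\n' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))" "$port"
}

# Print "addr:port inode=N" for every socket in state 0A (LISTEN).
# Takes an optional file argument so it can be run against a saved copy.
list_listeners() {
    f=${1:-/proc/net/tcp}
    # field 4 is the socket state, field 10 the inode number
    awk 'NR > 1 && $4 == "0A" { print $2, $10 }' "$f" |
    while read -r local inode; do
        printf '%s inode=%s\n' "$(hex_to_addr "$local")" "$inode"
    done
}

# Find the process holding a socket inode: walk every /proc/PID/fd entry and
# compare the link target with "socket:[inode]". Prints "PID cmdline".
find_owner() {
    inode=$1
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "socket:[$inode]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# Tie the two together for the live system.
scan_listeners() {
    list_listeners | while read -r addr rest; do
        inode=${rest#inode=}
        owner=$(find_owner "$inode")
        printf '%s -> %s\n' "$addr" "${owner:-NO OWNER VISIBLE IN /proc (hidden process?)}"
    done
}

# Only scan the real /proc when explicitly asked, so the file can be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_listeners
fi
```

Run it as root with `sh findowner.sh --scan` and compare the result with what netstat -p on the same box claims; a listener that both tools attribute to the same PID is at least consistent, while a LISTEN socket with no visible owner, or a PID that netstat reports as "-" but /proc does attribute, points at tampered binaries or a hidden process. Either finding supports the reply's advice to stop trusting the running system and boot from known-good media before looking further.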

