Re: MD5 checksum changed
From: Tim Haynes (usenet-20040826_at_stirfried.vegetable.org.uk)
Date: 08/26/04
- Previous message: Sandro Mangovski: "Re: Dos attack"
- In reply to: Nils Juergens: "Re: MD5 checksum changed"
- Next in thread: Jonathan L Cunningham: "Re: MD5 checksum changed"
- Reply: Jonathan L Cunningham: "Re: MD5 checksum changed"
Date: Thu, 26 Aug 2004 10:05:12 +0100
Nils Juergens <ju@isf.rwth-aachen.de> writes:
> Jonathan L Cunningham wrote:
>> (Oh, I also used netstat -a, to see if anything obviously wrong there.
>> Since I'm not using a software firewall, I guess it would be much harder
>> for any cracker to hide *all* evidence, because they'd have to be
>> talking through existing services without breaking them.)
*Ahem*. If you had iptables on the machine, you could be restricting access
to the services running.
> This is not true. The function of a rootkit is to hide these things. If
> there is a rootkit it may have replaced the netstat binary with one that
> hides the process and socket the attacker is using.
Agreed.
While I have been known to spot a rootkit's presence by netstat(1) behaving
differently (complained about no `-p' option despite being on a RH6.2 box),
I would prefer to rely on an external scan of all ports from another box,
e.g. with nmap.
Note that this will generally not find a port-knocker daemon if that's how
the rootkit works.
~Tim
--
There can be only one! |piglet@stirfried.vegetable.org.uk
|http://pig.sty.nu/Pictures/