Re: MD5 checksum changed

From: Tim Haynes (
Date: 08/26/04

  • Next message: Tim Haynes: "Re: MD5 checksum changed"
    Date: Thu, 26 Aug 2004 10:05:12 +0100

    Nils Juergens <> writes:

    > Jonathan L Cunningham wrote:
    >> (Oh, I also used netstat -a, to see if anything obviously wrong there.
    >> Since I'm not using a software firewall, I guess it would be much harder
    >> for any cracker to hide *all* evidence, because they'd have to be
    >> talking through existing services without breaking them.)

    *Ahem*. If you had iptables on the machine, you could be restricting access
    to the services running.

    > This is not true. The function of a rootkit is to hide these things. If
    > there is a rootkit it may have replaced the netstat binary with one that
    > hides the process and socket the attacker is using.
    While I have been known to spot a rootkit's presence by netstat(1) behaving
    differently (complained about no `-p' option despite being on a RH6.2 box),
    I would prefer to rely on an external scan of all ports from another box,
    e.g. with nmap.
    Note that this will generally not find a port-knocker daemon if that's how
    the rootkit works.
    There can be only one!
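The check Tim describes, comparing what the host's own `netstat` claims against an external `nmap` scan from a second box, written out as an added example (it is not code from anyone in this thread). Both inputs are constructed sample output in the layout of `netstat -tln` and `nmap -oG`; the addresses and the port 65000 listener are made up for illustration. As the message notes, a knock-activated listener would not show up in the scan at all, so this only catches services that are always listening.

```python
"""Cross-check a host's self-reported listening sockets against an external
port scan, to spot a listener the host's own tools no longer show.

Added example for the discussion above; not code from any poster.
Inputs are constructed sample output in the format of `netstat -tln` and
`nmap -oG`; values are made up.
"""
import re

# Constructed: what the (possibly rootkitted) host reports about itself.
LOCAL_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Constructed: greppable nmap output for the same host, taken from another box.
# Port 65000 is the made-up hidden listener; 25 is reachable locally but
# filtered on the wire.
EXTERNAL_NMAP = """\
# Nmap scan initiated as: nmap -oG - -p 1-65535 192.0.2.10
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 25/filtered/tcp//smtp///, 65000/open/tcp/////\tIgnored State: closed (65531)
# Nmap run completed
"""

# nmap -oG port entry: port/state/protocol/owner/service/rpc_info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_netstat_listeners(text):
    """Return {(proto, port)} for TCP sockets in LISTEN state that are bound
    to a non-loopback address. Loopback-only listeners cannot be seen from
    outside by design, so they are left out of the comparison."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6"):
            continue
        local, state = fields[3], fields[5]
        if state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")
        if addr in ("127.0.0.1", "::1"):
            continue
        listeners.add(("tcp", int(port)))
    return listeners


def parse_nmap_grepable(text):
    """Return {(proto, port): state} from the Ports: field of nmap -oG lines."""
    result = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.search(r"Ports: ([^\t]*)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            pm = PORT_RE.match(entry.strip())
            if pm:
                port, state, proto = pm.groups()
                result[(proto, int(port))] = state
    return result


def cross_check(local_text, nmap_text):
    """Classify ports by whether the inside and outside views agree."""
    local = parse_netstat_listeners(local_text)
    external = parse_nmap_grepable(nmap_text)
    ext_open = {k for k, v in external.items() if v == "open"}
    return {
        # Open from outside but absent from the host's own listing: the
        # local tools may be lying (trojaned netstat, kernel module), so
        # this is the finding to investigate from known-good media.
        "hidden": sorted(ext_open - local),
        # Listening locally but not reachable: packet filtering (the
        # iptables point above) is doing its job, or the scan missed it.
        "filtered": sorted(local - ext_open),
        # Both views agree.
        "consistent": sorted(local & ext_open),
    }


if __name__ == "__main__":
    for label, ports in cross_check(LOCAL_NETSTAT, EXTERNAL_NMAP).items():
        print(f"{label:10s} {', '.join(f'{p}/{proto}' for proto, p in ports) or '-'}")
```

In practice the local listing would come from a binary you trust (rescue media or a statically linked copy), since the whole point of the comparison is that the host's own `netstat` may have been replaced; the script only does the bookkeeping once both views are in hand.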
