Re: MD5 checksum changed
From: Tim Haynes (usenet-20040826_at_stirfried.vegetable.org.uk)
Date: Thu, 26 Aug 2004 10:05:12 +0100
Nils Juergens <firstname.lastname@example.org> writes:
> Jonathan L Cunningham wrote:
>> (Oh, I also used netstat -a, to see if anything was obviously wrong there.
>> Since I'm not using a software firewall, I guess it would be much harder
>> for any cracker to hide *all* evidence, because they'd have to be
>> talking through existing services without breaking them.)
*Ahem*. If you had iptables on the machine, you could be restricting access
to the services running.
> This is not true. The function of a rootkit is to hide these things. If
> there is a rootkit it may have replaced the netstat binary with one that
> hides the process and socket the attacker is using.
While I have been known to spot a rootkit's presence by netstat(1) behaving
differently (complained about no `-p' option despite being on a RH6.2 box),
I would prefer to rely on an external scan of all ports from another box,
e.g. with nmap.
Note that this will generally not find a port-knocker daemon if that's how
the rootkit works.
--
There can be only one! |email@example.com |http://pig.sty.nu/Pictures/
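The external-versus-local comparison Tim describes, as an added example that is not part of the original thread: a POSIX shell script that takes nmap's greppable output (nmap -p- -oG, run from another box) and the suspect host's own netstat -ltn (or ss -ltn) listing, and reports TCP ports that answer from outside but are absent from the host's own view, plus the reverse list. Both inputs are constructed samples; the address 192.0.2.10 and the ports 22, 80, 3306 and 31337 are made up for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: compare what an external
# nmap scan sees against what the suspect host's own netstat reports.
# A port open from outside but missing locally points at a hidden listener
# or a trojaned netstat. All sample data below is constructed.

# Constructed: greppable output as written by
#   nmap -p- -oG scan.gnmap 192.0.2.10     (run from another box)
# The -oG fields are tab-separated, hence printf.
NMAP_SAMPLE=$(
  echo '# Nmap scan initiated (constructed sample)'
  printf '%s\t%s\t%s\n' 'Host: 192.0.2.10 ()' \
    'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///' \
    'Ignored State: closed (65532)'
  echo '# Nmap done'
)

# Constructed: "netstat -ltn" as run on the suspect host itself.
# Note 31337 is not listed, and 3306 is bound to loopback only.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN'

# Open TCP ports from nmap -oG output, one per line, numerically sorted.
# Each entry in the Ports field reads port/state/proto/owner/service/rpc/version/.
external_ports() {
    printf '%s\n' "$1" \
    | awk -F'\t' '/^Host:/ { for (i = 1; i <= NF; i++)
          if ($i ~ /^Ports: /) { sub(/^Ports: /, "", $i); print $i } }' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 + 0 }' \
    | sort -n
}

# Listening TCP ports from netstat -ltn or ss -ltn output. In both formats
# the local address is field 4 and the port follows the last colon.
local_ports() {
    printf '%s\n' "$1" \
    | awk '($1 ~ /^tcp/ && $NF == "LISTEN") || $1 == "LISTEN" {
          sub(/.*:/, "", $4); print $4 }' \
    | sort -n
}

# Set difference A \ B on newline-separated port lists. B is fed twice, so
# a port in both lists appears three times, a port only in B twice, and
# uniq -u keeps only the singletons: the ports found in A alone.
only_in_first() {
    printf '%s\n' "$1" "$2" "$2" | sort -n | uniq -u | sed '/^$/d'
}

# Ports answering from outside that the host itself does not list.
hidden_ports() {
    only_in_first "$(external_ports "$1")" "$(local_ports "$2")"
}

# Ports the host lists that are not reachable from outside: iptables
# filtering, or a loopback-only binding such as 127.0.0.1:3306 above.
unreachable_ports() {
    only_in_first "$(local_ports "$2")" "$(external_ports "$1")"
}

echo 'Open from outside, not listed locally (suspicious):'
hidden_ports "$NMAP_SAMPLE" "$NETSTAT_SAMPLE"
echo 'Listed locally, not open from outside (filtered or loopback-bound):'
unreachable_ports "$NMAP_SAMPLE" "$NETSTAT_SAMPLE"
```

In real use, replace the two sample variables with the contents of the scan file and the host's netstat output (captured with a known-good static binary if netstat itself is suspect). A hit in the first list is strong evidence of a hidden listener or a replaced netstat; an empty first list proves little, since, as Tim notes, a port-knocking daemon opens nothing until it is signalled, and this check also covers neither UDP nor listeners bound to loopback only. The second list is what the iptables remark at the top of the post is about: services that exist locally but that outside hosts cannot reach.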