Re: MD5 checksum changed

From: Tim Haynes (usenet-20040826_at_stirfried.vegetable.org.uk)
Date: 08/26/04

  • Next message: Tim Haynes: "Re: MD5 checksum changed"
    Date: Thu, 26 Aug 2004 10:05:12 +0100

    Nils Juergens <ju@isf.rwth-aachen.de> writes:

    > Jonathan L Cunningham wrote:
    >> (Oh, I also used netstat -a, to see if anything was obviously wrong there.
    >> Since I'm not using a software firewall, I guess it would be much harder
    >> for any cracker to hide *all* evidence, because they'd have to be
    >> talking through existing services without breaking them.)

    *Ahem*. If you had iptables on the machine, you could be restricting access
    to the services running.

    > This is not true. The function of a rootkit is to hide these things. If
    > there is a rootkit it may have replaced the netstat binary with one that
    > hides the process and socket the attacker is using.

    Agreed.

    While I have been known to spot a rootkit's presence by netstat(1) behaving
    differently (complained about no `-p' option despite being on a RH6.2 box),
    I would prefer to rely on an external scan of all ports from another box,
    e.g. with nmap.
    Note that this will generally not find a port-knocker daemon if that's how
    the rootkit works.

    ~Tim

    -- 
    There can be only one!                      |piglet@stirfried.vegetable.org.uk
                                                |http://pig.sty.nu/Pictures/
    

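One way to carry out the cross-check Tim describes, as an added example that is not part of the original thread: the host's own socket table (read straight from /proc/net/tcp rather than through a possibly replaced netstat binary) is compared against the port list an nmap run from another box returned. Both inputs are constructed samples; the hidden listener on 31337 and the scan result are invented for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not a capture from a real host):
# sshd on 0.0.0.0:22, an MTA bound to 127.0.0.1:25, httpd on 0.0.0.0:80, plus
# one ESTABLISHED ssh session that must not be counted as a listener.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0 100 0 0 10 0
   3: 0A000002:0016 0A000001:C3F2 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0 20 4 30 10 -1
"""

# Constructed result of an nmap scan of the same host from another box.
EXTERNAL_OPEN = {22, 31337}

LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def listening_ports(proc_net_tcp):
    """Map port -> bound IP for every LISTEN socket in a /proc/net/tcp dump.
    Reading the kernel table sidesteps a replaced netstat binary, though a
    kernel-level rootkit can still filter what /proc shows."""
    result = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # IPv4 address is a 32-bit hex word in host order (little-endian on x86)
        ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
        result[int(port_hex, 16)] = ip
    return result

def compare_views(local_ports, external_open):
    """Return (hidden, filtered) as sorted port lists:
    hidden   - open from outside but absent from the host's own table
    filtered - listening on a non-loopback address yet unreachable from
               outside (iptables at work, or the scan missed it)
    A port-knocker daemon appears in neither view until it is knocked."""
    reachable = {p for p, ip in local_ports.items() if not ip.startswith("127.")}
    hidden = sorted(set(external_open) - set(local_ports))
    filtered = sorted(reachable - set(external_open))
    return hidden, filtered

if __name__ == "__main__":
    hidden, filtered = compare_views(listening_ports(PROC_NET_TCP), EXTERNAL_OPEN)
    print("open externally, missing from host table:", hidden)   # [31337]
    print("listening on host, not reachable from outside:", filtered)  # [80]
```

On a live Linux host the first argument would be the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6), and the second the open-port list from an nmap run elsewhere.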