[CLUE-Tech] root kit checker
Dan Harris
dan at drivefaster.net
Thu May 6 10:39:22 MDT 2004
Mike Staver wrote:
> Hello everybody - I need help trying to determine what's going on with a
> linux box of mine. I have ntop running, and it's showing that this box
> is sending about 10 megs of tcp traffic an hour to an ip:
>
> 65.54.164.101
>
It's quite possible that the rootkit has overwritten all the important
binaries on the box and that the infected system is sending data out on
a common port so you might not see any "oddball" ports open at all. A
common thing would be xdcc, used for "warez" distributors.
One thing to check before reinstalling the system, which I almost always
recommend, is to try 'netstat -tap'. This will show all the ports that
are listening and which pid is bound to that port. I've seen rootkits
that overwrote netstat but overwrote it with a version of netstat that
didn't support the 'p' flag. This was a clue that it had been
compromised. If it does still support it, maybe you can tell which
processes are listening, kill each pid one by one until your traffic
dies off and investigate further.
-Dan
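An added example, not part of Dan's message or anything from the list: a Python script that reads the kernel's own socket table in /proc/net/tcp and walks /proc/*/fd for the owning pid, so the "what is listening and who owns it" check in the message does not depend on a netstat binary a rootkit may have replaced. The /proc lines and the netstat output below are constructed samples (the remote address reuses the IP from Mike's post).

```python
"""Cross-check listening TCP sockets against /proc instead of trusting netstat."""
import os
import re

# Constructed sample of /proc/net/tcp (not captured from the poster's box).
# st 0A = LISTEN, 01 = ESTABLISHED; addresses are little-endian hex IPv4:port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 0100007F:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0500000A:C3A2 65A43641:1A0B 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 20 4 30 10 -1
"""

def parse_addr(hexaddr):
    """'0100007F:1A0B' -> ('127.0.0.1', 6667); /proc stores IPv4 little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket line with local/remote endpoints, state and inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the column header
        f = line.split()
        if len(f) < 10:
            continue
        sockets.append({"local": parse_addr(f[1]), "remote": parse_addr(f[2]),
                        "state": f[3], "inode": int(f[9])})
    return sockets

def listening_ports(sockets):
    """Ports in LISTEN state according to the kernel, sorted."""
    return sorted(s["local"][1] for s in sockets if s["state"] == "0A")

def inode_to_pid(inode, proc="/proc"):
    """Find the pid holding socket:[inode] by reading fd symlinks; None if unowned."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target for fd in os.listdir(fd_dir)):
                return int(pid)
        except OSError:  # process exited or not ours to read
            continue
    return None

def netstat_hidden_ports(netstat_output, sockets):
    """Ports the kernel says are listening but 'netstat -tap' omits: a tampered netstat."""
    shown = {int(p) for p in re.findall(r":(\d+)\s+\S+\s+LISTEN", netstat_output)}
    return [p for p in listening_ports(sockets) if p not in shown]

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:
        live = parse_proc_net_tcp(fh.read())
    for s in live:
        if s["state"] == "0A":
            print("LISTEN %s:%d pid=%s" % (*s["local"], inode_to_pid(s["inode"])))
```

Run it as root so the fd symlinks of every process are readable; a port that appears here but not in netstat's output is the discrepancy Dan describes.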