[CLUE-Tech] root kit checker

Jim Ockers ockers at ockers.net
Thu May 6 10:40:02 MDT 2004


Mike:

netstat -tupan will show what process has sockets open.  If it is
sending UDP packets then that might not show it.  However lsof -n
will show all processes with sockets open.

If you have ethereal and your Internet connection is ethernet you
can probably watch the packets that are leaving your box using
ethereal.  This will depend on your configuration.

Hope this helps,
Jim

PS That IP address is in a Microsoft/MSN IP address block,
according to ARIN WHOIS.

Mike Staver wrote:
> 
> Hello everybody - I need help trying to determine what's going on with a 
> linux box of mine.  I have ntop running, and it's showing that this box 
> is sending about 10 megs of tcp traffic an hour to an ip:
> 
> 65.54.164.101
> 
> The reverse dns on this is wrong I think, it claims it's part of 
> msn.com, which I find hard to believe since it has no forward dns 
> pointer record assigned to it.  Anyhoo, I have run ps -auwx and I do not 
> see any programs running that shouldn't be - and I ran nmap against the 
> box looking for odd ball open ports, and that didn't show anything 
> either.  Tcpdump keeps showing:
> 
> 10:23:08.950296 msnbot64101.search.msn.com.33839
> 
> What's a good tool that will show me what process is spewing traffic to 
> this ip?
> -- 
> 
>                                  -Mike Staver
>                                   staver at fimble.com
>                                   mstaver at globaltaxnetwork.com
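The tools Jim names (netstat -tupan, lsof -n) read the kernel's socket tables in /proc/net/tcp and /proc/net/udp and then map each socket's inode to the /proc/PID/fd links that point at it. The script below is an added example, not something either poster supplied, that does the same join directly so the answer does not depend on a netstat or lsof binary that might itself be trojaned on a box under suspicion. It assumes Linux with a little-endian kernel (x86) for the byte order of addresses in /proc/net/*, and the sample table inside it is constructed, not captured from a real host; the 65.54.164.101 address is the one from Mike's post.

```python
"""Map sockets talking to a given remote IP back to the owning PIDs.

Added example, not from the thread. Reads the same kernel tables netstat
and lsof use (/proc/net/tcp, /proc/net/udp, /proc/<pid>/fd). Linux only;
assumes a little-endian kernel for the address byte order.
"""
import os
import re
import socket
import struct
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/tcp (not real output). The peer
# 65A43641:0050 decodes to 65.54.164.101:80 on a little-endian host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0F02000A:C35A 65A43641:0050 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1
   2: 0F02000A:C35B 65A43641:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 67891 1
"""


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """Turn '65A43641:0050' into ('65.54.164.101', 80).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    little-endian machines the bytes appear reversed; the port is plain hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def sockets_to(table_text: str, remote_ip: str) -> List[Dict[str, object]]:
    """Return rows of a /proc/net/{tcp,udp} table whose peer is remote_ip."""
    matches = []
    for line in table_text.splitlines()[1:]:  # first row is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_addr(fields[1])
        rem_ip, rem_port = decode_addr(fields[2])
        if rem_ip != remote_ip:
            continue
        matches.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{rem_ip}:{rem_port}",
            "state": fields[3],      # 01 = ESTABLISHED, 0A = LISTEN, 06 = TIME_WAIT
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return matches


def inode_owners(proc_root: str = "/proc") -> Dict[int, List[int]]:
    """Map socket inode numbers to the PIDs holding them open (what lsof does).

    Run as root: /proc/<pid>/fd of other users' processes is not readable
    otherwise, and the socket would show up with no owner.
    """
    owners: Dict[int, List[int]] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # permission denied, or the process already exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.match(r"socket:\[(\d+)\]", target)
            if m:
                owners.setdefault(int(m.group(1)), []).append(int(pid))
    return owners


def find_talkers(remote_ip: str, proc_root: str = "/proc") -> List[Dict[str, object]]:
    """Live check: join the socket tables with fd links for every socket to remote_ip.

    An empty "pids" list means either no permission to read the owner's fd
    directory or a socket with no owner (TIME_WAIT), which is why a burst of
    short UDP sends can be invisible here, as Jim notes.
    """
    results = []
    owners = inode_owners(proc_root)
    for table in ("tcp", "udp"):
        with open(os.path.join(proc_root, "net", table)) as fh:
            for entry in sockets_to(fh.read(), remote_ip):
                entry["proto"] = table
                entry["pids"] = owners.get(entry["inode"], [])
                results.append(entry)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "65.54.164.101"
    for e in find_talkers(target):
        pids = ",".join(str(p) for p in e["pids"]) or "(no owner found; run as root?)"
        print(f"{e['proto']} {e['local']} -> {e['remote']} uid={e['uid']} pid={pids}")
```

Run it as root with the suspect IP as the argument and it prints one line per socket with the PIDs behind it; from there /proc/PID/exe and /proc/PID/cmdline tell you what the binary is. Like netstat, it only sees sockets that exist at the moment it runs, so a process that opens a UDP socket, sends and closes it will slip past; catching that case needs the packet-capture approach Jim suggests, or repeated sampling.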
