[clue-tech] rootkit detection
Dan Harris
dan at drivefaster.net
Tue Nov 1 11:34:06 MST 2005
On Nov 1, 2005, at 6:36 AM, Bruce Ediger wrote:
> On Tue, 1 Nov 2005, Jeff Cann wrote:
>
>> I used rkhunter which showed no problems.
>
> Just keep an eye on that machine. Rootkits tend to make "ls" and "ps"
> act funny. The rootkit I found wouldn't show files with "01" in the
> names. Recompile "ls" and "ps" from scratch, see if they agree
> with the stock "ls" and "ps" output.
>
I would add to that an invaluable command:
netstat -tap
This shows you all network connections and which port and pid each
is associated with. I have detected malicious programs by first noticing
any unusual activity on the ports. For some reason, all the rootkits
I've seen have not replaced netstat with a version that lies to you,
although ps and ls are usually the first to be overwritten.
-Dan
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech
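The cross-check Bruce and Dan describe (a trojaned ps that lies, while the kernel's /proc and netstat -tap still report the real PIDs) as a script. This is an added example, not code from the thread; it assumes a Linux host with procps ps and net-tools netstat, and only touches the live system when invoked with --live.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the process list that the
# userland "ps" reports against the kernel's own view in /proc, and against
# the PIDs that "netstat -tap" attaches to TCP sockets. A PID that /proc or
# netstat knows about but "ps" does not is worth a closer look, since a
# trojaned "ps" hides processes while /proc still exposes them.

# pids_missing "LIST_A" "LIST_B": print, one per line, the PIDs that occur in
# LIST_A but not in LIST_B. Lists are PIDs separated by spaces or newlines.
pids_missing() {
    b=" $(printf '%s\n' $2 | tr '\n' ' ') "
    for p in $1; do
        case "$b" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# pids_common "LIST_A" "LIST_B": print the PIDs that occur in both lists.
pids_common() {
    b=" $(printf '%s\n' $2 | tr '\n' ' ') "
    for p in $1; do
        case "$b" in
            *" $p "*) printf '%s\n' "$p" ;;
        esac
    done
}

# The three views being compared (assumed: Linux /proc, procps ps, net-tools
# netstat). The last netstat column is "PID/Program name" or "-".
proc_pids()    { ls /proc | grep -E '^[0-9]+$'; }
ps_pids()      { ps -eo pid=; }
netstat_pids() { netstat -tap 2>/dev/null | awk '{print $NF}' | grep -oE '^[0-9]+'; }

# hidden_pids: PIDs seen by /proc or netstat but not by ps. A process that
# exits between two snapshots looks like a hidden one, so sample twice one
# second apart and report only the PIDs flagged both times.
hidden_pids() {
    first=$(pids_missing "$(proc_pids) $(netstat_pids)" "$(ps_pids)")
    sleep 1
    second=$(pids_missing "$(proc_pids) $(netstat_pids)" "$(ps_pids)")
    pids_common "$first" "$second" | sort -un
}

if [ "${1:-}" = "--live" ]; then
    echo "PIDs visible to /proc or netstat but hidden from ps:"
    hidden_pids
fi
```

Anything it prints should be inspected by hand (for example /proc/PID/exe and /proc/PID/cmdline), since a recompiled ps from clean sources, as Bruce suggests, is still the better reference than any tool already on the box.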