[clue-tech] rootkit detection

Jim Ockers ockers at ockers.net
Tue Nov 1 13:21:14 MST 2005


Hi Jeff,

Another invaluable command is lsof -n which lists all open filehandles
including network sockets and even listeners.

Even if netstat is lying to you lsof might tell the truth, unless of
course the rootkit disabled lsof.

Not sure if that's available for unixes other than Linux.

Hope this helps,
Jim

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/

Dan Harris wrote:
> 
> 
> On Nov 1, 2005, at 6:36 AM, Bruce Ediger wrote:
> 
> > On Tue, 1 Nov 2005, Jeff Cann wrote:
> >
> >
> >> I used rkhunter which showed no problems.
> >
> > Just keep an eye on that machine.  Rootkits tend to make "ls" and "ps"
> > act funny.  The rootkit I found wouldn't show files with "01" in the
> > names.  Recompile "ls" and "ps" from scratch, see if they agree
> > with the stock "ls" and "ps" output.
> >
> 
> I would add to that an invaluable command:
> 
> netstat -tap
> 
> This shows you all network connections and to which port and pid they
> are associated. I have detected malicious programs by first noticing
> any unusual activity on the ports.  For some reason, all the rootkits
> I've seen have not replaced netstat with a version that lies to you,
> although ps and ls are usually the first to be overwritten.
> 
> -Dan
> 
> _______________________________________________
> CLUE-tech mailing list
> CLUE-tech at cluedenver.org
> http://cluedenver.org/mailman/listinfo/clue-tech
> 
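Added example, not written by anyone in this thread: a POSIX sh cross-check in the spirit of Bruce's "see if they agree" test, but using the kernel's /proc view as the independent reference instead of a recompiled ps. A PID present in /proc that ps omits points at a trojaned userland ps (a kernel-level rootkit can hide both, so agreement here proves nothing). Function names and the parameterised /proc path are choices made here so the check can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Cross-check the process list: PIDs visible under /proc (kernel view)
# versus PIDs reported by ps (userland view). Both lists are sorted in
# C locale so that comm(1) can compare them.

# pids_from_proc DIR: numeric directory entries under a /proc-like tree.
# DIR is a parameter (normally /proc) so the check can run on a sample tree.
pids_from_proc() {
    ls "$1" | grep -E '^[0-9]+$' | LC_ALL=C sort
}

# pids_from_ps: normalise "ps -eo pid=" output read from stdin.
pids_from_ps() {
    tr -d ' ' | grep -E '^[0-9]+$' | LC_ALL=C sort
}

# hidden_pids PROC_FILE PS_FILE: PIDs in the first list absent from the second.
# An empty result means the two views agree.
hidden_pids() {
    LC_ALL=C comm -23 "$1" "$2"
}

# check_live: run the comparison against the real system and print any PID
# that /proc knows about but ps does not. Processes that start or exit
# between the two snapshots can produce one-off false positives; rerun to
# confirm before treating a PID as hidden.
check_live() {
    proc_list=$(mktemp) && ps_list=$(mktemp) || return 1
    pids_from_proc /proc > "$proc_list"
    ps -eo pid= | pids_from_ps > "$ps_list"
    hidden_pids "$proc_list" "$ps_list"
    rm -f "$proc_list" "$ps_list"
}
```

Run `check_live` as root on the suspect host; any PID it prints should then be inspected directly via /proc/PID/exe and /proc/PID/cmdline rather than through ps.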
