[clue-tech] rootkit detection
Nate Duehr
nate at natetech.com
Tue Nov 1 16:47:47 MST 2005
Jim Ockers wrote:
>Hi Jeff,
>
>Another invaluable command is lsof -n which lists all open filehandles
>including network sockets and even listeners.
>
>Even if netstat is lying to you lsof might tell the truth, unless of
>course the rootkit disabled lsof.
>
>Not sure if that's available for unixes other than Linux.
>
>Hope this helps,
>Jim
Another thing to remind anyone doing this stuff where they think the
machine has been compromised is that ANY of these binaries for these
commands could easily have been replaced with trojan horse versions.
It's best to run these from known-good media... preferably read-only
like a Knoppix CD or similar. Knoppix might be a bad example since it
now uses the Unison filesystem and things can be "virtually overwritten"
in RAM. Best to use a CD that doesn't have that "feature" for security
analysis.
Nate
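One way to act on Jim's point that lsof may still tell the truth when netstat is lying: cross-check the listening ports the two tools report and flag any port one of them omits. This is an added example and not from the thread; the netstat and lsof outputs below are constructed samples so the check runs offline, and on a real host you would feed it the live output of both tools run from binaries on the read-only media Nate describes (for example an assumed mount point such as /cdrom/bin/lsof).

```shell
#!/bin/sh
# Added example: compare listening TCP ports seen by netstat and by lsof -n.
# A port that only one tool reports is a discrepancy worth investigating on a
# box suspected of being rootkitted. The outputs are constructed samples here;
# on a real host run both tools from known-good media, e.g. /cdrom/bin/lsof
# (assumed path), and pass their output in.

# Constructed sample of `netstat -tln` output.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output; the last
# line is a listener that the (hypothetically trojaned) netstat hid.
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
master    900 root   13u  IPv4  12399      0t0  TCP 127.0.0.1:25 (LISTEN)
unknown  4242 root    4u  IPv4  13111      0t0  TCP *:31337 (LISTEN)'

# Listening port numbers from netstat output, one per line, sorted, no dupes.
netstat_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# Listening port numbers from lsof output, one per line, sorted, no dupes.
lsof_ports() {
    printf '%s\n' "$1" | awk '/\(LISTEN\)/ { n = split($(NF-1), a, ":"); print a[n] }' | sort -n | uniq
}

# Print "lsof-only:PORT" / "netstat-only:PORT" for each port the tools disagree on.
port_discrepancies() {
    np=$(netstat_ports "$1")
    lp=$(lsof_ports "$2")
    for p in $lp; do
        printf '%s\n' "$np" | grep -qx "$p" || echo "lsof-only:$p"
    done
    for p in $np; do
        printf '%s\n' "$lp" | grep -qx "$p" || echo "netstat-only:$p"
    done
}

port_discrepancies "$NETSTAT_SAMPLE" "$LSOF_SAMPLE"
```

An empty result means both tools agree, which is not proof of a clean box (a kernel-level rootkit can hide from both), only that the two userland views are consistent.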
_______________________________________________
CLUE-tech mailing list
CLUE-tech at cluedenver.org
http://cluedenver.org/mailman/listinfo/clue-tech