security issue help

Jacques B. jjrboucher at gmail.com
Wed Sep 13 22:11:18 UTC 2006


On 9/13/06, Jacques B. <jjrboucher at gmail.com> wrote:
> Do a netstat -an to see what ports are listening.  Typical IRC traffic
> is TCP ports 6667, 6668, 6669.  If you see listening on one of those
> ports yet are not running IRC, good indicator.  Botnets can run on
> alternate ports in the meantime so even if you don't see listening on
> those ports, it doesn't mean you are in the clear.  You can also check
> running processes (ps -aux) to look for any suspicious processes.
> The top command can also be of assistance in seeing what processes are
> running.  ntop (see http://www.ntop.org/) is another tool you could
> use to examine network traffic.  And running wireshark (formerly
> ethereal) to capture traffic to attempt to identify suspicious network
> activity.  You can install wireshark from extras I believe, as well as
> wireshark-gnome (actually if you yum install wireshark-gnome,
> wireshark should get installed as a dependency).
>
> Of course the check rootkit tool is another one that can be very helpful.
>
> Good luck,
>
> Jacques B.
>
>

Before people jump on me for top posting on that last one, it was not intended.

You can also try checking your arp table using the arp command.  That
would show you IPs & MAC address (arp = address resolution protocol)
that would normally only get populated if your system connected to
that IP (arp poisoning could populate it also).

Jacques B.
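As an added illustration of the netstat step in the quoted post (not code from the list or its author), the POSIX shell function below scans `netstat -an` style output for sockets on the IRC ports named there. It goes slightly beyond the post by also reporting established connections to those ports on a remote host, since a bot typically connects out rather than listening; the netstat output used for the demo is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Common IRC ports from the post; a bot on an alternate port will not be caught by this.
IRC_PORTS="6667 6668 6669"

# irc_sockets: read netstat -an output on stdin and print one line per hit:
#   "LISTEN <local>"              a local socket listening on an IRC port
#   "OUTBOUND <local> -> <remote>" an established connection to an IRC port elsewhere
irc_sockets() {
    awk -v ports="$IRC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ {
            # port is whatever follows the last ":" of the address (works for IPv6 too)
            lport = $4; sub(/.*:/, "", lport)
            rport = $5; sub(/.*:/, "", rport)
            if ($NF == "LISTEN" && (lport in want))
                print "LISTEN " $4
            else if ($NF == "ESTABLISHED" && (rport in want))
                print "OUTBOUND " $4 " -> " $5
        }'
}

# Constructed sample: sshd on 22 (benign), an unexpected listener on 6667,
# and an outbound connection to a remote 6667.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:45210       10.0.0.3:6667           ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# On a live system the call is simply:  netstat -an | irc_sockets
# Run with --demo to see the function applied to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | irc_sockets
fi
```

Any hit is only an indicator, as the post says: confirm with `ps` or `top` which process owns the socket before drawing conclusions.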




More information about the fedora-list mailing list