Box Cracked ( Was: thank's )
Jacques B.
jjrboucher at gmail.com
Sat Oct 20 15:13:13 UTC 2007
On 10/20/07, Les Mikesell <lesmikesell at gmail.com> wrote:
> Manuel Arostegui Ramirez wrote:
>
> >> hi, well...i suspect that my box is sort of cracked. I'd like to know if
> >> anyone can identify anything odd/remarkable reading hte netstat -p output.
> >> Thank you very much.
> >
> > What does netstat -putan | grep -i listen show?
> > What about /var/log/secure ?
> >
>
> Note that if the box has been cracked with a typical rootkit, the
> netstat program (and ps, ls, etc.) will have been replaced with versions
> that don't show what is really going on.
>
> --
> Les Mikesell
> lesmikesell at gmail.com
>
I don't know if a rootkit would be able to interfere with the output
of the trusted binary or not. By that I mean I don't know if a
compromised kernel would be able to do that. Obviously if all that is
compromised are some of the binaries then yes running a trusted binary
would behave properly. In such a case the solution is to go grab a
trusted binary of those commands and run them (i.e. ./netstat) from
the CD or thumb drive on which they reside.
And scanning for the rootkit should be done from a bootable CD.
Obviously doing the netstat from a bootable CD will serve no purpose
to identify a rootkit unless you executed a suspect binary off the
system after booting from the CD and then checking to see if it opened
up a port.
Jacques B.
More information about the fedora-list
mailing list