On 10/20/07, Les Mikesell <lesmikesell@xxxxxxxxx> wrote:
> Manuel Arostegui Ramirez wrote:
>
> >> hi, well...i suspect that my box is sort of cracked. I'd like to know if
> >> anyone can identify anything odd/remarkable reading the netstat -p output.
> >> Thank you very much.
> >
> > What does netstat -putan | grep -i listen show?
> > What about /var/log/secure ?
> >
>
> Note that if the box has been cracked with a typical rootkit, the
> netstat program (and ps, ls, etc.) will have been replaced with versions
> that don't show what is really going on.
>
> --
> Les Mikesell
> lesmikesell@xxxxxxxxx
>

I don't know if a rootkit would be able to interfere with the output of the trusted binary or not. By that I mean I don't know if a compromised kernel would be able to do that. Obviously, if all that is compromised are some of the binaries, then yes, running a trusted binary would behave properly. In such a case the solution is to go grab a trusted binary of those commands and run them (i.e. ./netstat) from the CD or thumb drive on which they reside. And scanning for the rootkit should be done from a bootable CD. Obviously, doing the netstat from a bootable CD will serve no purpose to identify a rootkit unless you executed a suspect binary off the system after booting from the CD and then checked to see if it opened up a port.

Jacques B.
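One concrete way to act on the distinction drawn in this thread (replaced userland binaries versus a compromised kernel) is to compare what the kernel itself publishes in /proc/net/tcp with what the installed netstat reports. A trojaned netstat can filter its own listener out of its output, but it cannot change what the kernel writes into /proc; only a kernel-level rootkit can do that. The script below is an added example, not code from anyone in this thread. It assumes net-tools style `netstat -putan` output, the sample /proc and netstat text is constructed for illustration, and the listener on port 31337 is a constructed placeholder for whatever a replaced binary would hide. An optional argument lets you point it at a known-good netstat copied from a CD or thumb drive, so that copy's output can be checked against the kernel the same way.

```python
#!/usr/bin/env python3
"""Cross-check listening TCP sockets: the kernel's /proc/net/tcp view against
what a netstat binary reports.  Anything the kernel lists as LISTEN that the
netstat output lacks is a candidate hidden listener (or a replaced netstat)."""
import socket
import subprocess
import sys

TCP_LISTEN = 0x0A  # state code the kernel uses for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: sshd on 0.0.0.0:22, mysqld on
# 127.0.0.1:3306, one ESTABLISHED connection, and a constructed extra listener
# on 0.0.0.0:31337 standing in for what a trojaned netstat would hide.
SAMPLE_PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:B7C4 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 20 4 30 10 -1
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample of `netstat -putan` output from a netstat that omits the
# port-31337 listener; the PIDs and program names are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp        0      0 127.0.0.1:22            127.0.0.1:47044         ESTABLISHED 1203/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
"""


def parse_proc_tcp(text, ipv6=False):
    """Return the set of (ip, port) LISTEN sockets in /proc/net/tcp{,6} text."""
    family = socket.AF_INET6 if ipv6 else socket.AF_INET
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the slot number followed by a colon ("0:");
        # the header row starts with "sl".
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        raw = bytes.fromhex(hex_ip)
        if ipv6:
            # IPv6 is written as four little-endian 32-bit words
            packed = b"".join(raw[i:i + 4][::-1] for i in range(0, 16, 4))
        else:
            # IPv4 is written as one little-endian 32-bit word
            packed = raw[::-1]
        listeners.add((socket.inet_ntop(family, packed), int(hex_port, 16)))
    return listeners


def parse_netstat(text):
    """Return the set of (ip, port) LISTEN sockets from `netstat -putan` output."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("tcp") or "LISTEN" not in fields:
            continue
        ip, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 "::" intact
        listeners.add((ip, int(port)))
    return listeners


def hidden_listeners(proc_listeners, netstat_listeners):
    """Listeners the kernel knows about that netstat did not report."""
    return sorted(proc_listeners - netstat_listeners)


def live_proc_listeners():
    """Read the real /proc/net/tcp and /proc/net/tcp6 (Linux only)."""
    found = set()
    for path, ipv6 in (("/proc/net/tcp", False), ("/proc/net/tcp6", True)):
        try:
            with open(path) as fh:
                found |= parse_proc_tcp(fh.read(), ipv6)
        except OSError:
            pass  # not Linux, or /proc not mounted
    return found


if __name__ == "__main__":
    # Optional argument: path to a trusted netstat (e.g. ./netstat on a CD).
    netstat_bin = sys.argv[1] if len(sys.argv) > 1 else "netstat"
    out = subprocess.run([netstat_bin, "-putan"], capture_output=True, text=True).stdout
    for ip, port in hidden_listeners(live_proc_listeners(), parse_netstat(out)):
        print(f"{ip}:{port} is LISTEN in /proc/net/tcp but missing from {netstat_bin} output")
```

This only catches the userland case: if the kernel is the thing that was replaced, /proc/net/tcp is as untrustworthy as the binary, which is the point Jacques raises and why a boot from known-good media is still the way to examine the disk itself.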