On Mon, Mar 31, 2003 at 10:29:48AM +1000, Paul Hampson wrote:
> > If lsof is found on the system
> > /usr/lib/tiger/systems/Linux/2/check_listeningprocs uses the
> > command:
> >
> > $LSOF -nPi | $GREP "IPv" | $GREP -v "\->" | $AWK '{printf("%s %s %s %s\n", $1, $3, $7, $8)}' | $SORT | $UNIQ |
> >
> > It seems that it should `grep LISTEN` as well.

No. See below.

> >
> > Comments?
>
> I would guess that only TCP sockets get 'LISTEN' but I don't
> know the output of lsof to confirm this.
>

Precisely. TCP sockets get 'LISTEN', UDP sockets don't; try starting a udp
service (echo, chargen are fine) and check lsof's output. Tiger's initial
version did "grep LISTEN" instead of the "grep -v \"->\"" (to remove
ESTABLISHED connections) but it would not detect UDP trojans that way.

Regards

Javi
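The difference between the two filters discussed in this message, shown over constructed lsof output. This is an added example, not part of the original message or of Tiger's code; the function names and sample lines are assumptions, and the sample is laid out so that awk sees the protocol as $7 and the address as $8.

```shell
#!/bin/sh
# Constructed sample of `lsof -nPi` output (not captured from a real host).
# Assumption: the SIZE column is empty for sockets, so awk sees the protocol
# as $7 and the address as $8, as the pipeline quoted in the thread expects.
sample_lsof() {
cat <<'EOF'
COMMAND  PID USER FD  TYPE DEVICE SIZE NODE NAME
sshd     612 root 3u  IPv4 1234        TCP *:22 (LISTEN)
sshd     901 root 4u  IPv4 2345        TCP 192.0.2.10:22->192.0.2.50:51514 (ESTABLISHED)
inetd    433 root 5u  IPv4 3456        UDP *:7
inetd    433 root 6u  IPv4 3457        UDP *:19
EOF
}

# Shared tail of the pipeline: command, user, protocol, address.
summarize() {
    awk '{printf("%s %s %s %s\n", $1, $3, $7, $8)}' | sort | uniq
}

# Variant proposed in the thread: keep only lines marked LISTEN.
filter_listen() {
    sample_lsof | grep "IPv" | grep "LISTEN" | summarize
}

# Variant described in the reply: drop connected sockets (lines with "->").
# -e stops grep from reading the pattern's leading "-" as an option.
filter_not_connected() {
    sample_lsof | grep "IPv" | grep -v -e "->" | summarize
}

# Sockets the second filter reports that the LISTEN filter never shows.
missed_by_listen() {
    tmp_a=$(mktemp)
    tmp_b=$(mktemp)
    filter_listen > "$tmp_a"
    filter_not_connected > "$tmp_b"
    comm -13 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

echo "grep LISTEN:";        filter_listen
echo "grep -v '->':";       filter_not_connected
echo "missed by LISTEN:";   missed_by_listen
```

UDP sockets carry no state column in lsof output, so any check keyed on LISTEN leaves the two inetd UDP services out of the report.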