"All compromised systems talk to the Internet to dump data or route spam."

yup, this is 1000% true and utterly foolproof.

On Mon, Jul 16, 2012 at 2:48 PM, Gary Baribault <g...@baribault.net> wrote:
> I suggest one of the first answers was the good one: intercept the traffic
> routed to the internet with TCPDump. Filter out the normal traffic and see
> what's left. All compromised systems talk to the Internet to dump data or
> route spam. Be patient, some systems talk all the time, some once an hour...
> but you will find some unexplained traffic. Once you do find that you're
> infected, don't bother cleaning up the system, format and restore the data!
>
> Gary Baribault
> E-mail: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 07/16/2012 09:40 AM, valdis.kletni...@vt.edu wrote:
> > On Sat, 14 Jul 2012 12:46:50 -0000, "Ali Varshovi" said:
> > > Most of the materials I've seen are more aligned to malware and rootkit
> > > detection which is not the only concern apparently.
> >
> > It's hard to say what else to check without knowing what other concerns
> > you're checking for, and what data sources are available (I'm thinking about
> > auditd and friends, but there's other data sources as well).
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
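The procedure Gary Baribault describes above (capture the traffic leaving for the Internet with tcpdump, filter out the normal traffic, look at what is left) as an added worked example. This is not code from anyone in the thread. It works on the text output of `tcpdump -n -tttt` rather than on a live interface, so it runs offline; the capture lines are constructed, and `KNOWN_GOOD` is a hypothetical baseline of expected destinations that in practice would be built from a capture taken while the host was believed clean. What is left after filtering is grouped per remote endpoint with the median gap between packets, so a host that checks in once an hour shows up as a small number of packets at a steady interval rather than being lost among chatty traffic.

```python
"""Baseline-filter tcpdump text output and report the unexplained remainder.

Added example, not part of the thread. SAMPLE_CAPTURE is constructed in
`tcpdump -n -tttt` text format and KNOWN_GOOD is a hypothetical baseline.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not a real capture). TEST-NET addresses stand in for
# Internet hosts; 192.168.1.1 is a local gateway that should be filtered out.
SAMPLE_CAPTURE = """\
2012-07-16 09:00:01.000000 IP 192.168.1.20.51000 > 8.8.8.8.53: UDP, length 40
2012-07-16 09:00:01.100000 IP 192.168.1.20.51001 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
2012-07-16 09:00:05.000000 IP 192.168.1.20.51002 > 198.51.100.77.8080: Flags [S], seq 2, win 65535, length 0
2012-07-16 10:00:05.000000 IP 192.168.1.20.51003 > 198.51.100.77.8080: Flags [S], seq 3, win 65535, length 0
2012-07-16 11:00:05.000000 IP 192.168.1.20.51004 > 198.51.100.77.8080: Flags [S], seq 4, win 65535, length 0
2012-07-16 11:00:06.000000 IP 192.168.1.20.51005 > 192.168.1.1.22: Flags [S], seq 5, win 65535, length 0
2012-07-16 11:00:07.000000 IP 192.168.1.20.51006 > 203.0.113.9.25: Flags [S], seq 6, win 65535, length 0
"""

# Hypothetical baseline: (destination IP, port) pairs the host is expected to
# reach. Derive it from a capture taken while the host was known-clean.
KNOWN_GOOD = {("8.8.8.8", 53), ("93.184.216.34", 443)}

# Traffic to these ranges never leaves the site, so it is not Internet traffic.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Matches the leading "timestamp IP src.sport > dst.dport:" of an IPv4 line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_tcpdump(text):
    """Return one dict per IPv4 packet line; ARP, IPv6 and unparsed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return flows


def unexplained(flows, known_good=KNOWN_GOOD, local_nets=LOCAL_NETS):
    """Keep only Internet-bound packets whose (dst, port) is not in the baseline."""
    kept = []
    for f in flows:
        dst = ipaddress.ip_address(f["dst"])
        if any(dst in net for net in local_nets):
            continue
        if (f["dst"], f["dport"]) in known_good:
            continue
        kept.append(f)
    return kept


def summarize(flows):
    """Group by remote endpoint; report packet count and median inter-packet gap."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f"{f['dst']}:{f['dport']}"].append(f["ts"])
    report = {}
    for endpoint, stamps in by_dst.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[endpoint] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return report


def main():
    report = summarize(unexplained(parse_tcpdump(SAMPLE_CAPTURE)))
    for endpoint, info in sorted(report.items()):
        gap = info["median_gap_s"]
        print(f"{endpoint:22} packets={info['count']:<3} "
              f"first={info['first']:%H:%M:%S} last={info['last']:%H:%M:%S} "
              f"median_gap={'n/a' if gap is None else f'{gap:.0f}s'}")


if __name__ == "__main__":
    main()
```

Run against a real capture with `tcpdump -n -tttt -i <iface> > capture.txt` and feed the file to `parse_tcpdump`. The weak point is the baseline: anything tunnelled to an allowed (IP, port) pair, such as 443 to a hosting provider the machine legitimately uses, passes the filter unseen, so keep `KNOWN_GOOD` as narrow as the host's real job allows and re-examine any entry you cannot explain.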