> > Another idea to help with your forensics would be to bring a netstat and
> > lsof binary over to your machine and run them to see which actors are
> > running and trying to get out. That could help you detect what is running
> > on that machine and google your way from there.
If your kernel has been subverted, then userland is irrelevant: a kit can simply hook the system calls those binaries use and return whatever it wants you to know.

-- Kyle
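As an added illustration of the point about hooked system calls (this is example code, not something posted in the thread), the program below takes two different views of the Linux process table and reports PIDs that show up in one but not the other. View one is readdir() on /proc, the path ps, lsof and netstat depend on and the first thing a kit filters; view two probes every PID with kill(pid, 0), which goes through a separate syscall. A kit that hides a process on only one of those paths is exposed; a kit that hooks both paths consistently, which is exactly the case described above, is not, so a clean result proves nothing. Assumptions: Linux, run as root (with the hidepid mount option an unprivileged scan sees EPERM from kill() for processes it cannot list and flags them all), and a scan bound of 4194304, Linux's default pid_max.

```c
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: scan PIDs below this bound; Linux's default pid_max is 4194304. */
#define PID_LIMIT 4194304

/* View 1: PIDs that readdir() on /proc lists. This is what ps, lsof and
 * friends walk, and it is the first path a rootkit filters. */
static void pids_from_readdir(unsigned char *seen) {
    DIR *d = opendir("/proc");
    if (!d) return;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        long pid = strtol(e->d_name, NULL, 10);
        if (pid > 0 && pid < PID_LIMIT) seen[pid] = 1;
    }
    closedir(d);
}

/* View 2: probe each PID with kill(pid, 0) instead of listing. ESRCH means no
 * such task; 0 or EPERM means it exists. Thread IDs also answer kill(), so
 * read Tgid from /proc/<pid>/status and keep only thread-group leaders. */
static int probe_is_process(int pid) {
    if (kill(pid, 0) == -1 && errno == ESRCH) return 0;
    char path[64], line[256];
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 1;  /* answers kill() but its /proc entry is unreadable: report it */
    int tgid = pid;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid == pid;
}

static void pids_from_kill(unsigned char *seen) {
    for (int pid = 1; pid < PID_LIMIT; pid++)
        if (probe_is_process(pid)) seen[pid] = 1;
}

/* PIDs present in `probed` but missing from `listed`. Kept pure so it can be
 * exercised on constructed bitmaps; returns the total count and writes up to
 * out_len of the PIDs to out. */
int hidden_pids(const unsigned char *listed, const unsigned char *probed,
                int limit, int *out, int out_len) {
    int n = 0;
    for (int pid = 1; pid < limit; pid++) {
        if (probed[pid] && !listed[pid]) {
            if (n < out_len) out[n] = pid;
            n++;
        }
    }
    return n;
}

int main(void) {
    unsigned char *listed = calloc(PID_LIMIT, 1);
    unsigned char *probed = calloc(PID_LIMIT, 1);
    int hidden[64];
    if (!listed || !probed) return 1;
    pids_from_readdir(listed);
    pids_from_kill(probed);
    /* Processes that start or exit between the two scans show up here too;
     * rescan before treating a hit as evidence of a hidden process. */
    int n = hidden_pids(listed, probed, PID_LIMIT, hidden, 64);
    printf("%d PID(s) answer kill() but are not listed in /proc\n", n);
    for (int i = 0; i < n && i < 64; i++) printf("  pid %d\n", hidden[i]);
    free(listed);
    free(probed);
    return n ? 2 : 0;
}
```

The comparison is only as good as the independence of the two paths: both readdir() on /proc and kill() are system calls, so a kernel-resident kit that filters the task list at the source lies to both equally. The check adds value against kits that hook getdents64 and forget kill(), or against userland LD_PRELOAD tricks, and is a cheap first pass; it is not a substitute for imaging the box and examining it from a trusted kernel.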