Grant, Maybe going forward (if you're not doing so already), one tool I've found to be useful in the past was AIDE. While it certainly won't prevent a break-in, it can certainly be useful when trying to find out what changed on your system.
Later, Shawn On 2/12/07, Paul Sebastian Ziegler <[EMAIL PROTECTED]> wrote:
Hi Grant, personally (but this is by far only ONE possible setup for your task) I'd advise you to connect eth0 to wan through a box set up as a bridge (try brctl). If that box has a good wireless card and good drivers (this mostly means "if that box isn't running Windows") you can also put that wireless-card into promiscuous mode lock it to your chanel and ssid and feed wireshark your WEP-Key or WPA-PSK for decryption. If not, then you'll have to use a second box for the wireless sniffing. BTW. current rootkits won't just replace ps or some other tools. Good rootkits do not run in userspace; they run in kernelspace. They directly intercept the function-calls. Just another thing to keep in mind while trying to scan for them. hth Paul Grant schrieb: >> > A good rootkit will install a "ps" that won't show the 'bot >> > processes. The one time a machine of mine got hacked, netstat >> > still worked, but I don't know why a hacked netstat couldn't be >> > installed as well. >> >> > Looking through /proc/≤pid> is probably still reliable. >> >> >> Hello Grant, >> >> I keep an old portable around, running wireshark and a flat hub. >> You can set your ethernet address to 0.0.0.0 and fire up wireshark. >> >> You can then sniff any (ethernet) segment of your network for >> nefarious traffic or male-configured network applictions. > > Ok, it sounds like the key to figuring this out is watching the > outgoing network traffic for weird stuff. eth0 is on the WAN and > wireless ath0 is on the local subnet. How would you monitor the > outgoing traffic considering my setup? > > - Grant > │ИМ╒▀╛z╦ ·з(╒╦&j)b· bst== -- gentoo-user@gentoo.org mailing list
-- "Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi." Larry Wall
