On Sat, 9 Sep 2000, Pekka Savola wrote:

>If your system were to be remotely controllable, it would have to use
>a listening socket.  Your netscape-communicator is _not_ a server process,
>so it won't show up there.  And as the malicious process could be UDP too,
>I'd include -u in there, ie. -ltunp.

I use "netstat -plunt" as "plunt" is a semi-word of sorts and
easier to remember.  I've got another equally easy to remember
shortcut for displaying udp and tcp processes without doing DNS
lookups and giving a continuous display readout that updates
every few seconds, but I won't tell you what it is... I'll let you
figure that one out yourself.   ;o)


>Well, the exploit could be some kind of "call home every X hours" and it
>wouldn't show, but I think those are a very small minority.  Also, for it
>to be really useful, the connection (if it were TCP) would have to show in
>ESTABLISHED state in -antp.

There are also covert servers such as those that destroyed Yahoo
et al. earlier this year.  They are triggered by bit twiddling in
the options in IP headers and ICMP messages, sequence numbers,
etc. and won't show up as listening servers necessarily.  Mainly
because they aren't.  Rather they are more of a one way
communication mechanism with no connection being established in
the traditional TCP 3 way handshake connection.  I dunno how
you'd see these in netstat except perhaps as RAW sockets..
I dunno..

TTYL

--
Mike A. Harris  -  Computer Consultant  -  Capslock Consulting
Linux advocate, Open source advocate | Copyright 2000 all rights reserved
     ===============================================================
"A Firewall is really much like a sophisticated traffic cop; it detects and
stops unauthorized or suspicious movement in or out of the network. But
security is more than a Firewall; it's a process. You can't just put in a
Firewall and think you're secure."



_______________________________________________
Redhat-devel-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-devel-list
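Added example, not part of the original message: on Linux the kernel socket tables that netstat reads are exposed as /proc/net/tcp, /proc/net/udp and /proc/net/raw, so the question of whether a raw socket would be visible can be checked by listing raw entries next to the TCP/UDP listeners. The sample rows are constructed, the function names are illustrative, and address decoding assumes a little-endian host.

```python
import socket
import struct

HDR = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
# Constructed sample rows in the /proc/net/{tcp,udp,raw} layout (not from a real host).
SAMPLE = {
    "tcp": HDR
    + "   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1\n"
    + "   1: 0A00000A:8F2C 0101A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1002 1\n",
    "udp": HDR
    + "  10: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1003 2\n",
    "raw": HDR
    + "   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1004 2\n",
}

def decode(hexaddr):
    """'0100007F:0016' -> ('127.0.0.1', 22). Assumes a little-endian host."""
    ip_hex, num_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(num_hex, 16)

def parse(text, proto):
    """Turn one /proc/net table into a list of dicts, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        ip, num = decode(f[1])
        rows.append({"proto": proto, "ip": ip, "num": num,
                     "state": f[3], "uid": int(f[7]), "inode": int(f[9])})
    return rows

def unsolicited(tables):
    """Sockets that can receive unsolicited packets: TCP LISTEN (0A),
    unconnected UDP (07), and every raw socket regardless of state."""
    found = []
    for proto, text in tables.items():
        for r in parse(text, proto):
            if proto == "tcp" and r["state"] != "0A":
                continue
            if proto == "udp" and r["state"] != "07":
                continue
            # In /proc/net/raw the "port" column holds the IP protocol number.
            label = "ipproto" if proto == "raw" else "port"
            found.append((proto, r["ip"], f"{label}={r['num']}", r["inode"]))
    return found

if __name__ == "__main__":
    for entry in unsolicited(SAMPLE):
        print(*entry)
```

To run it against a live host, replace the SAMPLE values with the contents of the three /proc/net files; the inode in each tuple can be matched against the `socket:[inode]` links under /proc/<pid>/fd to find the owning process.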