Grant wrote:
>> > > > A good rootkit will install a "ps" that won't show the 'bot
>> > > > processes. The one time a machine of mine got hacked, netstat
>> > > > still worked, but I don't know why a hacked netstat couldn't be
>> > > > installed as well.
>> > >
>> > > > Looking through /proc/<pid>
> > > A good rootkit will install a "ps" that won't show the 'bot
> > > processes. The one time a machine of mine got hacked, netstat
> > > still worked, but I don't know why a hacked netstat couldn't be
> > > installed as well.
> >
> > > Looking through /proc/<pid> is probably still reliable.
>
On Mon, Feb 12, 2007 at 09:32:47AM -0600, Penguin Lover Dan Farrell squawked:
> > I can see in an xfce4 panel plugin that there is constantly a small
> > amount of incoming/outgoing traffic to/from the affected system when
> > there is no reason I know of for it. netstat doesn't show anything
> >
On Sun, 11 Feb 2007 19:58:49 -0800
Grant <[EMAIL PROTECTED]> wrote:
> > > A good rootkit will install a "ps" that won't show the 'bot
> > > processes. The one time a machine of mine got hacked, netstat
> > > still worked, but I don't know why a hacked netstat couldn't be
> > > installed as well.
Grant,
I figured I should add this note. I'm recommending AIDE as something if you
get to the point where you feel like you've been hacked, you've done your
post-mortem, and are ready to rebuild, upon your rebuild AIDE might prove to
be handy in the future. It'd probably be useless on a system th
Grant,
Maybe going forward (if you're not doing so already), one tool I've found to
be useful in the past was AIDE. While it certainly won't prevent a break-in,
it can certainly be useful when trying to find out what changed on your
system.
Later,
Shawn
On 2/12/07, Paul Sebastian Ziegler <[EMA
Hi Grant,
personally (but this is by far only ONE possible setup for your task)
I'd advise you to connect eth0 to wan through a box set up as a bridge
(try brctl). If that box has a good wireless card and good drivers (this
mostly means "if that box isn't running Windows") you can also put that
wi
> A good rootkit will install a "ps" that won't show the 'bot
> processes. The one time a machine of mine got hacked, netstat
> still worked, but I don't know why a hacked netstat couldn't be
> installed as well.
> Looking through /proc/<pid> is probably still reliable.
Hello Grant,
I keep an
Grant Edwards visi.com> writes:
> A good rootkit will install a "ps" that won't show the 'bot
> processes. The one time a machine of mine got hacked, netstat
> still worked, but I don't know why a hacked netstat couldn't be
> installed as well.
> Looking through /proc/<pid> is probably still
On 2007-02-11, Chris Nolan <[EMAIL PROTECTED]> wrote:
> A long time ago when a LAMP box of mine got hacked.. they installed a
> program in /tmp/ that would connect to IRC
> servers. Basically they made my box a bot. The way I found it was I
> saw outgoing IRC connections when I was in netstat loo
11 matches