Re: [cobalt-security] netstat -plven
- Subject: Re: [cobalt-security] netstat -plven
- From: "Paul Gillingwater" <paul@xxxxxxxxxxx>
- Date: Wed, 14 Mar 2001 19:44:59 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Jeff Lovell <jlovell@xxxxxxx> said:
> On Wed, 14 Mar 2001, Kai Schantz, Euroweb wrote:
>
> > This netstat I took right now:
> >
> > [root@www admin]# netstat -plven
>
> do not trust netstat on the box. this is almost always one
> of the first things replaced to hide the existence of open
> ports. use an external port scanner on your box such as
> nmap <http://www.insecure.org/nmap/>.
Quite right. I've recovered a few systems from rootkits,
and netstat is certainly one of the utilities that is often
replaced by crackers. Also replaced are:
    ps      -- hides nasty processes
    netstat -- hides network connections
    ls      -- hides nasty files
    telnetd -- hacked version of telnet with back door
If you suspect an attack, a quick check is the date stamps of
binaries. Try this:
    ls -salt /bin /usr/bin /sbin /usr/sbin | more
and look for recent changes. You can do the same thing with
directories, or find with the mtime option.
In any case, seek expert help, e.g.
http://www.cert.org/security-improvement/practices/p096.html
Often innocuous utilities are replaced by compromised versions.
--
*********************************
Paul Gillingwater
Managing Director
CSO Lanifex Unternehmensberatung
& Softwareentwicklung G.m.b.H.
NEW BUSINESS CONCEPTS
E-mail: paul@xxxxxxxxxxx
Telnum: +43/1/21 98 222
Mobile: +43/699/1922 3085
Webhome: http://www.lanifex.com
Address: Praterstrasse 60/1/2
A-1020 Vienna, Austria
*********************************
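
The date-stamp check suggested in the message above, written with find as an added example that is not part of the original post. It goes one step further than mtime alone by also comparing ctime, which touch(1) cannot backdate; the function names and sample files are hypothetical, and on a suspect host find and ls themselves should come from trusted media.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# scan_recent DAYS DIR...
#   MTIME-RECENT <path>  file contents modified within the last DAYS days
#   CTIME-ONLY   <path>  inode changed within DAYS days although mtime claims
#                        to be older. A replaced binary whose mtime was
#                        backdated lands here, but so do chmod/chown and
#                        package upgrades that keep the packaged mtime, so
#                        treat hits as leads to verify, not as proof.
scan_recent() {
    days=$1
    shift
    find "$@" -type f -mtime "-$days" -print 2>/dev/null |
        sed 's/^/MTIME-RECENT /'
    find "$@" -type f -ctime "-$days" ! -mtime "-$days" -print 2>/dev/null |
        sed 's/^/CTIME-ONLY /'
}

# Constructed sample data: one freshly written file, and one file whose
# mtime has been set back to 1 Jan 2000 after it was written.
make_sample() {
    dir=$(mktemp -d) || return 1
    echo fresh > "$dir/ps"
    echo swapped > "$dir/netstat"
    touch -t 200001010000 "$dir/netstat"
    echo "$dir"
}

# Demo on the constructed sample.
sample=$(make_sample) && scan_recent 7 "$sample" && rm -rf "$sample"

# On a live system the call would be:
#   scan_recent 7 /bin /usr/bin /sbin /usr/sbin
```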