[Nottingham] Paranoid already
Robert Davies
nottingham at mailman.lug.org.uk
Sun Aug 17 15:45:01 2003
On Sunday 17 Aug 2003 14:02, Lee wrote:
> > I also find running "netstat -tpan" pretty useful as it'll tell you which
> > program is listening on which port and detail any active connections.
> > Particularly useful for checking for backdoors and other nasties :)
>
> Hmm, if your box has been rooted well, then you can't trust tools like
> netstat or ps, unless you're using tripwire (on a remote host) to verify
> file integrity, I think I heard the gnu site got hacked the other day,
> and certain packages 'replaced' with dubious copies..probably had some
> backdoor code injected into them(!).

They say that they were verifying the files with known good MD5SUMS, and
removed all source which couldn't be verified so far.

Lee's right about not trusting utilities like netstat to 'prove' an absence
of daemons listening after penetration. They are useful, however, before the
fact to check on what services your machine is running; you might need to
adjust your firewall rules.

Don't forget UDP too; netstat -t shows only TCP/IP listeners, and you ought to
check UDP/IP as well with netstat -utlp.

Rob
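
The before-the-fact check discussed in this message, scripted as an added example that is not part of the original post: it compares both TCP and UDP listeners against the services the machine is meant to run. The sample netstat output, the EXPECTED list and the function names are constructed for illustration; on a real host the input would come from `netstat -utlnp`.

```shell
#!/bin/sh
# Constructed sample of `netstat -utlnp` output (not captured from a real host).
# Note that UDP rows have no State column, so the owner is read as the last field.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/master
tcp6       0      0 :::80                   :::*                    LISTEN      803/apache2
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
udp        0      0 0.0.0.0:31337           0.0.0.0:*                           -
EOF
}

# Hypothetical allow-list: the proto/port pairs this machine is supposed to serve.
EXPECTED="tcp/22 tcp/25 udp/68"

# Read netstat -utlnp output on stdin and print "proto/port owner" for every
# TCP or UDP listener that is not in the allow-list passed as $1.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, w, " ")
            for (i = 1; i <= n; i++) ok[w[i]] = 1
        }
        # Header lines are skipped; tcp6/udp6 are folded into tcp/udp.
        $1 ~ /^(tcp|udp)6?$/ {
            proto = substr($1, 1, 3)
            k = split($4, a, ":")      # port is whatever follows the last colon
            key = proto "/" a[k]
            if (!(key in ok)) print key, $NF
        }'
}

# Assumes program names without spaces, as in the sample above.
sample_netstat | unexpected_listeners "$EXPECTED"
```

An owner of "-" means netstat could not attribute the socket to a process, which happens when it is run without root.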