Re: [gentoo-user] Re: Did I just get hacked???

[Paul Sebastian Ziegler <psz@observed.de>]

Hi Grant,

personally (but this is by far only ONE possible setup for your task)
I'd advise you to connect eth0 to wan through a box set up as a bridge
(try brctl). If that box has a good wireless card and good drivers (this
mostly means "if that box isn't running Windows") you can also put that
wireless-card into promiscuous mode lock it to your chanel and ssid and
feed wireshark your WEP-Key or WPA-PSK for decryption.
If not, then you'll have to use a second box for the wireless sniffing.

BTW. current rootkits won't just replace ps or some other tools. Good
rootkits do not run in userspace; they run in kernelspace. They directly
intercept the function-calls. Just another thing to keep in mind while
trying to scan for them.

hth
Paul

Grant schrieb:
>> > A good rootkit will install a "ps" that won't show the 'bot
>> > processes.  The one time a machine of mine got hacked, netstat
>> > still worked, but I don't know why a hacked netstat couldn't be
>> > installed as well.
>>
>> > Looking through /proc/≤pid> is probably still reliable.
>>
>>
>> Hello Grant,
>>
>> I keep an old portable around, running wireshark and a flat hub.
>> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>>
>> You can then sniff any (ethernet) segment of your network for
>> nefarious traffic or male-configured network applictions.
> 
> Ok, it sounds like the key to figuring this out is watching the
> outgoing network traffic for weird stuff.  eth0 is on the WAN and
> wireless ath0 is on the local subnet.  How would you monitor the
> outgoing traffic considering my setup?
> 
> - Grant
> │ИМ╒▀╛z╦\x1e·з(╒╦&j)b·    bst==

-- 
gentoo-user@gentoo.org mailing list