From: Paul Sebastian Ziegler
Date: Mon, 12 Feb 2007 07:02:25 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Did I just get hacked???
Message-ID: <45D002F1.5060404@observed.de>
In-Reply-To: <49bf44f10702111631q757afb4x865b48e7bbffdb62@mail.gmail.com>
References: <49bf44f10702101827k199bf270yfb65ed1f4f5195e0@mail.gmail.com> <1171165124.381.9.camel@blackwidow.nbk> <8d634f4f0702102006w78f419acp14ddc64a8652693d@mail.gmail.com> <49bf44f10702111631q757afb4x865b48e7bbffdb62@mail.gmail.com>

Hi Grant,

personally (but this is by far only ONE possible setup for your task) I'd advise you to connect eth0 to the WAN through a box set up as a bridge (try brctl).

If that box has a good wireless card and good drivers (this mostly means "if that box isn't running Windows") you can also put that wireless card into promiscuous mode, lock it to your channel and SSID and feed wireshark your WEP key or WPA-PSK for decryption. If not, then you'll have to use a second box for the wireless sniffing.

BTW, current rootkits won't just replace ps or some other tools. Good rootkits do not run in userspace; they run in kernelspace. They directly intercept the function calls. Just another thing to keep in mind while trying to scan for them.

hth
Paul

Grant wrote:
>> > A good rootkit will install a "ps" that won't show the 'bot
>> > processes. The one time a machine of mine got hacked, netstat
>> > still worked, but I don't know why a hacked netstat couldn't be
>> > installed as well.
>>
>> > Looking through /proc/<pid> is probably still reliable.
>>
>>
>> Hello Grant,
>>
>> I keep an old portable around, running wireshark and a flat hub.
>> You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>>
>> You can then sniff any (ethernet) segment of your network for
>> nefarious traffic or mal-configured network applications.
>
> Ok, it sounds like the key to figuring this out is watching the
> outgoing network traffic for weird stuff. eth0 is on the WAN and
> wireless ath0 is on the local subnet. How would you monitor the
> outgoing traffic considering my setup?
>
> - Grant
>

-- 
gentoo-user@gentoo.org mailing list
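Paul's point that a kernel rootkit intercepts the calls ps relies on, and the quoted note that /proc/<pid> is probably still reliable, both lead to the same defensive check: compare independent views of the process table and look for PIDs that one view hides. The script below is an added example, not code from the thread or from any tool it mentions; the function names and the 32768 fallback are this example's own assumptions.

```python
"""Cross-view hidden-process check. Added example, not from the thread; all
names are this example's own. Compares PIDs from ps, from a readdir() of /proc,
and from a brute-force stat() of /proc/<pid>: a replaced ps fails the first
comparison, a kernel hook that filters the /proc listing often fails the second."""
import os
import re
import subprocess

def pid_max() -> int:
    """Upper bound for the probe; 32768 is a constructed fallback default."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return 32768

def pids_from_ps(ps_output: str) -> set:
    """Parse `ps -eo pid=` output: one, possibly padded, PID per line."""
    return {int(m) for m in re.findall(r"^\s*(\d+)\s*$", ps_output, re.M)}

def pids_from_proc_listing() -> set:
    """View 2: what readdir() of /proc returns (the source ps itself relies on)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def is_process(pid: int) -> bool:
    """/proc/<tid> exists for threads too (never listed by readdir); only count Tgid == pid."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return any(l.startswith("Tgid:") and int(l.split()[1]) == pid for l in f)
    except OSError:
        return False

def pids_from_proc_probe(limit: int) -> set:
    """View 3: stat() every candidate /proc/<pid>; a filtered listing rarely blocks a direct lookup."""
    return {p for p in range(1, limit + 1)
            if os.path.exists(f"/proc/{p}") and is_process(p)}

def hidden_pids(trusted: set, suspect: set) -> set:
    """PIDs present in the more trusted view but missing from the suspect one."""
    return trusted - suspect

def check_live() -> dict:
    """Run all three views. Short-lived processes cause one-off transient
    differences; a PID that stays hidden across repeated passes is the signal."""
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True).stdout
    by_ps, by_readdir = pids_from_ps(ps_out), pids_from_proc_listing()
    by_probe = pids_from_proc_probe(pid_max())
    return {"hidden_from_ps": hidden_pids(by_readdir, by_ps),
            "hidden_from_readdir": hidden_pids(by_probe, by_readdir)}
```

Run check_live() as root on the suspect box itself; with a large pid_max the probe takes a few seconds, and a non-empty set that survives a second pass deserves a look at that PID's /proc entry.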