From: "nicolas.cornu"
Date: Tue, 13 Feb 2007 09:07:33 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Did I just get hacked???
Message-ID: <45D171C5.2010609@ch-st-julien.fr>
In-Reply-To: <49bf44f10702121005tffea02ayce436b96bf2274c0@mail.gmail.com>

Grant wrote:
>> > > > A good rootkit will install a "ps" that won't show the 'bot
>> > > > processes. The one time a machine of mine got hacked, netstat
>> > > > still worked, but I don't know why a hacked netstat couldn't be
>> > > > installed as well.
>> > >
>> > > > Looking through /proc/<pid> is probably still reliable.
>> > >
>> > >
>> > > Hello Grant,
>> > >
>> > > I keep an old portable around, running wireshark and a flat hub.
>> > > You can set your ethernet address to 0.0.0.0 and fire up wireshark.
>> > >
>> > > You can then sniff any (ethernet) segment of your network for
>> > > nefarious traffic or misconfigured network applications.
>> > >
>> > > hth,
>> > >
>> > > James
>> >
>> > I can see in an xfce4 panel plugin that there is constantly a small
>> > amount of incoming/outgoing traffic to/from the affected system when
>> > there is no reason I know of for it. netstat doesn't show anything
>> > that jumps out at me although this is the first time I've really used
>> > it. All of the current netstat connections appear to be UNIX as
>> > opposed to Internet. Should I paste them in?
>> >
>> > - Grant
>>
>> nope, they're all local socket connections. What kind of traffic are
>> you seeing, I mean how much? Ever heard of tcpdump?
>
> I just did a fresh reboot and as soon as xfce4 was loaded I was seeing
> between .2kbps and .6kbps incoming and outgoing traffic constantly in
> the xfce4 panel plugin which uses /proc/net/dev. I then changed the
> WPA wireless password on the router so the machine couldn't connect
> and the panel plugin started reporting small bursts of
> incoming/outgoing traffic instead of the constant stream. I then
> updated the machine's password to match the router's new password and
> the steady stream returned.
>
> netstat --ip reports absolutely no connections during all of this.
>
> Should I emerge tcpdump and run that?
>
> - Grant

Hi,

You could try wireshark, which is almost the same thing as tcpdump but graphical. It will help you to analyze the packets going through your interface.

-- 
gentoo-user@gentoo.org mailing list
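The thread's advice boils down to "don't trust the binaries, read /proc yourself": ps may have been replaced, netstat could be too, and the panel plugin is just sampling /proc/net/dev. The script below is an added example (not code from any of the posters) that does exactly that from Python: it lists the numeric /proc entries and diffs them against the PID column of ps output, computes per-interface kbit/s from two /proc/net/dev samples the way the plugin does, and decodes /proc/net/tcp, which is the file netstat --ip itself reads. All sample inputs are constructed for the example, the function names are my own, and the /proc/net/tcp state table is deliberately limited to the three codes the sample uses. The caveat a practitioner would want: this only catches a userland rootkit that swapped out ps or netstat; a kernel rootkit that filters /proc fools this script exactly as it fools ps, and the byte counters tell you that traffic exists, not what it is, which is where tcpdump or wireshark come in as the thread says.

```python
"""Cross-check ps, netstat and the traffic counter directly against /proc.

Added example for this thread, not code from any of the posters. It reads the
same /proc files that ps, netstat and the xfce4 netload plugin read, so it only
helps when those binaries were replaced; a kernel rootkit filtering /proc is
not detected. The sample inputs below are constructed, not real captures.
"""
import os

# ---- 1. hidden-process check: numeric /proc entries that ps did not list ----

def proc_pids(proc_root="/proc"):
    """PIDs visible as numeric directories under proc_root (run this on the live box)."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def pids_from_ps_output(text):
    """Parse the PID column from 'ps -e' style output (header line first)."""
    pids = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids

def pids_hidden_from_ps(ps_pids, visible_pids):
    """PIDs present in /proc but absent from ps output. Processes that start or
    exit between the two snapshots land here too, so only an entry that
    persists across repeated runs is suspicious."""
    return sorted(visible_pids - ps_pids)

# ---- 2. traffic check: byte counters from /proc/net/dev (what the plugin reads) ----

def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines()[2:]:            # skip the two header lines
        iface, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) >= 9:                      # rx bytes is field 0, tx bytes is field 8
            counters[iface.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def kbit_per_second(before, after, seconds):
    """Per-interface (rx, tx) rate in kbit/s between two samples taken 'seconds' apart."""
    rates = {}
    for iface, (rx1, tx1) in after.items():
        rx0, tx0 = before.get(iface, (rx1, tx1))
        rates[iface] = ((rx1 - rx0) * 8 / 1000 / seconds,
                        (tx1 - tx0) * 8 / 1000 / seconds)
    return rates

# ---- 3. socket check: /proc/net/tcp, the file netstat --ip itself reads ----

TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}   # subset, for the sample

def parse_proc_net_tcp(text):
    """Return [(local, remote, state)] for every IPv4 TCP socket listed."""
    def addr(hexaddr):
        ip_hex, port_hex = hexaddr.split(":")
        # the kernel writes the IPv4 address little-endian: 0100007F -> 127.0.0.1
        octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
        return "%s:%d" % (".".join(octets), int(port_hex, 16))
    sockets = []
    for line in text.splitlines()[1:]:            # skip the column header
        f = line.split()
        if len(f) >= 4:
            sockets.append((addr(f[1]), addr(f[2]), TCP_STATES.get(f[3], f[3])))
    return sockets

# ---- constructed samples (not real output from the affected machine) ----

PS_SAMPLE = """\
  PID TTY          TIME CMD
    1 ?        00:00:01 init
  842 ?        00:00:00 sshd
 1203 ?        00:00:03 xfce4-panel
"""
PROC_PIDS_SAMPLE = {1, 842, 1203, 1337}          # 1337 is the planted "hidden" PID

NET_DEV_BEFORE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1200      10    0    0    0     0          0         0     1200      10    0    0    0     0       0          0
  eth1:  500000    4000    0    0    0     0          0         0   200000    1500    0    0    0     0       0          0
"""
# ten seconds later: +750 bytes in, +250 bytes out on eth1, nothing on lo
NET_DEV_AFTER = NET_DEV_BEFORE.replace("500000", "500750").replace("200000", "200250")

NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 0 10 0
   1: 2900A8C0:8C44 0101A8C0:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0 0 10 0
"""

if __name__ == "__main__":
    print("hidden from ps:", pids_hidden_from_ps(pids_from_ps_output(PS_SAMPLE), PROC_PIDS_SAMPLE))
    print("kbit/s over 10 s:", kbit_per_second(parse_proc_net_dev(NET_DEV_BEFORE),
                                              parse_proc_net_dev(NET_DEV_AFTER), 10))
    for local, remote, state in parse_proc_net_tcp(NET_TCP_SAMPLE):
        print("%-20s %-20s %s" % (local, remote, state))
```

On a real box you would replace PS_SAMPLE with the captured output of ps -e, PROC_PIDS_SAMPLE with proc_pids(), and read /proc/net/dev twice ten seconds apart; the constructed eth1 deltas come out to 0.6 kbit/s in and 0.2 kbit/s out, the same order of magnitude Grant reports from the plugin. A PID that keeps showing up in the diff, or an ESTABLISHED socket in /proc/net/tcp that netstat does not print, is the kind of mismatch that turns "something feels off" into evidence; matching output across all three checks rules out a userland replacement but not a kernel one.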