Grant, I figured I should add this note. I'm recommending AIDE as something if you get to the point where you feel like you've been hacked, you've done your post-mortem, and are ready to rebuild, upon your rebuild AIDE might prove to be handy in the future. It'd probably be useless on a system that has already been compromised. Later, Shawn On 2/12/07, Shawn Singh wrote: > > Grant, > > Maybe going forward (if you're not doing so already), one tool I've found > to be useful in the past was AIDE. While it certainly won't prevent a > break-in, it can certainly be useful when trying to find out what changed on > your system. > > Later, > > Shawn > > On 2/12/07, Paul Sebastian Ziegler wrote: > > > > Hi Grant, > > > > personally (but this is by far only ONE possible setup for your task) > > I'd advise you to connect eth0 to wan through a box set up as a bridge > > (try brctl). If that box has a good wireless card and good drivers (this > > > > mostly means "if that box isn't running Windows") you can also put that > > wireless-card into promiscuous mode lock it to your chanel and ssid and > > feed wireshark your WEP-Key or WPA-PSK for decryption. > > If not, then you'll have to use a second box for the wireless sniffing. > > > > BTW. current rootkits won't just replace ps or some other tools. Good > > rootkits do not run in userspace; they run in kernelspace. They directly > > > > intercept the function-calls. Just another thing to keep in mind while > > trying to scan for them. > > > > hth > > Paul > > > > Grant schrieb: > > >> > A good rootkit will install a "ps" that won't show the 'bot > > >> > processes. The one time a machine of mine got hacked, netstat > > >> > still worked, but I don't know why a hacked netstat couldn't be > > >> > installed as well. > > >> > > >> > Looking through /proc/pid> is probably still reliable. > > >> > > >> > > >> Hello Grant, > > >> > > >> I keep an old portable around, running wireshark and a flat hub. > > >> You can set your ethernet address to 0.0.0.0 and fire up wireshark. > > >> > > >> You can then sniff any (ethernet) segment of your network for > > >> nefarious traffic or male-configured network applictions. > > > > > > Ok, it sounds like the key to figuring this out is watching the > > > outgoing network traffic for weird stuff. eth0 is on the WAN and > > > wireless ath0 is on the local subnet. How would you monitor the > > > outgoing traffic considering my setup? > > > > > > - Grant > > > z(&j)b bst== > > > > -- > > gentoo-user@gentoo.org mailing list > > > > > > > -- > "Doing linear scans over an associative array is like trying to club > someone to death with a loaded Uzi." > Larry Wall -- "Doing linear scans over an associative array is like trying to club someone to death with a loaded Uzi." Larry Wall