To: gentoo-user@lists.gentoo.org
From: James
Subject: [gentoo-user] Re: Did I just get hacked???
Date: Sun, 11 Feb 2007 21:16:19 +0000 (UTC)

Grant Edwards visi.com> writes:

> A good rootkit will install a "ps" that won't show the 'bot
> processes. The one time a machine of mine got hacked, netstat
> still worked, but I don't know why a hacked netstat couldn't be
> installed as well.
>
> Looking through /proc/<pid> is probably still reliable.

Hello Grant,

I keep an old portable around, running wireshark and a flat hub. You can set your ethernet address to 0.0.0.0 and fire up wireshark. You can then sniff any (ethernet) segment of your network for nefarious traffic or mal-configured network applications.

hth,
James

-- 
gentoo-user@gentoo.org mailing list
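Grant's point that /proc/<pid> stays trustworthy when ps has been replaced can be turned into a check. The script below is an added example, not something posted in this thread: it compares three views of the process table (what ps prints, the /proc directories, and kill(pid, 0) probes in the style of the unhide tool) and reports pids that one view shows and another hides, re-sampling so that processes which merely exited between snapshots are not reported. It assumes Linux with a procps-style ps and is meant to be run as root.

```python
import os
import subprocess

def proc_pids():
    """PIDs the kernel publishes as /proc/<pid> directories."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def proc_tids():
    """Thread IDs from /proc/<pid>/task/*. kill(2) accepts a TID as well, so
    these count as 'known' or every multithreaded process looks hidden."""
    tids = set()
    for pid in proc_pids():
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:  # process exited between the two listdir calls
            pass
    return tids

def ps_pids():
    """PIDs as the ps binary reports them: the view a trojaned ps would alter."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=True)
    return {int(p) for p in out.stdout.split()}

def kill_probe_pids(limit):
    """ps-independent view: kill(pid, 0) for every pid up to `limit`.
    ESRCH means nothing is there; success or EPERM means something is."""
    alive = set()
    for pid in range(1, limit + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def hidden_pids(visible, reference, passes=3):
    """pids reference() reports but visible() does not, on every pass (transient pids drop out)."""
    hidden = None
    for _ in range(passes):
        missing = reference() - visible()
        hidden = missing if hidden is None else hidden & missing
    return hidden

if __name__ == "__main__":
    # Run as root: unprivileged, or with /proc mounted hidepid, other users' pids look 'hidden'.
    print("in /proc but not in ps:", hidden_pids(ps_pids, proc_pids))
    def known(): return proc_pids() | proc_tids()
    print("answer kill() but not in /proc:", hidden_pids(known, lambda: kill_probe_pids(65536)))
```

The probe limit of 65536 is a constructed default; pids above it are simply not probed, so raise it toward /proc/sys/kernel/pid_max for a full sweep.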