Date: Thu, 22 Nov 2001 11:41:50 +0200
From: Sheldon Hearn <sheldonh@starjuice.net>
To: Pierre-Luc Lespérance <oksala@videotron.ca>
Cc: security@freebsd.org
Subject: Re: Unknown transient service 1528/tcp
Message-ID: <19463.1006422110@axl.seasidesoftware.co.za>
In-Reply-To: Your message of "Thu, 22 Nov 2001 00:19:15 EST." <3BFC8AD3.8DC9E56D@videotron.ca>

On Thu, 22 Nov 2001 00:19:15 EST, Pierre-Luc Lespérance wrote:

> The best way to figure out what's listening
> on your computer may be netstat and sockstat.

Except that the machine lies less to the outside world when it's been hacked. The netstat binary is a favourite candidate for being replaced by rootkits, as I recently discovered when our Linux firewall was hacked.

Using tools on a local system that you suspect to have been hacked can be problematic, especially when the system has been set up to periodically rewrite key system binaries.

With the advent of kqueue, it's possible for things like ps, top and netstat to be rewritten every time you update them with fresh, virgin copies!

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19463.1006422110>
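
The cross-check the message points at (compare what the suspect host reports with what a separate, trusted machine sees on the wire), as an added example that is not part of the original e-mail. The sockstat and nmap grepable text, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed sample: `sockstat -4l` output as reported BY the suspect host.
LOCAL_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       214   3  tcp4   *:22                  *:*
root     sendmail   230   4  tcp4   127.0.0.1:25          *:*
www      httpd      301   16 tcp4   *:80                  *:*
"""

# Constructed sample: nmap grepable (-oG) output taken FROM a trusted machine.
EXTERNAL_SCAN = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 1528/open/tcp/////, 113/closed/tcp//auth///\n"
)

def local_listeners(sockstat_text):
    """Map port -> (command, pid, bind address) for TCP listeners the host admits to."""
    ports = {}
    for line in sockstat_text.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 7 or not f[4].startswith("tcp"):
            continue
        addr, _, port = f[5].rpartition(":")
        if port.isdigit():
            ports[int(port)] = (f[1], int(f[2]), addr)
    return ports

def external_open(grepable_text):
    """Set of TCP ports the outside observer saw in state 'open'."""
    ports = set()
    for line in grepable_text.splitlines():
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        for entry in (m.group(1).split(",") if m else []):
            fields = entry.strip().split("/")        # port/state/proto/...
            if len(fields) >= 3 and fields[1:3] == ["open", "tcp"]:
                ports.add(int(fields[0]))
    return ports

def cross_view(sockstat_text, grepable_text):
    """Return (ports open on the wire but absent locally, local non-loopback ports not seen)."""
    local, seen = local_listeners(sockstat_text), external_open(grepable_text)
    hidden = sorted(seen - set(local))
    unseen = sorted(p for p, (_, _, addr) in local.items()
                    if p not in seen and not addr.startswith("127."))
    return hidden, unseen

if __name__ == "__main__":
    print(cross_view(LOCAL_SOCKSTAT, EXTERNAL_SCAN))
```

A port in the first list means the local tools and the network disagree, which is the signal to stop trusting binaries on that host and inspect it from known-good media; the second list usually just reflects packet filtering between the two machines.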