From: Sheldon Hearn
To: Pierre-Luc Lespérance
Cc: security@freebsd.org
Subject: Re: Unknown transient service 1528/tcp
In-reply-to: Your message of "Thu, 22 Nov 2001 00:19:15 EST." <3BFC8AD3.8DC9E56D@videotron.ca>
Date: Thu, 22 Nov 2001 11:41:50 +0200
Message-ID: <19463.1006422110@axl.seasidesoftware.co.za>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, 22 Nov 2001 00:19:15 EST, Pierre-Luc Lespérance wrote:

> The best way to figure out what's listening
> on your computer may be netstat and sockstat.

Except that the machine lies less to the outside world when it's been
hacked. The netstat binary is a favourite candidate for being replaced
by rootkits, as I recently discovered when our Linux firewall was
hacked.

Using tools on a local system that you suspect to have been hacked can
be problematic, especially when the system has been set up to
periodically rewrite key system binaries. With the advent of kqueue,
it's possible for things like ps, top and netstat to be rewritten every
time you update them with fresh, virgin copies!

Ciao,
Sheldon.
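
The message above argues that a suspect host's own netstat may omit a listener that is still visible from outside. The following is an added example, not part of the original message, that cross-checks the two views; the netstat sample, the externally scanned port list and the function names are constructed for illustration.

```python
# Added example: compare the listeners a host reports about itself with the
# ports seen open from another machine. All sample data below is constructed.

# Constructed FreeBSD-style `netstat -an -p tcp` output from the suspect host.
LOCAL_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.51234         ESTABLISHED
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.5432         *.*                    LISTEN
"""

# Constructed set of TCP ports found open by a scan run from a trusted host.
EXTERNAL_OPEN = {22, 25, 1528}


def local_listeners(netstat_text):
    """Return {port: set(bind addresses)} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(".")  # FreeBSD prints addr.port
        if port.isdigit():
            listeners.setdefault(int(port), set()).add(addr)
    return listeners


def compare_views(netstat_text, external_open):
    """Report ports missing from the local view and ports only seen locally."""
    local = local_listeners(netstat_text)
    hidden = sorted(set(external_open) - set(local))
    # Loopback-only listeners are not expected to answer from outside.
    unreachable = sorted(
        p for p, addrs in local.items()
        if p not in external_open and not addrs <= {"127.0.0.1", "::1"}
    )
    return {"hidden_from_local": hidden, "not_seen_externally": unreachable}


if __name__ == "__main__":
    report = compare_views(LOCAL_NETSTAT, EXTERNAL_OPEN)
    print("open externally, absent from local netstat:", report["hidden_from_local"])
    print("listed locally, not reachable externally:", report["not_seen_externally"])
```

A port in `hidden_from_local` is a reason to stop trusting the host's own binaries and examine it from known-good media; a port in `not_seen_externally` usually just means a firewall sits between the scanner and the host.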