-
The MAC matches, but if my host is compromised, shouldn't I be seeing a ton of open connections when I do 'netstat -l'? It's generating about 100 packets/second, so you would think that I would have that many open high-number ports waiting for replies.
-
The MAC matches the firewall's, is what I hear you saying.....
You wouldn't see anything awry in the netstat if there is a user level or kernel level rootkit on the box hiding the activity from you.
Before we make the assumption that there is a rootkit there I would like the opinion of some others here.....
ANYONE?????
-
I think I posted this once before, it's an old trick, but that's an old box ...
Log into the firewall box and type the command
grep :x:0: /etc/passwd
The ONLY line you should see is
"root:x:0:0:root:/root:/bin/bash"
May or may not tell you if you've been cracked, but if you see more than one ....
-
Solved. It appears that two machines on my network had Sasser. The reason the connections weren't showing in netstat was because I just wasn't using the right switches. This is my gateway device, and also NATs my private IPs. I needed to issue netstat -M to show masqueraded connections. As soon as I did that, it showed me the internal IPs that were scanning for 445. I patched and cleaned them, and we're back in business. Thanks for your time, everyone.
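The two checks this thread arrives at (a second UID-0 account in /etc/passwd, and finding which internal host behind the NAT gateway is the one scanning port 445), written up as an added example that is not from any of the posters. The passwd lines and the NAT table lines are constructed samples, and the "proto src:port dst:port" layout of the NAT sample is an assumption; real netstat -M or conntrack output is laid out differently, so the awk field numbers need adjusting to it.

```shell
#!/bin/sh
# Added example (not from the thread). Two defender-side checks:
#  1. list every account with UID 0 (the grep trick above, made exact)
#  2. rank internal source IPs by how many NAT table entries point at tcp/445
# Both read stdin, so they can be fed a real file or the constructed samples.

# Constructed /etc/passwd sample with a planted second UID-0 account "toor".
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:planted:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Print the login name of every account whose UID (3rd colon field) is 0.
# Comparing the field numerically works whether the password field is "x"
# or an actual hash, which the fixed string ":x:0:" would miss.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }'
}

# Constructed NAT/masquerade table sample. The layout "proto src:port dst:port"
# is an assumption: real 'netstat -M' or /proc/net/ip_conntrack output differs,
# so adjust the awk field numbers ($2, $3) to match what it prints.
SAMPLE_NAT='tcp 192.168.1.20:1034 10.4.5.6:445
tcp 192.168.1.20:1035 10.4.5.7:445
tcp 192.168.1.20:1036 10.4.5.8:445
tcp 192.168.1.21:2001 10.9.9.9:445
tcp 192.168.1.30:3300 203.0.113.5:80'

# For entries whose destination port is 445, count per internal source IP and
# print "count ip", busiest first. A host with hundreds of these is the one
# scanning (the Sasser symptom in the thread), not a host doing normal SMB.
port445_by_source() {
    awk '$3 ~ /:445$/ { split($2, s, ":"); n[s[1]]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demo on the constructed samples (on a real gateway pipe in the real data,
# e.g. uid0_accounts < /etc/passwd).
echo "UID-0 accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "Internal sources with connections to tcp/445:"
printf '%s\n' "$SAMPLE_NAT" | port445_by_source
```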
-
Bingo!!!!!
I'll award myself 8 smartie points for not trusting your original analysis, not knowing crap about *nix and asking for further advice from the better qualified on *nix before trying to come to a conclusion...... :cool: