-
March 8th, 2005, 09:19 PM
#11
Junior Member
The MAC matches, but if my host is compromised, shouldn't I be seeing a ton of open connections when I do 'netstat -l'? It's generating about 100 packets/second, so you would think that I would have that many open high-number ports waiting for replies.
"I would like to electrocute everyone who uses the word "fair" in connection with income tax policies."
- William F. Buckley Jr.
-
March 8th, 2005, 09:22 PM
#12
The MAC matches the firewall is what I hear you saying.....
You wouldn't see anything awry in the netstat if there is a user level or kernel level rootkit on the box hiding the activity from you.
Before we make the assumption that there is a rootkit there I would like the opinion of some others here.....
ANYONE?????
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
March 8th, 2005, 09:47 PM
#13
I think I posted this once before, it's an old trick, but that's an old box ...
Log into the firewall box and type the command
grep :x:0: /etc/passwd
The ONLY line you should see is
root:x:0:0:root:/root:/bin/bash
May or may not tell you if you've been cracked, but if you see more than one ....
"And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
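The check in the post above, written up as a small script that is an added example and not part of the thread. It keys on the UID field rather than the literal string `:x:0:`, so it still catches a UID-0 account whose password field is not `x` (for example a box that never moved to shadow passwords), and it prints the account names instead of just the matching lines. The passwd file it reads is a constructed sample in the standard seven-field format; the extra `toor` entry is invented to show what a second UID-0 account looks like.

```shell
# Added example: find every account with UID 0 in a passwd-style file.
# Assumes the classic format name:password:uid:gid:gecos:home:shell.

# Print the login names of all UID-0 accounts in the file given as $1.
list_uid0() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Print how many UID-0 accounts the file has (should be exactly 1: root).
count_uid0() {
    awk -F: '$3 == 0 { n++ } END { print n + 0 }' "$1"
}

# Exit status 0 when only one UID-0 account exists, 1 otherwise.
check_single_root() {
    [ "$(count_uid0 "$1")" -eq 1 ]
}

# Constructed sample passwd file; "toor" is an invented extra UID-0 account.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
toor:x:0:0:extra superuser:/:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/bash
EOF

# On a real box you would run: list_uid0 /etc/passwd
echo "UID-0 accounts in sample file:"
list_uid0 "$SAMPLE_PASSWD"
```

Running `check_single_root /etc/passwd` from a cron job and mailing on failure turns the one-off grep into a standing check; remember that it only sees local accounts, so it says nothing about setuid binaries or an altered login program, which is where a rootkit would hide.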
-
March 8th, 2005, 11:44 PM
#14
Junior Member
Solved. It appears that two machines on my network had Sasser. The reason the connections weren't showing in netstat was because I just wasn't using the right switches. This is my gateway device, and also NATs my private IPs. I needed to issue netstat -M to show masqueraded connections. As soon as I did that, it showed me the internal IPs that were scanning for 445. I patched and cleaned them, and we're back in business. Thanks for your time, everyone.
"I would like to electrocute everyone who uses the word "fair" in connection with income tax policies."
- William F. Buckley Jr.
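The diagnosis in the post above came from reading the gateway's masquerading table and noticing which internal hosts were fanning out to port 445. The script below is an added example, not something from the thread: it does the same tally over conntrack-style lines (the `src=... dst=... sport=... dport=...` layout that `/proc/net/ip_conntrack` uses on kernels of that era; the exact format is assumed here) and reports, per internal source address, how many tracked connections target a given port. The sample lines are constructed; the addresses and counts in them are invented.

```shell
# Added example: count tracked connections per internal source IP to one port.
# Input is a file of conntrack-style lines; the first src= and dport= tokens on
# a line describe the original direction (internal host -> outside target).

# Usage: top_sources_to_port FILE PORT  -> "count ip" lines, busiest first.
top_sources_to_port() {
    awk -v port="$2" '
        {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if (src == "" && $i ~ /^src=/)     { src = substr($i, 5) }
                if (dport == "" && $i ~ /^dport=/) { dport = substr($i, 7) }
            }
            if (src != "" && dport == port) n[src]++
        }
        END { for (s in n) print n[s], s }
    ' "$1" | sort -rn
}

# Usage: sources_over_threshold FILE PORT N -> only IPs with more than N hits.
sources_over_threshold() {
    top_sources_to_port "$1" "$2" | awk -v lim="$3" '$1 > lim { print $2 }'
}

# Constructed sample of conntrack-style entries (format assumed, values invented).
SAMPLE_CONNTRACK=$(mktemp)
cat > "$SAMPLE_CONNTRACK" <<'EOF'
tcp 6 119 SYN_SENT src=192.168.1.17 dst=198.51.100.8 sport=1034 dport=445 [UNREPLIED] src=198.51.100.8 dst=203.0.113.9 sport=445 dport=1034 use=1
tcp 6 119 SYN_SENT src=192.168.1.17 dst=198.51.100.9 sport=1035 dport=445 [UNREPLIED] src=198.51.100.9 dst=203.0.113.9 sport=445 dport=1035 use=1
tcp 6 119 SYN_SENT src=192.168.1.17 dst=198.51.100.10 sport=1036 dport=445 [UNREPLIED] src=198.51.100.10 dst=203.0.113.9 sport=445 dport=1036 use=1
tcp 6 119 SYN_SENT src=192.168.1.23 dst=198.51.100.11 sport=2001 dport=445 [UNREPLIED] src=198.51.100.11 dst=203.0.113.9 sport=445 dport=2001 use=1
tcp 6 119 SYN_SENT src=192.168.1.23 dst=198.51.100.12 sport=2002 dport=445 [UNREPLIED] src=198.51.100.12 dst=203.0.113.9 sport=445 dport=2002 use=1
tcp 6 431999 ESTABLISHED src=192.168.1.5 dst=198.51.100.20 sport=3300 dport=80 src=198.51.100.20 dst=203.0.113.9 sport=80 dport=3300 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.1.17 dst=198.51.100.21 sport=1040 dport=22 src=198.51.100.21 dst=203.0.113.9 sport=22 dport=1040 [ASSURED] use=1
EOF

# On the gateway itself you would point this at the live table instead.
echo "Internal hosts by tracked connections to port 445:"
top_sources_to_port "$SAMPLE_CONNTRACK" 445
```

A long run of `[UNREPLIED]` SYN_SENT entries from one internal address to many different destinations on the same port is the pattern to look for; ordinary clients talk to a few servers repeatedly, while a scanning worm touches each target once.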
-
March 9th, 2005, 12:25 AM
#15
Bingo!!!!!
I'll award myself 8 smartie points for not trusting your original analysis, not knowing crap about *nix and asking for further advice from the better qualified on *nix before trying to come to a conclusion......
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides