Security Basics mailing list archives

Re: process identification


From: Nik Schild <nikschild () gmx net>
Date: Tue, 04 May 2004 08:56:05 +0200

Hi stijn

try 'lsof -i' but this will probably not work either, because the attacker may have replaced all important binaries or he may even have installed a root-kit. I guess you don't have a host based IDS to check your binaries. Try http://www.knowngoods.org/ to verify your binaries (for rpm systems: rpm -Va). Check also http://www.chkrootkit.org/ for root-kit detection. If you don't make any progress, boot from a trusted CD and investigate again.

good luck
Nik

Stijn De Weirdt wrote:
hello, i have a computer that has been (successfully :( ) attacked, and i'm currently checking how 'they' did it. the computer has an open port with a listening ftp-server, but there is no matching PID with netstat. so here's the question: how do i get the process-id?

some data:
the computer is running some old mandrake version (9.0, kern 2.4.19-16mdk)

'netstat -vapt' output:
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 xxx.xxx.xxx:81          *:*                     LISTEN      -

(denote the last -)

 nmap -p 81 (from another machine) gives
Port       State       Service
81/tcp     filtered    hosts2-ns

but telnet from the same machine gives (partly)
220 xxx.xxx.xxx FTP server (Version 1.8 - 2002/01/14 20:09:00) ready.

the ftp-server seems very highly modified, meaning that
1. there isn't supposed to run one on that computer (but there is one installed)
2. doesn't recognise any commands like cd, ls, get, put, login...

currently port 81 is being DROP/LOG via iptables, and i'm reinstalling it in a few days, but any advice on how to look for the server process is handy. i have root access to the machine, so that's no problem.

many thanks
stijn
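The "-" in netstat's PID column means it found no /proc/<pid>/fd entry holding the socket's inode. The following is an added example, not part of this thread, that redoes that inode-to-pid mapping directly from /proc so you are not relying on a possibly trojaned netstat (the function names and the sample /proc/net/tcp content are constructed). A LISTEN socket reported as ownerless while running as root points at a process hidden from /proc or an in-kernel listener, which is the situation Nik's trusted-CD check is meant for; an LKM root-kit can hide from this script as well, so treat its output as a lead, not proof.

```python
import glob
import os
import re

LISTEN = "0A"  # socket state code used in /proc/net/tcp
def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into (local_ip, port, state, inode) tuples."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # the IPv4 address is stored as a little-endian hex word
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        entries.append((ip, int(port_hex, 16), fields[3], int(fields[9])))
    return entries

def socket_owners(proc_root="/proc"):
    """Map socket inode -> pid by reading every /proc/<pid>/fd/* symlink (needs root)."""
    owners = {}
    for fd in glob.glob(os.path.join(proc_root, "[0-9]*", "fd", "*")):
        try:
            target = os.readlink(fd)
        except OSError:
            continue                              # process exited or fd closed meanwhile
        m = re.match(r"socket:\[(\d+)\]$", target)
        if m:
            owners[int(m.group(1))] = int(fd.split(os.sep)[-3])
    return owners

def orphan_listeners(proc_net_tcp_text, owners):
    """Return LISTEN sockets whose inode no visible process holds: [(ip, port, inode)]."""
    return [(ip, port, inode)
            for ip, port, state, inode in parse_proc_net_tcp(proc_net_tcp_text)
            if state == LISTEN and inode not in owners]

# Constructed sample of /proc/net/tcp: sshd on :22 (inode 9999, owned by pid 700)
# and an unexplained listener on :81 (inode 12345) that no process in /proc holds.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9999 1 c0000000 300 0 0 2 -1
   1: 00000000:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 c0000000 300 0 0 2 -1
"""
SAMPLE_OWNERS = {9999: 700}
if __name__ == "__main__":
    with open("/proc/net/tcp") as f:                # live check on the host itself
        for ip, port, inode in orphan_listeners(f.read(), socket_owners()):
            print(f"LISTEN {ip}:{port} inode {inode}: no owning process visible in /proc")
```

Run it as root on the suspect host and compare with the same check from a trusted boot; IPv6 sockets live in /proc/net/tcp6 and are not covered here.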

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------