Firewall Wizards mailing list archives
Re: OT? New compromise.
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 30 Mar 2007 13:09:58 -0500
On Thu, 2007-03-29 at 17:12 -0400, Mike Barkett wrote:
On Windows /c:\netstat -an |find /i "listening"/
There are tools like openports or the sysinternals set you may
Windows: netstat -aon Linux: netstat -apn
Of course all these tools only work if the application uses the OS's IP stack. Any decent rootkitted malware, that puts its own packets on the wire and sniffs the responses promiscuously, won't show up in those lists. You can see the packets with tcpdump/sniffers, but won't be able to correlate them back to an application (unless you do some CPU utilization sample and correlate that with the observed network traffic, but you'd need to be able to see the app in the first place, so if it's hidden by a rootkit, that won't help you either).

Just because nothing shows up in netstat doesn't mean that there isn't an application promiscuously listening for data to that port.

Regards,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
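Added example, not part of the original post: a cross-view check that compares what `netstat -an` reports on a host with what a sniffer off that host sees it sending, which is the gap the message describes. The addresses, ports, sample netstat output and tcpdump lines are all constructed, and the parser assumes Linux-style netstat columns.

```python
import re

HOST_IP = "192.0.2.10"  # assumed address of the host under examination

# Constructed sample: `netstat -an` output collected on the suspect host.
NETSTAT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:50122      ESTABLISHED
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

# Constructed sample: tcpdump -n output from a tap or span port off the host.
CAPTURE = """\
13:09:58.100001 IP 198.51.100.7.50122 > 192.0.2.10.22: Flags [P.], length 48
13:09:58.100420 IP 192.0.2.10.22 > 198.51.100.7.50122: Flags [.], length 0
13:09:59.200001 IP 203.0.113.9.40000 > 192.0.2.10.8081: Flags [S], length 0
13:09:59.200300 IP 192.0.2.10.8081 > 203.0.113.9.40000: Flags [R.], length 0
13:10:01.300001 IP 203.0.113.9.40001 > 192.0.2.10.31337: Flags [S], length 0
13:10:01.300250 IP 192.0.2.10.31337 > 203.0.113.9.40001: Flags [S.], length 0
"""

def netstat_local_ports(text):
    """Local TCP ports the OS stack admits to, in any state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("tcp"):
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > \S+: Flags \[([^\]]+)\]")

def wire_source_ports(text, host_ip):
    """Ports the host was seen sending non-RST TCP segments from."""
    ports = set()
    for m in PKT.finditer(text):
        src, port, flags = m.groups()
        if src == host_ip and "R" not in flags:  # RST = stack says closed
            ports.add(int(port))
    return ports

def unexplained_ports(netstat_text, capture_text, host_ip):
    """Ports active on the wire that netstat does not account for."""
    return sorted(wire_source_ports(capture_text, host_ip)
                  - netstat_local_ports(netstat_text))

if __name__ == "__main__":
    print(unexplained_ports(NETSTAT, CAPTURE, HOST_IP))
```

A connection that opens and closes between the netstat snapshot and the capture window will also be flagged, so a hit is a lead to investigate rather than proof. The result names a port, not a process, which matches the limitation described in the message.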