Subject: Re: system possibly compromised
To: None <hpeyerl@beer.org, michal@pasternak.w.lub.pl>
From: Roger Fischer <rgfisch@excite.com>
List: netbsd-help
Date: 02/24/2004 12:15:16
$ find /dev -type d
/dev
/dev/fd
/dev/altq

$ ls fd
0   11  14  17  2   22  25  28  30  33  36  39  41  44  47  5   52  55  58  60  63  9
1   12  15  18  20  23  26  29  31  34  37  4   42  45  48  50  53  56  59  61  7
10  13  16  19  21  24  27  3   32  35  38  40  43  46  49  51  54  57  6   62  8

$ ls altq
afm     altq    blue    cbq     cdnr    fifoq   hfsc    localq  priq    red     rio     wfq
$




 --- On Tue 02/24, Herb Peyerl < hpeyerl@beer.org > wrote:
From: Herb Peyerl [mailto: hpeyerl@beer.org]
To: michal@pasternak.w.lub.pl
     Cc: rgfisch@excite.com, netbsd-help@netbsd.org
Date: Tue, 24 Feb 2004 10:04:52 -0700
Subject: Re: system possibly compromised 

Tue, 24 Feb 2004 17:51:49 +0100.
             <20040224165149.GB27125@pasternak.w.lub.pl>
> Check out for listening sockets using netstat -an | grep LISTEN, for example.

Lots of rootkits wrap netstat, ps, du, ls, etc, to filter out evidence
of their existence. Look for strange directories in /dev using 'echo *'
and/or "find /dev -type d"

You're probably best off booting from a NetBSD CD and grovelling through
the machine.

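Added example, not part of the original messages: the /dev check discussed in this thread, done with shell globbing and builtin tests only so that a replaced ls or find is never consulted, and including dot-names, which a bare 'echo *' does not expand. The function names and both allowlists are assumptions (the directory list is taken from the listing above; MAKEDEV and MAKEDEV.local are assumed to be the only regular files expected).

```shell
#!/bin/sh
# Added example: enumerate a /dev tree without calling ls or find.

# Directories expected under /dev (the two shown in the listing in this thread).
ALLOWED_DIRS="fd altq"
# Regular files expected under /dev (assumption: the device-creation scripts).
ALLOWED_FILES="MAKEDEV MAKEDEV.local"

# in_list NAME WORD... : succeed if NAME equals one of the WORDs.
in_list() {
    needle=$1; shift
    for w in "$@"; do
        [ "$w" = "$needle" ] && return 0
    done
    return 1
}

# scan_dev ROOT : print one line per unexpected entry directly under ROOT.
scan_dev() {
    root=${1:-/dev}
    # "*" skips names starting with a dot, so the two dot patterns are added
    # explicitly; together they cover everything except "." and "..".
    for path in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        name=${path##*/}
        # A pattern that matched nothing stays literal; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        if [ -L "$path" ]; then
            continue    # symlinks are normal in /dev and are not followed
        elif [ -d "$path" ]; then
            in_list "$name" $ALLOWED_DIRS || printf 'DIR  %s\n' "$path"
        elif [ -f "$path" ]; then
            in_list "$name" $ALLOWED_FILES || printf 'FILE %s\n' "$path"
        fi
        # Device nodes, FIFOs and sockets fall through and are not reported.
    done
}

# Usage on the running system, or on the disk mounted after booting from CD
# (/mnt is a hypothetical mount point):
#   scan_dev /dev
#   scan_dev /mnt/dev
```

Builtins only protect against replaced userland binaries; running it from CD-booted media against the mounted disk, as suggested above, also removes the running kernel from the picture.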