On Friday 02 January 2004 6:51 am, Sascha Cunz wrote:
I checked it from home, using nmap (which isn't installed on the machine in question). I thought it might be safer to check from outside.
<snip>
Hm, haven't thought of this yet. I'll have to check this with our ISP, thanx for the advice.
Hi, however, netstat -anp on the box in question will show you soon what it is listening on and also assign a process to a) each existing connection and b) each listened-for connection.
Any tool on the suspect box has to be treated with caution, IME. It's always handy to keep a few statically-compiled binaries of things like ps and find and chkrootkit and sash - say - on a CD-R; if you suspect a compromise, put them on the suspect box and see if they give you anything more than the usual results. (I find the various arguments of 'find' to be useful: 'find -atime' or 'find -mtime'; any half-clued kiddie will modify the timestamps, but there's often something that doesn't get changed and can give you clues.) It should go without saying that the binaries need to be compiled for a system appropriate to your suspect box!

Additionally, lsof (http://www-rcd.cc.purdue.edu/~abe/) is invaluable for this sort of thing.

best wishes,
Gideon Hallett.
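The check the thread describes, an outside nmap scan compared against netstat -anp run on the box, as an added example that is not part of the original e-mails: both inputs are constructed samples (hosts, PIDs and the extra port 31337 are invented), and the last function lists ports reachable from outside that the box's own netstat does not report as listening, which is what a trojaned netstat or a hidden listener looks like.

```sh
#!/bin/sh
# Constructed sample of `netstat -anp` as it might look on the suspect box.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1023/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1304/httpd
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 2210/sshd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           690/ntpd'

# Constructed sample of one grepable-output line (nmap -oG) from the outside scan.
NMAP_SAMPLE='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 31337/open/tcp//Elite///'

# Print "proto port pid/program" for every socket netstat reports as listening.
# TCP listeners carry LISTEN in the State column; UDP lines have no State
# column, so their PID/Program field is one position to the left.
local_listeners() {
  printf '%s\n' "$NETSTAT_SAMPLE" | awk '
    $1 == "tcp" && $6 == "LISTEN" { port = $4; sub(/.*:/, "", port); print $1, port, $7 }
    $1 == "udp"                   { port = $4; sub(/.*:/, "", port); print $1, port, $6 }
  ' | sort
}

# Print "proto port" for every port nmap reports as open.
external_open() {
  printf '%s\n' "$NMAP_SAMPLE" | sed 's/.*Ports: //' | tr ',' '\n' | awk -F/ '
    $2 == "open" { gsub(/^ +/, "", $1); print $3, $1 }
  ' | sort
}

# Ports open from outside that the box itself does not admit to listening on.
# Anything printed here deserves a look with the clean, static binaries.
hidden_from_local() {
  { local_listeners | awk '{print "L", $1, $2}'; external_open | sed 's/^/E /'; } |
  awk '$1 == "L" { seen[$2 " " $3] = 1; next }
       !(($2 " " $3) in seen) { print $2, $3 }'
}

hidden_from_local   # prints: tcp 31337
```

Replace the two sample variables with the real outputs (`netstat -anp` on the box, `nmap -oG - <host>` from outside) to run it for real.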