Mailinglist Archive: opensuse-security (520 mails)

Re: [suse-security] netstat-output
  • From: Alexander Reelsen <ar@xxxxxxxx>
  • Date: Tue, 5 Dec 2000 13:09:54 +0100
  • Message-id: <20001205130954.A17321@xxxxxxxxxxxxxxxxx>
Hi

On Tue, Dec 05, 2000 at 12:38:20PM +0100, Martin Geigl wrote:
> (Not all processes could be identified, non-owned process info
> will not be shown, you would have to be root to see it all.)
>
> But I was root!
> My question now is, is this a standard comment of netstat or is there a
> "hidden" program running, which even root can't see (e.g. some trojan
> horse)?
alex@joker:~# strings $(which netstat ) | egrep "(processes|shown)"
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)

So, this string is definitely included in the netstat binary. However, you
cannot be sure that you weren't compromised. What you could do is
compile a new (best case is static) binary of netstat (better is lsof :)),
copy it to the system and execute it (like lsof -i) to check if the
system has been trojaned.

However, this behaviour is not normal. If you have an idea why this is spit
out even though you are root, mail it to the list.


MfG/Regards, Alexander

--
Alexander Reelsen http://joker.rhwd.de
ref@xxxxxxxxx GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB
ar@xxxxxxxx 7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
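
An added example, not part of the message above: a cross-check in the spirit of that advice which does not call the installed netstat binary. It lists listening TCP sockets from a /proc/net/tcp-format file and maps each socket inode to a PID through the /proc/<pid>/fd links, printing "-" where no owner is found. The function names and sample data are constructed, and the Linux /proc layout is assumed.

```shell
#!/bin/sh
# list_listeners FILE -> "port inode" per LISTEN (state 0A) row of a
# /proc/net/tcp-format file; the header row has no 0A state and is skipped.
list_listeners() {
    while read -r sl local rem st txrx trtm retr uid timeout inode rest; do
        [ "$st" = "0A" ] || continue
        port_hex=${local##*:}
        echo "$((0x$port_hex)) $inode"
    done < "$1"
}

# socket_owners PROCROOT -> "inode pid" for every fd link to socket:[inode].
socket_owners() {
    for link in "$1"/[0-9]*/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            'socket:['*']')
                inode=${target#socket:\[}; inode=${inode%\]}
                pid=${link#"$1"/}; pid=${pid%%/*}
                echo "$inode $pid" ;;
        esac
    done
}

# report_listeners TCPFILE PROCROOT -> "port pid", with "-" when no owner found.
report_listeners() {
    owners=$(socket_owners "$2")
    list_listeners "$1" | while read -r port inode; do
        pid=$(printf '%s\n' "$owners" | awk -v i="$inode" '$1 == i {print $2; exit}')
        if [ -n "$pid" ]; then echo "$port $pid"; else echo "$port -"; fi
    done
}

# demo: run against a constructed socket table and a fake /proc tree.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/proc/100/fd"
    ln -s 'socket:[5001]' "$d/proc/100/fd/3"   # PID 100 owns inode 5001
    cat > "$d/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5001 1
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5002 1
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 5003 1
EOF
    report_listeners "$d/tcp" "$d/proc"
    rm -rf "$d"
}

demo
```

On a live Linux host, run `report_listeners /proc/net/tcp /proc` as root; like any userland tool, it trusts what the kernel exposes under /proc.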
