Pantek Library

Re: hidden processes

From: Erik Vincent <evincent(at)ndexsystems.com>
Date: Thu Jul 31 2003 - 10:16:22 EDT

You can try using the lsof command and compare it with your ps output. You can also check in your /proc filesystem.

If you have another server with the same OS version, you can try to do an md5sum on your ps and netstat commands. This will show you if those commands have been modified by the hacker.....

A nice thing to do on your Unix box is to have some commands burned on CD-ROM. Commands like md5sum, ps, grep, ls, netstat, lsof, etc....

If your system gets hacked and binaries are replaced, you can use the commands burned on your CD-ROM and you are sure to be using unmodified versions of them. Or use a read-only filesystem.....

This is my 0.02$ CDN cents...

On Wed, 2003-07-30 at 17:28, Vlady wrote:
> Hi,
> One of my machines is hacked and chkrootkit-0.40 tells me that I have 3



Received on Thu Jul 31 13:13:04 2003
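The /proc versus ps cross-check suggested in the message above, as an added example that is not part of the original post. The function names and the `PROC_ROOT`, `PS_CMD` and `RECHECK_DELAY` variables are assumptions made for this sketch; `PS_CMD` can be pointed at a trusted ps binary on read-only media.

```shell
#!/bin/sh
# Added example: report PIDs that exist under /proc but are absent from ps.
# PROC_ROOT, PS_CMD and RECHECK_DELAY are hypothetical knobs for this sketch.
# Usage: . ./hidden_pids.sh; hidden_pids
PROC_ROOT="${PROC_ROOT:-/proc}"
PS_CMD="${PS_CMD:-ps -e -o pid=}"   # e.g. "/mnt/cdrom/bin/ps -e -o pid="

# PIDs as reported by ps, one per line, whitespace stripped.
ps_pids() {
    $PS_CMD | tr -d ' \t' | grep -E '^[0-9]+$' || true
}

# One snapshot: numeric /proc entries that ps did not list.
snapshot_diff() {
    ps_list=$(ps_pids)
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        printf '%s\n' "$ps_list" | grep -qxF "$pid" || echo "$pid"
    done
}

# Processes that start or exit between the ps call and the /proc listing
# show up as false positives, so take two snapshots and report only the
# PIDs missing from ps in both.
hidden_pids() {
    first=$(snapshot_diff)
    [ -n "$first" ] || return 0
    sleep "${RECHECK_DELAY:-1}"
    second=$(snapshot_diff)
    for pid in $first; do
        printf '%s\n' "$second" | grep -qxF "$pid" && echo "$pid"
    done
    return 0
}
```

An empty result only means ps and /proc agree; a kernel-level rootkit that also filters /proc will not be caught by this comparison.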

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:06:44 EDT
