Wes Bateman wrote:

> If you really don't trust the box, then in addition to the nmap scan, I
> wouldn't trust anything the running kernel told you (or told your
> userspace tools like ps, netstat, etc.). Rather, I'd boot from trusted
> media (like a rescue disk) or pull the drive and mount it in a trusted
> host. Then you can really be certain that what you see is what you
> get/have ;) But that's me, YPMV (your paranoia may vary) ;D
> ---

If you really don't trust the box, the solution is even simpler:
- back up data
- reload.

I hope that what you meant to say was, if you are suspicious.

---

> I might also throw a sniffer on the network(s) that the host is connected
> to and capture all traffic for a period. Then you could see illicit icmp,
> udp, ecp, etc. traffic going on, in addition to the tcp stuff you scanned
> for with nmap. You could scan udp with nmap...but that can take a
> painfully long time :) UDP has no way to say "rst" on its own ;) Anyhow,
> if you do sniff the traffic, you probably want a snaplen of 1514 or so
> (1500 MTU for ethernet, plus the 14 bytes for the ethernet frame
> header). If it's a real busy network segment, then you might not be able
> to do that. In that case you could set a snaplen of 96 or something and
> get all the headers, and a little peek at the contents. Of course, when
> you see something interesting on the wire, you'll be kicking yourself for
> not having the whole packets. Ah, the trials and tribulations of a
> network voyeur ;D
> ---

A network voyeur, eh? Sounds rather deprecated.

Thanks Wes, for the great explanation. I am continually learning, and there are some really great resources on this list.

Craig
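The snaplen trade-off Wes describes (1514 keeps whole Ethernet frames, 96 keeps headers plus a glimpse of payload) is easy to see on a constructed frame. The following is an added example, not code from the thread or from any tool it mentions: it builds a sample Ethernet/IPv4/UDP frame (constructed addresses and ports), truncates it the way a capture at a given snaplen would, and then decodes what is still recoverable. The function names and the frame contents are my own assumptions.

```python
import struct

ETH_HDR_LEN = 14   # destination MAC, source MAC, EtherType
IP_HDR_LEN = 20    # IPv4 header without options
UDP_HDR_LEN = 8
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def snaplen_for_mtu(mtu: int) -> int:
    """Snaplen that keeps a full frame: link MTU plus the 14-byte Ethernet header (1514 for MTU 1500)."""
    return mtu + ETH_HDR_LEN


def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample frame: Ethernet II + IPv4 + UDP. Checksums are left zero; this is for parsing, not sending."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # constructed MACs, EtherType IPv4
    udp_len = UDP_HDR_LEN + len(payload)
    ip_total = IP_HDR_LEN + udp_len
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, ip_total, 0x1234, 0, 64, IPPROTO_UDP, 0,
        bytes(int(o) for o in src_ip.split(".")),
        bytes(int(o) for o in dst_ip.split(".")),
    )
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


def capture(frame: bytes, snaplen: int) -> bytes:
    """What a sniffer keeps of one frame at a given snaplen: the first `snaplen` bytes, nothing more."""
    return frame[:snaplen]


def is_non_tcp(captured: bytes) -> bool:
    """True for the ICMP/UDP/other traffic an nmap TCP scan would not have shown (needs only the IP header)."""
    if len(captured) < ETH_HDR_LEN + IP_HDR_LEN:
        raise ValueError("snaplen too small to recover the IP header")
    return captured[ETH_HDR_LEN + 9] != IPPROTO_TCP


def parse_captured(captured: bytes) -> dict:
    """Decode the recoverable headers of a truncated UDP frame and report how much payload was cut off."""
    if len(captured) < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN:
        raise ValueError("snaplen too small to recover Ethernet/IP/UDP headers")
    ihl = (captured[ETH_HDR_LEN] & 0x0F) * 4
    proto = captured[ETH_HDR_LEN + 9]
    src = ".".join(str(b) for b in captured[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16])
    dst = ".".join(str(b) for b in captured[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20])
    l4 = ETH_HDR_LEN + ihl
    sport, dport, udp_len = struct.unpack("!HHH", captured[l4:l4 + 6])
    payload = captured[l4 + UDP_HDR_LEN:]
    expected = udp_len - UDP_HDR_LEN          # the UDP length field says how much payload was really sent
    return {
        "proto": proto,
        "src": src,
        "dst": dst,
        "sport": sport,
        "dport": dport,
        "payload_captured": len(payload),
        "payload_lost": expected - len(payload),
    }


if __name__ == "__main__":
    frame = build_udp_frame("10.0.0.5", "10.0.0.9", 40000, 53, b"A" * 200)  # constructed 200-byte payload
    for snaplen in (snaplen_for_mtu(1500), 96):
        print(snaplen, parse_captured(capture(frame, snaplen)))
```

With the full-frame snaplen nothing is lost; at 96 the 42 bytes of Ethernet/IP/UDP headers survive and 54 bytes of payload remain, which is enough to classify the flow but not to reconstruct what was said. Anything below 42 bytes fails the header check outright, which is the failure mode to watch for when trimming snaplen on a busy segment.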