Lots of great info, Wes! Thanks! Wanna give a presentation on security sometime? :-)

~M

On Sat, 22 Dec 2001, Wes Bateman wrote:

> Hey Carl:
>
> As was mentioned before, netstat can help you.
>
> netstat -l
>
> or, I like to do
>
> netstat -nap
>
> the -p is helpful to tell you what process is bound to that
> "listening" port
>
> lsof can also be helpful (especially if somebody trojaned your netstat,
> but didn't think about lsof :)
>
> If you really don't trust the box, then you might want to go ahead and
> nmap it from another, trusted host. You might want to include the full
> range of ports, as nmap will default to only scanning 1-1024 and ports
> listed in nmap's (rather comprehensive) services file. People like to
> bind rogue services to all sorts of weird port numbers, usually high
> numbered, as non-stateful firewalls often allow connections to ephemeral
> ports.
>
> Also, always good to see what's in a ps axf command, and maybe what lurks
> in your startup scripts and cron.
>
> If you really don't trust the box, then in addition to the nmap scan, I
> wouldn't trust anything the running kernel told you (or told your
> userspace tools like ps, netstat, etc.). Rather, I'd boot from trusted
> media (like a rescue disk) or pull the drive and mount it in a trusted
> host. Then you can really be certain that what you see is what you
> get/have ;) But that's me, YPMV (your paranoia may vary) ;D
>
> I might also throw a sniffer on the network(s) that the host is connected
> to and capture all traffic for a period. Then you could see illicit icmp,
> udp, ecp, etc. traffic going on, in addition to the tcp stuff you scanned
> for with nmap. You could scan udp with nmap...but that can take a
> painfully long time :) UDP has no way to say "rst" on its own ;) Anyhow,
> if you do sniff the traffic, you probably want a snaplen of 1514 or so
> (1500 MTU for ethernet, plus the 14 bytes for the ethernet frame
> header). If it's a real busy network segment, then you might not be able
> to do that. In that case you could set a snaplen of 96 or something and
> get all the headers, and a little peek at the contents. Of course, when
> you see something interesting on the wire, you'll be kicking yourself for
> not having the whole packets. Ah, the trials and tribulations of a
> network voyeur ;D
>
> Good luck,
>
> Wes
>
> --
> Wes Bateman, GCIA
> Chief Security Officer
> ManISec, Inc. - "Managed Internet Security Services"
> http://www.manisec.com
> wes@manisec.com
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> PLUG-discuss mailing list - PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
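The "somebody trojaned your netstat" point in Wes's reply can be turned into a concrete check: the kernel exposes its own socket table in /proc/net/tcp, so a listener that a userspace tool omits but that table still shows is worth a hard look. The script below is an added example, not code from the thread or from any of the posters; it parses a constructed /proc/net/tcp sample (the file format and the 0A "LISTEN" state code are Linux's, the sample rows and the hypothetical port 31337 listener are made up here) and reports entries missing from a tool's output. It inherits Wes's caveat: a rootkit in the running kernel can lie in /proc too, which is why booting trusted media is the last word.

```shell
#!/bin/sh
# Added example (not from the original thread): cross-check the listening
# sockets a userspace tool reports against the kernel's own socket table.
# A trojaned netstat can hide rows from its output, but it cannot edit
# /proc/net/tcp; only a kernel-level rootkit can, which Wes's "boot trusted
# media" advice covers.

# Constructed /proc/net/tcp sample: sshd on *:22, an SMTP listener on
# 127.0.0.1:25, a hypothetical rogue listener on *:31337 (hex 7A69), and one
# ESTABLISHED connection (state 01) that must not count as listening.
sample_proc_tcp() {
  cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0200000A:C3A0 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
EOF
}

# Print "ip:port" for every socket in LISTEN state (st == 0A) in a
# /proc/net/tcp-format file. Addresses are hex; the IPv4 word is in host
# byte order on little-endian machines, so the four bytes are reversed.
# (IPv6 listeners live in /proc/net/tcp6 and are not handled here.)
proc_listeners() {
  awk '
    function hex2dec(h,   i, n) {
      n = 0; h = tolower(h)
      for (i = 1; i <= length(h); i++)
        n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
      return n
    }
    NR > 1 && $4 == "0A" {
      split($2, a, ":")
      printf "%d.%d.%d.%d:%d\n",
        hex2dec(substr(a[1], 7, 2)), hex2dec(substr(a[1], 5, 2)),
        hex2dec(substr(a[1], 3, 2)), hex2dec(substr(a[1], 1, 2)),
        hex2dec(a[2])
    }' "$1"
}

# Print listeners present in the kernel table ($1) but absent from the
# tool's report ($2, one "ip:port" per line, as printed by `netstat -lnt`).
hidden_listeners() {
  proc_listeners "$1" | awk -v toolfile="$2" '
    BEGIN { while ((getline line < toolfile) > 0) seen[line] = 1 }
    !($0 in seen) { print }'
}

# Demo on the constructed data. On a live Linux host you would instead run:
#   netstat -lnt | awk 'NR > 2 { print $4 }' > tool.txt
#   hidden_listeners /proc/net/tcp tool.txt
kernel_view=$(mktemp); tool_view=$(mktemp)
sample_proc_tcp > "$kernel_view"
# Constructed `netstat -lnt` output from a netstat that omits port 31337.
printf '0.0.0.0:22\n127.0.0.1:25\n' > "$tool_view"
echo "Kernel socket table says:";  proc_listeners "$kernel_view"
echo "Hidden from the tool:";      hidden_listeners "$kernel_view" "$tool_view"
rm -f "$kernel_view" "$tool_view"
```

The same comparison works with lsof (`lsof -nP -iTCP -sTCP:LISTEN`) as the second view, which is the lsof-versus-netstat cross-check Wes describes; any listener that appears in /proc but in neither tool is the one to investigate from a trusted boot.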