Re: [SLUG] slowdown

From: Eben King (eben01@verizon.net)
Date: Fri Feb 15 2008 - 16:38:26 EST


On Wed, 13 Feb 2008, ronan wrote:

>>> Don't forget that much of the point to a rootkit is that the tools that
>>> you would use to diagnose your system have been altered to help hide the
>>> rootkit. There might be processes and connections that your tools aren't
>>> showing you.
>>
>> Hmm. What can I use to find out if there's something untoward going on? I
>> can wait until the network _should_ be idle, kill all daemons netstat
>> lists, and then see what the router says is happening.
>
> There are tools (chkroot??) that can detect some known rootkits. You could
> also copy-in some known-good binaries (top, ps) from another machine, and run
> those. Of course, if the rootkit hid itself by changing /proc instead of
> changing the tools, that wouldn't help. I've never had to deal with this
> before, anyone else?

OK. I killed all daemons with open ports (using /etc/init.d/* so they come
up nicely), and there's still some network traffic, not much, but a little.
It is inbound in bursts, around 700-750 bytes every ~10 seconds (on
gkrellm's strip chart they're always the same size and very regular; the
uncertainty is mine). No idea what they're from -- an SMB client looking for
its server? Hang on, I'll go shut down the XP box... nope, still here, same
size. Put the laptop to sleep? Nope, not it. Maybe the router?

-- 
-eben   QebWenE01R@vTerYizUonI.nOetP   royalty.mine.nu:81

This message was created using recycled electrons.
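An added example, not part of this thread, of the check a defender could run on a packet capture of the "idle" network: it parses constructed tcpdump-style summary lines (the simplified one-line format assumed here, not every tcpdump output variant) and flags any sender whose packets are the same size and arrive at a regular interval, so the source of the ~10-second bursts can be attributed to a host instead of guessed at.

```python
import re
import statistics
from collections import defaultdict

# Simplified tcpdump-like summary line (assumed format for this example):
# "16:38:00.000000 IP 192.168.1.1.49152 > 192.168.1.10.49152: UDP, length 720"
LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) IP (\S+?)\.(\d+) > (\S+?)\.(\d+): .*?length (\d+)$"
)

def parse_line(line):
    """Return (seconds, src, sport, dst, size) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = int(m.group(1)), int(m.group(2)), int(m.group(3))
    frac = int(m.group(4)) / 10 ** len(m.group(4))
    return (h * 3600 + mi * 60 + s + frac,
            m.group(5), int(m.group(6)), m.group(7), int(m.group(9)))

def find_beacons(lines, min_count=4, max_jitter=0.2, max_size_spread=0.1):
    """Group packets by (src, sport, dst) and report flows that look like
    regular, fixed-size bursts: low relative jitter in the inter-arrival
    time and a narrow size range.  Irregular traffic is left alone."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            t, src, sport, dst, size = rec
            flows[(src, sport, dst)].append((t, size))
    beacons = []
    for (src, sport, dst), pkts in flows.items():
        if len(pkts) < min_count:          # too few samples to judge regularity
            continue
        pkts.sort()
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        sizes = [size for _, size in pkts]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        size_spread = (max(sizes) - min(sizes)) / statistics.mean(sizes)
        if jitter <= max_jitter and size_spread <= max_size_spread:
            beacons.append({"src": src, "sport": sport, "dst": dst,
                            "period_s": round(mean_gap, 2),
                            "size_range": (min(sizes), max(sizes)),
                            "count": len(pkts)})
    return beacons

# Constructed sample: one regular ~10 s flow of ~720-744 byte packets from
# a host assumed to be the router, interleaved with irregular traffic.
SAMPLE = """\
16:38:00.000000 IP 192.168.1.1.49152 > 192.168.1.10.49152: UDP, length 720
16:38:02.500000 IP 192.168.1.20.51000 > 192.168.1.10.22: Flags [P.], length 64
16:38:10.050000 IP 192.168.1.1.49152 > 192.168.1.10.49152: UDP, length 736
16:38:13.100000 IP 192.168.1.20.51000 > 192.168.1.10.22: Flags [P.], length 1200
16:38:20.010000 IP 192.168.1.1.49152 > 192.168.1.10.49152: UDP, length 720
16:38:14.000000 IP 192.168.1.20.51000 > 192.168.1.10.22: Flags [P.], length 300
16:38:29.980000 IP 192.168.1.1.49152 > 192.168.1.10.49152: UDP, length 744
16:38:35.000000 IP 192.168.1.20.51000 > 192.168.1.10.22: Flags [P.], length 80
"""

if __name__ == "__main__":
    for b in find_beacons(SAMPLE.splitlines()):
        print(b)
```

On a real capture, feed it `tcpdump -tttt`-style lines only after checking that the line layout matches the regex above; a regular flow from the router's address answers the "maybe the router?" question without trusting any binary on the possibly compromised host.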



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:01:49 EDT