[122960] in North American Network Operators' Group


Re: Security Guidance

daemon@ATHENA.MIT.EDU (Curtis Maurand)
Wed Feb 24 08:01:25 2010

Date: Wed, 24 Feb 2010 08:03:23 -0500
From: Curtis Maurand <cmaurand@xyonet.com>
To: nanog@nanog.org
In-Reply-To: <C1332813-516D-45BC-B881-19F9359A3099@daork.net>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On 2/23/2010 5:38 PM, Nathan Ward wrote:
> Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely to not work if there's a rootkit on the box. The whole point of a rootkit is to hide processes and files from these tools.
>
> Get some statically linked versions of these bins on to the server, and hope they haven't patched your kernel.
>    
See if you can get a binary of busybox which has those tools and they're 
all contained in the binary.  It should run from any folder.

http://busybox.net

Very handy.

--Curtis
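
A cross-view check along the lines discussed in this message, as an added example that is not part of the original posts: it compares the PIDs reported by the host's own `ps` with those reported by a static busybox `ps` and lists the ones only busybox sees. The function names, the script name `crossview.sh` and the path `/mnt/usb/busybox` are assumptions made for illustration.

```shell
#!/bin/sh
# Cross-view check: PIDs that a trusted static busybox reports but the
# host's own (possibly tampered) ps does not.

# pid_filter MODE REFERENCE CANDIDATES
#   MODE=absent : print candidates that are NOT in the reference list
#   MODE=present: print candidates that ARE in the reference list
pid_filter() {
    ref=" $(printf '%s ' $2)"   # unquoted on purpose: newlines become spaces
    for pid in $3; do
        case "$ref" in
            *" $pid "*) [ "$1" = present ] && printf '%s\n' "$pid" ;;
            *)          [ "$1" = absent ]  && printf '%s\n' "$pid" ;;
        esac
    done
    return 0
}

# PIDs according to the installed ps.
host_pids() { ps -e -o pid= ; }

# PIDs according to the busybox ps applet ($1 = path to the static binary).
# Its default output has one header line and the PID in column 1.
trusted_pids() { "$1" ps | awk 'NR > 1 { print $1 }' ; }

# One pass: PIDs busybox sees that the host ps does not.
hidden_once() { pid_filter absent "$(host_pids)" "$(trusted_pids "$1")" ; }

# Two passes one second apart, keeping only PIDs flagged both times.
# Short-lived processes and this script's own helpers (busybox, awk,
# subshells) get different PIDs on each pass and drop out.
live_check() {
    first=$(hidden_once "$1")
    sleep 1
    second=$(hidden_once "$1")
    pid_filter present "$first" "$second"
}

# Hypothetical invocation: sh crossview.sh --live /mnt/usb/busybox
if [ "${1:-}" = "--live" ]; then
    live_check "$2"
fi
```

An empty result only means the two userland views agree; as the quoted message notes, a patched kernel can hide the same processes from the static binary too.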

