On Tue, 29 May 2001, Ken Seefried wrote:
> Tim Haynes writes:
> >
> > <sigh> Why do people persist in using nmap at test phase? Sure, if you've
> > been cracked, scan yourself if you want, but if you're looking to see `what
> > do I have open?' then nmap is the *last* tool I'd use.
> >
> > Go back to
> > sudo netstat -plan | grep LIST
>
> Well...that would be incorrect. If you have been cracked, or suspect you
> might have, then you cannot completely rely on the output of netstat, ps,
> lsof, etc. Many of the rootkits I've seen quite effectively hide themselves
> behind trojan utilities and shared libs, making detection by such casual
> methods as you indicate difficult.
Which is why nmap would be useful if you've been cracked: because you can
scan yourself from *another* *box* (which is how you're supposed to use
nmap).
Tim is just saying that if you *haven't* been cracked, use netstat instead
of nmap.
--
Hubert Chan
Research Associate
Prediction in Interacting Systems (MITACS-PINTS)
University of Alberta
Office: CAB 522
Ph: 492-4394
e-mail: [EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
