Cesar writes:
Hi !
I have a diskette with these clean utilities.
#mount /dev/fd0 /floppy
#cd /floppy
#./netstat -antp
Don't forget to mount "-ro" or write protect the floppy. :-)
On Linux, AFAIK, "netstat" relies on /dev/net and friends not to lie to it.
This is a poor assumption on a compromised machine, as it is possible to
intercept the reading of these devices in the kernel to filter results.
This can be done with a LKM (which are a common feature of root kits), or
perhaps by leveraging flaws in existing system calls (e.g. the old BSD
mmap() bug that let you make kernel physical memory writable could be used
to effect this, I suppose).
For a practical example of how this can work in the wild, please check out
the "knark" or "rial" root kit. Both use an LKM, BTW. Even having a safe,
statically linked "netstat" on floppy won't save you here.
Once again, successful detection of a compromise is a multi-layered problem,
and no one tool is a silver bullet.
Ken Seefried, CISSP
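As an added illustration of the "multi-layered" point above (example code, not part of the thread): a trusted netstat binary still trusts what the kernel hands it, so one cheap second layer is to compare the host's own view of listening sockets against a port list gathered from a different machine. The /proc/net/tcp excerpt and the external scan result below are constructed sample data.

```python
"""Cross-check locally reported listeners against an external vantage point."""
import socket
import struct

# Constructed /proc/net/tcp excerpt (the same data netstat parses on Linux).
# Columns: sl local_address rem_address st ... ; st 0A means LISTEN.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0A000005:A1B2 0A000001:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 20 4 30 10 -1
"""

# Constructed result of a port scan run from a separate, trusted host.
EXTERNAL_OPEN_PORTS = {22, 4444}

LISTEN_STATE = "0A"


def parse_proc_net_tcp(text):
    """Return a set of (ip, port) tuples for every LISTEN socket in the text."""
    listeners = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The kernel prints the 32-bit address as a native integer, so on a
        # little-endian host the octets appear reversed; unpack accordingly.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.add((ip, int(port_hex, 16)))
    return listeners


def hidden_listeners(local_view, external_ports):
    """Ports that answer from outside but are absent from the local view.

    Extra local ports are normal (e.g. loopback-only services); the suspicious
    direction is a port the outside world can reach that the host denies having.
    """
    local_ports = {port for _ip, port in local_view}
    return sorted(external_ports - local_ports)


if __name__ == "__main__":
    local = parse_proc_net_tcp(PROC_NET_TCP)
    for port in hidden_listeners(local, EXTERNAL_OPEN_PORTS):
        print(f"port {port} reachable externally but not reported locally")
```

A non-empty result does not prove a rootkit, but it is exactly the kind of discrepancy a kernel-level filter on /proc/net produces and that a clean netstat alone cannot reveal.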