On 2/23/2010 5:38 PM, Nathan Ward wrote:
> Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely
> to not work if there's a rootkit on the box. The whole point of a rootkit is to
> hide processes and files from these tools.
> Get some statically linked versions of these bins on to the server, and hope
> they haven't patched your kernel.

See if you can get a binary of busybox which has those tools and they're
all contained in the binary. It should run from any folder.
http://busybox.net
Very handy.
--Curtis
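
An added example, not part of the original messages: a cross-view check that compares the PIDs the host's own ps reports with the PIDs a statically linked busybox sees in /proc, the approach both posters describe. The busybox path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Cross-view check: compare the PIDs the host's own ps reports with the PIDs a
# trusted, statically linked busybox sees in /proc. A PID present only in the
# trusted view is being hidden from the host's userland tools.
# A patched kernel can hide a PID from both views, so an empty result proves nothing.

# Assumed location of the trusted binary (e.g. read-only media); not from the thread.
BUSYBOX="${BUSYBOX:-/mnt/trusted/busybox}"

# View 1: the installed, possibly tampered ps.
host_pids() { ps -e -o pid= | tr -d ' '; }

# View 2: numeric /proc entries, listed using only busybox applets.
trusted_pids() { "$BUSYBOX" ls /proc | "$BUSYBOX" grep -E '^[0-9]+$'; }

# hidden_pids HOST TRUSTED: print PIDs in TRUSTED that are missing from HOST.
hidden_pids() {
    host=" $(echo $1) "            # flatten to " 1 2 300 " for whole-word matching
    for pid in $2; do
        case "$host" in
            *" $pid "*) ;;
            *) echo "$pid" ;;
        esac
    done
}

# common_pids A B: print PIDs present in both lists.
common_pids() {
    other=" $(echo $2) "
    for pid in $1; do
        case "$other" in
            *" $pid "*) echo "$pid" ;;
        esac
    done
}

# Two passes one second apart; only PIDs hidden both times are reported, which
# filters processes that started or exited between the two listings.
scan() {
    first=$(hidden_pids "$(host_pids)" "$(trusted_pids)")
    sleep 1
    second=$(hidden_pids "$(host_pids)" "$(trusted_pids)")
    common_pids "$first" "$second"
}

if [ -x "$BUSYBOX" ]; then
    scan
else
    echo "set BUSYBOX to a trusted static busybox binary" >&2
fi
```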