On Sat, 9 Sep 2000, Harry Putnam wrote:
> netstat -antp |grep netscape:
>
> tcp 1 0 my.isp.address:1150 64.208.32.100:80 CLOSE_WAIT 22565/netscape-comm
>
> Whereas
> netstat -plut| grep 22565:
> (no hits)
>
> No doubt there is good reason for this but I find netstat -antp to
> give more useful info more often.
You don't understand the difference between -antp and -lntp.
-antp shows basically all sockets and shows the processes that are using
them.
-lntp (-l is for listen, check the man page) shows only sockets that are
_listening_ to the network and the corresponding processes.
If your system were to be remotely controllable, it would have to use
a listening socket. Your netscape-communicator is _not_ a server process,
so it won't show up there. And as the malicious process could be UDP too,
I'd include -u in there, i.e. -ltunp.
Well, the exploit could be some kind of "call home every X hours" and it
wouldn't show, but I think those are a very small minority. Also, for it
to be really useful, the connection (if it were TCP) would have to show in
ESTABLISHED state in -antp.
--
Pekka Savola "Tell me of difficulties surmounted,
[EMAIL PROTECTED] not those you stumble over and fall"
_______________________________________________
Redhat-devel-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-devel-list
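As an added example, not part of the thread: a small shell script that reproduces the three views discussed above on a constructed sample of `netstat -antup` output, namely what `-ltunp` would select (listening TCP and unconnected UDP sockets), the ESTABLISHED connections where a "call home" client would be visible, and the per-PID lookup from the quoted `grep`. The sample lines, PIDs and program names are made up.

```shell
#!/bin/sh
# Added example, not from the list thread. Field layout assumed, as printed
# by net-tools netstat: proto recvq sendq local foreign [state] pid/prog
# UDP lines may have no State column, so PID/Program is always taken as $NF.

# Constructed sample of "netstat -antup" output (PIDs/names are made up).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
tcp 1 0 my.isp.address:1150 64.208.32.100:80 CLOSE_WAIT 22565/netscape-comm
tcp 0 0 10.0.0.5:4321 198.51.100.7:443 ESTABLISHED 9001/example-client
udp 0 0 0.0.0.0:5353 0.0.0.0:* 700/avahi-daemon'

# What "-ltunp" selects: TCP sockets in LISTEN plus UDP sockets that are not
# connected to a peer (foreign address ends in ":*"). Output: proto local pid/prog
listening_sockets() {
    awk '$1 ~ /^tcp6?$/ && $6 == "LISTEN" { print $1, $4, $NF }
         $1 ~ /^udp6?$/ && $5 ~ /:\*$/    { print $1, $4, $NF }'
}

# Live TCP connections, the only place an outbound "call home" client shows.
# Output: proto local foreign pid/prog
established_connections() {
    awk '$1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" { print $1, $4, $5, $NF }'
}

# Every socket owned by one PID, like "netstat -antup | grep PID/" in the
# quoted post. Output: proto local foreign state
sockets_of_pid() {
    awk -v pid="$1" '$NF ~ ("^" pid "/") { print $1, $4, $5, $6 }'
}

printf '%s\n' "$SAMPLE" | listening_sockets
printf '%s\n' "$SAMPLE" | established_connections
printf '%s\n' "$SAMPLE" | sockets_of_pid 22565
```

The netscape-comm socket in CLOSE_WAIT appears only in the per-PID view, which is exactly why it is missing from `-plut` in the quoted post.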