Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: Caroline Couture <caroline () POBOX UPENN EDU>
Date: Tue, 27 Jun 2006 09:42:14 -0400

Hey Dave,

I saw this post on the security list and I had some questions about it.


Quoting David Taylor <ltr () ISC UPENN EDU>:
[snip]
Do a netstat -nao on the local machine and then do a remote port scan with a
tool such as nmap.  If something shows up in the nmap scan that doesn't show
as listening on the netstat there is likely a rootkit.

How would you do this kind of scan? Would you have the computer on the network and
scan the IP with nmap, or do something else so the computer is not live on the
network?

Also, connecting to the remote system with computer manager will let you
see hidden services.  Open the services on the local machine and compare to
the remote listing.  This goes for the registry as well.

Not sure what you mean by this? Can you explain? I don't know what computer
manager is. There is Computer Management, part of Administrative Tools in Control Panel,
that lets you see local services running? How do you look at services remotely?

Thanks for answering these questions if you can, and if you have the time. I
always want to learn new things. Even if the system usually gets rebuilt anyway. :)

Caroline

--
College House Computing
3702 Spruce St.
215.573.3887
ITSS for DuBois

"Fairy Tales are more than true; not because they tell us that dragons exist,
but because they tell us that dragons can be beaten." -- G. K. Chesterton
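As an added example (not part of the original thread, and not either author's own tooling): a Python script that automates the two comparisons David describes. It assumes the nmap scan was run from a second machine while the suspect host was still on the network, since the technique only works if you have the network's view of the host to set against the host's own view; and that the service listings come from `sc query` run locally on the suspect host and `sc \\host query` run from a clean machine. All netstat, nmap and sc output below is constructed sample data, not captured from a real incident.

```python
import re
from typing import Set, Tuple

# Constructed sample of `netstat -nao` run ON the suspect Windows host
# (not real data; shaped like the Windows XP/2003 output format).
NETSTAT_NAO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      10.0.0.5:51234         ESTABLISHED     1204
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed sample of an nmap scan of the same host, run FROM a second machine.
NMAP_SCAN = """
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-06-27 09:42 EDT
Interesting ports on 192.168.1.10:
Not shown: 1675 closed ports
PORT     STATE    SERVICE
135/tcp  open     msrpc
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp filtered ms-term-serv
4444/tcp open     krb524
Nmap finished: 1 IP address (1 host up) scanned in 3.2 seconds
"""

# Constructed `sc query` output: first run locally on the suspect host,
# then remotely from a clean machine (sc \\192.168.1.10 query).
# "wsrvhelper" is a made-up service name used only for illustration.
SC_QUERY_LOCAL = """
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        STATE              : 4  RUNNING

SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
        STATE              : 4  RUNNING
"""

SC_QUERY_REMOTE = SC_QUERY_LOCAL + """
SERVICE_NAME: wsrvhelper
DISPLAY_NAME: Windows Service Helper
        STATE              : 4  RUNNING
"""

Port = Tuple[int, str]  # (port number, "tcp" or "udp")


def local_listeners(netstat_output: str) -> Set[Port]:
    """Ports the host itself claims to be bound to, per netstat -nao."""
    ports: Set[Port] = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue  # blank lines, banner and column header
        proto = fields[0].lower()
        # TCP counts only in LISTENING state; UDP has no state column,
        # so every bound UDP socket is treated as a listener.
        if proto == "tcp" and fields[3] != "LISTENING":
            continue
        # rsplit copes with IPv6 local addresses such as [::]:135
        port = int(fields[1].rsplit(":", 1)[1])
        ports.add((port, proto))
    return ports


NMAP_OPEN = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")


def remote_open_ports(nmap_output: str) -> Set[Port]:
    """Ports the network sees as open, per nmap normal output.
    'filtered' ports are not counted; 'open|filtered' (UDP) is."""
    ports: Set[Port] = set()
    for line in nmap_output.splitlines():
        m = NMAP_OPEN.match(line.strip())
        if m:
            ports.add((int(m.group(1)), m.group(2)))
    return ports


def suspicious_ports(netstat_output: str, nmap_output: str) -> Set[Port]:
    """Open on the wire but absent from the host's own netstat: the discrepancy
    the quoted advice says to look for. The reverse case (listening locally but
    not open in nmap) is usually just a host or network firewall and is ignored."""
    return remote_open_ports(nmap_output) - local_listeners(netstat_output)


def service_names(sc_output: str) -> Set[str]:
    """Service names from `sc query` output (one SERVICE_NAME: line per service)."""
    return {line.split(":", 1)[1].strip()
            for line in sc_output.splitlines()
            if line.startswith("SERVICE_NAME:")}


def hidden_services(local_sc: str, remote_sc: str) -> Set[str]:
    """Services the remote enumeration shows that the local one does not."""
    return service_names(remote_sc) - service_names(local_sc)


if __name__ == "__main__":
    print("open remotely, hidden locally:",
          sorted(suspicious_ports(NETSTAT_NAO, NMAP_SCAN)))
    print("services hidden locally:",
          sorted(hidden_services(SC_QUERY_LOCAL, SC_QUERY_REMOTE)))
```

Only the direction "seen from the network, not seen by the host" is reported, because a port that is listening locally but filtered or closed in the nmap scan is the normal result of a firewall, not evidence of hiding. In the constructed data, port 4444/tcp and the wsrvhelper service are the items the host's own tools fail to show.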
