Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: David Boyer <David () BVU EDU>
Date: Tue, 27 Jun 2006 09:09:54 -0500

You run netstat -nao from the command line on the computer whose ports you want to scan.

Computer Management is an MMC snapin for Windows.

caroline () POBOX UPENN EDU 8:42 AM 6/27/2006 >>>
Hey Dave,

I saw this post on the security list and I had some questions about
it.


Quoting David Taylor <ltr () ISC UPENN EDU>:
[snip]
Do a netstat -nao on the local machine and then do a remote port scan with a tool such as nmap. If something shows up in the nmap scan that doesn't show as listening on the netstat there is likely a rootkit.

How would you do this kind of scan? Would you have the computer on the network and scan the IP with nmap, or do something else so the computer is not live on the network?

Also, connecting to the remote system with computer manager will let you see hidden services. Open the services on the local machine and compare to the remote listing. This goes for the registry as well.

Not sure what you mean by this? Can you explain? I don't know what computer manager is. There is Computer Management, part of admin tools in control panel, that lets you see local services running? How do you look at services remotely?

Thanks for answering these questions if you can, and if you have the time. I always want to learn new things. Even if the system usually gets rebuilt anyway. :)

Caroline

--
College House Computing
3702 Spruce St.
215.573.3887
ITSS for DuBois

"Fairy Tales are more than true; not because they tell us that dragons exist, but because they tell us that dragons can be beaten." -- G. K. Chesterton
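The comparison David Taylor describes (netstat -nao on the host, an nmap scan from a second machine, then diff the two views) worked through as an added example; this is not code posted by anyone in the thread. It assumes Windows netstat -nao output and nmap's grepable (-oG) format, with the scanned host's own IP address supplied by the caller. Both sample outputs embedded below are constructed for the example, and the port 31337 listener in the nmap sample is hypothetical.

```python
"""Compare what a host says it is listening on (netstat -nao, run locally)
with what an external nmap scan actually sees. Listeners that nmap reaches
but netstat does not report are the ones worth treating as possibly hidden
by a rootkit; the reverse difference is usually just a host firewall.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample of `netstat -nao` output on the suspect host
# (hypothetical data, not a capture from any real system).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:3389      0.0.0.0:0              LISTENING       1232
  TCP    192.168.1.20:3389      10.0.0.5:51022         ESTABLISHED     1232
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `nmap -sS -sU -p- -oG - 192.168.1.20` grepable
# output, run from another machine on the same network (hypothetical data;
# the 31337 listener is the planted "hidden" port for this example).
NMAP_SAMPLE = """\
# Nmap scan initiated (constructed example)
Host: 192.168.1.20 ()  Status: Up
Host: 192.168.1.20 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///, 31337/open/tcp//Elite///, 137/open|filtered/udp//netbios-ns///  Ignored State: closed (65530)
# Nmap done (constructed example)
"""

WILDCARD_ADDRS = {"0.0.0.0", "[::]"}
# nmap -oG port field: <port>/<state>/<proto>/...; UDP often reports open|filtered
NMAP_PORT_RE = re.compile(r"(\d+)/open(?:\|filtered)?/(tcp|udp)/")
PortMap = Dict[str, Set[int]]


def parse_netstat(text: str, host_ips: Set[str]) -> PortMap:
    """Ports the host itself reports as listening, keyed by protocol.

    A socket counts if it is bound to a wildcard address or to one of the
    host's own addresses (the ones nmap will actually be scanning).
    """
    listening: PortMap = {"tcp": set(), "udp": set()}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header lines and blanks
        proto = parts[0].lower()
        addr, _, port = parts[1].rpartition(":")  # handles [::]:135 too
        # TCP sockets must be in LISTENING state; UDP rows have no state column.
        if proto == "tcp" and parts[3] != "LISTENING":
            continue
        if addr in WILDCARD_ADDRS or addr.strip("[]") in host_ips:
            listening[proto].add(int(port))
    return listening


def parse_nmap_grepable(text: str) -> PortMap:
    """Open ports as seen from the network, from nmap -oG output."""
    seen: PortMap = {"tcp": set(), "udp": set()}
    for line in text.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            for port, proto in NMAP_PORT_RE.findall(line):
                seen[proto].add(int(port))
    return seen


def compare_views(netstat_text: str, nmap_text: str,
                  host_ips: Set[str]) -> Tuple[PortMap, PortMap]:
    """Return (hidden, unreachable).

    hidden:      open on the wire but absent from netstat -> suspect.
    unreachable: in netstat but not seen by nmap -> usually a host firewall
                 or a scan that did not cover that port, not a rootkit.
    """
    local = parse_netstat(netstat_text, host_ips)
    remote = parse_nmap_grepable(nmap_text)
    hidden = {p: remote[p] - local[p] for p in ("tcp", "udp")}
    unreachable = {p: local[p] - remote[p] for p in ("tcp", "udp")}
    return hidden, unreachable


if __name__ == "__main__":
    hidden, unreachable = compare_views(NETSTAT_SAMPLE, NMAP_SAMPLE, {"192.168.1.20"})
    for proto in ("tcp", "udp"):
        print(f"{proto}: hidden from netstat={sorted(hidden[proto])} "
              f"unreachable from network={sorted(unreachable[proto])}")
```

On the constructed samples this reports TCP 31337 as hidden (open to the scanner, missing from the host's own listing) and TCP 5357 as unreachable (listed locally, not seen by nmap), which is the distinction to keep in mind: only the first set points at a rootkit. The host has to be reachable for the scan, so it stays connected; putting it and the scanning machine alone on an isolated segment is the usual compromise. The services and registry check mentioned in the thread is the same set difference, taken between the local listing and the one Computer Management shows when connected to the machine remotely.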
