Firewall Wizards mailing list archives
Re: OT? New compromise.
From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Sat, 31 Mar 2007 16:21:26 -0400
Date: Fri, 30 Mar 2007 13:09:58 -0500
From: Frank Knobbe <frank () knobbe us>
Subject: Re: [fw-wiz] OT? New compromise.
To: Firewall Wizards Security Mailing List <firewall-wizards () listserv icsalabs com>
Cc: firewall-wizards () listserv cybertrust com
Message-ID: <1175278198.40136.36.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

On Thu, 2007-03-29 at 17:12 -0400, Mike Barkett wrote:
> On Windows /c:\netstat -an |find /i "listening"/
> There are tools like openports or the sysinternals set you may
> Windows: netstat -aon
> Linux: netstat -apn

Of course all these tools only work if the application uses the OS's IP stack. Any decent rootkitted malware that puts its own packets on the wire and sniffs the responses promiscuously won't show up in those lists. You can see the packets with tcpdump/sniffers, but you won't be able to correlate them back to an application (unless you do some CPU utilization sampling and correlate that with the observed network traffic, but you'd need to be able to see the app in the first place, so if it's hidden by a rootkit, that won't help you either). Just because nothing shows up in netstat doesn't mean that there isn't an application promiscuously listening for data to that port.

Regards,
Frank
True, a rootkit is one possible explanation. In this case the traffic has already been spotted on the network and thus requires explanation at the host. Therefore, a netstat showing nothing is just as informative as one that shows something bogus, which is just as informative as one that shows the actual running application. Every outcome requires further digging anyway. It is just one more data point that is only as valuable as the skill level of the security professional analyzing it.

-MAB

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
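An added example, not from either poster: the cross-check the thread describes, written as Python that parses a constructed `netstat -aon` listing and constructed tcpdump-style summaries of the same host's traffic, then reports host ports that carry payload on the wire but have no corresponding socket. The host address, PIDs and port numbers are constructed sample values, not anything from the thread.

```python
import re
from collections import defaultdict

HOST = "10.0.0.5"  # constructed: address of the host whose netstat we hold

# Constructed `netstat -aon` output (Windows column layout)
NETSTAT_AON = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.20:51012        ESTABLISHED     1204
  UDP    0.0.0.0:123            *:*                                    1100
"""
# Constructed tcpdump-style one-line summaries of traffic to and from HOST
WIRE = """\
12:00:01.1 IP 10.0.0.20.51012 > 10.0.0.5.3389: Flags [P.], length 120
12:00:02.2 IP 203.0.113.9.40001 > 10.0.0.5.445: Flags [S], length 0
12:00:03.3 IP 203.0.113.9.40002 > 10.0.0.5.62001: Flags [P.], length 64
12:00:03.4 IP 10.0.0.5.62001 > 203.0.113.9.40002: Flags [P.], length 300
12:00:04.4 IP 10.0.0.20.123 > 10.0.0.5.123: UDP, length 48
"""
WIRE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*?), length (\d+)")


def host_sockets(netstat_text):
    """Map (proto, local port) -> PID from `netstat -aon` output."""
    sockets = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if not cols or cols[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        port = int(cols[1].rsplit(":", 1)[1])
        sockets[(cols[0], port)] = int(cols[-1])  # PID is the last column
    return sockets


def unexplained_ports(netstat_text, wire_text, host):
    """Return {(proto, port): payload bytes} for host ports that carry payload
    on the wire but have no socket in netstat. Zero-length packets are ignored:
    a bare SYN to a closed port is an ordinary probe the OS answers with a RST."""
    sockets = host_sockets(netstat_text)
    seen = defaultdict(int)
    for m in WIRE_RE.finditer(wire_text):
        src, sport, dst, dport, info, length = m.groups()
        if int(length) == 0:
            continue
        proto = "UDP" if info.startswith("UDP") else "TCP"
        if dst != host and src != host:
            continue  # neither endpoint is the host under examination
        local_port = int(dport) if dst == host else int(sport)
        if (proto, local_port) not in sockets:
            seen[(proto, local_port)] += int(length)
    return dict(seen)
```

A hit in the result is exactly Mike's "data point": traffic on the wire that the host's own socket table cannot explain and that needs digging, whether the cause is a hidden listener, a stale capture, or a netstat taken after the process exited.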