nanog mailing list archives

Re: Security Guideance

From: Curtis Maurand <cmaurand () xyonet com>
Date: Wed, 24 Feb 2010 08:03:23 -0500

On 2/23/2010 5:38 PM, Nathan Ward wrote:

Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely to not work if there's a rootkit on the 
box. The whole point of a rootkit is to hide processes and files from these tools.

Get some statically linked versions of these bins on to the server, and hope they haven't patched your kernel.

See if you can get a binary of busybox which has those tools and they'reall contained in the binary. It should run from any folder.


http://busybox.net

Very handy.

--Curtis

Current thread:

RE: Security Guideance, (continued)
- - RE: Security Guideance Matt Sprague (Feb 23)
    - Message not available
    - Re: RE: Security Guideance Paul Bosworth (Feb 23)
    - Re: Security Guideance Michael Holstein (Feb 23)
    - Re: Security Guideance Chris Adams (Feb 23)
    - RE: Security Guideance Adam Stasiniewicz (Feb 23)
    - Re: Security Guideance Aaron L. Meehan (Feb 24)
  - Re: Security Guideance Dan White (Feb 23)
    - Re: Security Guideance acv (Feb 23)
    - Re: Security Guideance Nathan Ward (Feb 23)
    - RE: Security Guideance Joe (Feb 23)
    - Re: Security Guideance Curtis Maurand (Feb 24)
- Re: Security Guideance LaDerrick H. (Feb 23)
- Re: Security Guideance David Freedman (Feb 23)
- RE: Security Guideance Joe Conlin (Feb 23)
- Re: Security Guideance Nate Itkin (Feb 23)
  - Re: Security Guideance Valdis . Kletnieks (Feb 23)
    - Re: Security Guideance Joel Esler (Feb 23)
- RE: Security Guideance Express Web Systems (Feb 23)
- Re: Security Guideance Gadi Evron (Feb 23)
- Re: Security Guideance Laurens Vets (Feb 24)
- Re: Security Guideance Bill Stewart (Feb 24)