[wplug] port scans
Bryce Lynch
bryce at telerama.lm.com
Thu Oct 24 16:41:45 EDT 2002
On Thu, 24 Oct 2002, coldfire wrote:
> this, provided the machine has not been compromised and netstat is indeed
> the original binary which came with the distribution :)
Very true. I was working under the assumption that he was trying to
figure out why a new application wasn't working correctly, and he wanted
to see what might be holding a port open.
> however, if you suspect the machine was compromised, you should most
> definitely scan the machine from another trusted source using a utility
A copy of lsof that was compiled as statically linked would also be
useful.
> such as nmap. the reasoning is that if a machine is compromised and some
> arbitrary port is opened up (such as 6667 which has been the most popular
> lately), then the attacker may have altered netstat in such a way that it
> won't report port 6667 as open even if it is.
A good many of the other binaries as well.
--
Encrypted private e-mail preferred.
public key: http://users.telerama.com/~bryce/gpg.key
'Progress over protocol.'
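
The cross-check discussed in this thread, as an added example that is not part of the original post: it compares the listening TCP ports that netstat reports on the suspect host with the ports nmap finds open from a second, trusted machine. The sample inputs are constructed, the function names are hypothetical, and the input formats are assumed to be `netstat -tln` and nmap's grepable output (`-oG`).

```python
import re

# Constructed sample: `netstat -tln` output saved on the suspect host.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:25    0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:111     0.0.0.0:*       LISTEN
tcp6       0      0 :::80           :::*            LISTEN
"""

# Constructed sample: `nmap -oG -` output taken from a second, trusted machine.
NMAP_SAMPLE = ("Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, "
               "80/open/tcp//http///, 111/filtered/tcp//rpcbind///, "
               "6667/open/tcp//irc///\tIgnored State: closed (996)\n")

def netstat_listeners(text):
    """Map each LISTEN port netstat reports to True if it is loopback-only."""
    ports = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            loopback = addr.startswith("127.") or addr == "::1"
            # Loopback-only holds only if every listener on the port is loopback.
            ports[int(port)] = ports.get(int(port), True) and loopback
    return ports

def nmap_open_ports(text):
    """Return the set of TCP ports marked open in nmap grepable output."""
    ports = set()
    for line in text.splitlines():
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            f = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(f) >= 3 and f[1] == "open" and f[2] == "tcp":
                ports.add(int(f[0]))
    return ports

def compare(netstat_text, nmap_text):
    local = netstat_listeners(netstat_text)
    remote = nmap_open_ports(nmap_text)
    return {
        # Open from outside but absent from netstat: the case the thread warns about.
        "hidden": sorted(remote - set(local)),
        # Reported locally on a routable address but not open from outside:
        # usually a firewall or a port outside the scanned range.
        "unreached": sorted(p for p, lo in local.items() if not lo and p not in remote),
    }

if __name__ == "__main__":
    print(compare(NETSTAT_SAMPLE, NMAP_SAMPLE))
```

A port in "hidden" only shows that the local report and the external view disagree; loopback-only listeners such as the 127.0.0.1:25 entry are left out of "unreached" because an external scan cannot see them.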