|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: saruman
FLIPR.COMDate: Sat Apr 14 2001 - 00:14:07 CDT
On Fri, Apr 13, 2001 at 05:59:55PM +0200, Magnus Rixtorp wrote:
>
> BUT, if i rename /bin/netstat to /bin/netstat2 i get
Check your PATH, it could've been modified to read something like:
/.bin:/bin:/usr/bin:[..]
It would lead you to all the trojaned binaries. Alternatively, it
could (not extremely likely) be a kernel module there have been a couple
of publications on those (THC has a nice guide on how to hack the kernel.)
Perhaps lsof(8) will point to the process currently owning that
socket (inetd comes to mind as nice place to put a backdoor.)
Alex
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]