Subject: Re: system possibly compromised
To: Michal Pasternak <michal@pasternak.w.lub.pl>
From: Herb Peyerl <hpeyerl@beer.org>
List: netbsd-help
Date: 02/24/2004 10:04:52
Tue, 24 Feb 2004 17:51:49 +0100.
<20040224165149.GB27125@pasternak.w.lub.pl>
> Check out for listening sockets using netstat -an | grep LISTEN, for example.
Lots of rootkits wrap netstat, ps, du, ls, etc, to filter out evidence
of their existance. Look for strange directories in /dev using 'echo *'
and/or "find /dev -type d"
You're probably best off booting from a NetBSD CD and grovelling through
the machine.