[lug] intrusion
bgiles at coyotesong.com
Wed Jun 13 12:53:11 MDT 2007
ps
# netstat -l | grep tcp
# netstat -l | grep udp
and use 'lsof -i tcp:xxxx' and 'lsof -i udp:xxxx' to identify the
processes behind unknown ports, and 'lsof -p pid' to identify all files
that the process has opened. You want to be sure that, e.g., 'sshd' is
the expected ssh daemon and not malware using the same name to trick the
unwary.
It should go without saying that that specific IP address should be
blocked by the firewall.
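The steps above (list listening ports, find the process behind each, confirm a daemon such as sshd is the real binary) as a small POSIX shell script. This is an added example, not code from the original message. It assumes a Linux host with /proc; the netstat and process sample lines embedded in it are constructed so the parsing and flagging logic can be run offline, and the live collectors use the same netstat/lsof invocations the post names.

```shell
#!/bin/sh
# Added example (not from the original post): triage listening sockets and
# check that the binary behind a daemon name lives where a packaged daemon
# should. Assumes Linux with /proc. Sample data below is constructed.

# Read 'netstat -ln' output on stdin; print proto:port for each listening
# TCP/UDP socket. Header lines and unix-domain sockets are skipped.
listening_ports() {
    awk '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); print $1 ":" a[n] }'
}

# Live collector (as in the post): PIDs behind one port, e.g. owner_of_port tcp 22
owner_of_port() {
    lsof -t -i "$1:$2"
}

# Live collector: "pid comm exe" for every process whose comm matches $1.
# /proc/PID/exe is a magic link; a deleted binary shows as "path (deleted)".
processes_named() {
    for p in /proc/[0-9]*; do
        [ "$(cat "$p/comm" 2>/dev/null)" = "$1" ] || continue
        echo "${p#/proc/} $1 $(readlink "$p/exe" 2>/dev/null || echo '?')"
    done
}

# Read "pid comm exe" lines on stdin; print the ones whose binary is outside
# the standard system directories, or whose on-disk file has been deleted.
# A genuine packaged sshd lives under /usr/sbin; anything else deserves a look.
flag_unexpected_exe() {
    while read -r pid comm exe rest; do
        case "$exe" in
            /usr/sbin/*|/usr/bin/*|/sbin/*|/bin/*|/usr/lib/*|/usr/libexec/*)
                case "$rest" in
                    *"(deleted)"*) echo "$pid $comm $exe $rest" ;;
                esac ;;
            *) echo "$pid $comm $exe${rest:+ $rest}" ;;
        esac
    done
}

# Constructed sample of 'netstat -ln' output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12345    /run/dbus/system_bus_socket'

# Constructed "pid comm exe" lines: one genuine sshd, one running from a
# scratch directory, one whose binary was removed after it started.
SAMPLE_PROCS='812 sshd /usr/sbin/sshd
4711 sshd /dev/shm/.x/sshd
4820 sshd /usr/sbin/sshd (deleted)'

# Offline demo on the constructed samples. Live equivalents:
#   netstat -ln | listening_ports
#   processes_named sshd | flag_unexpected_exe
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
printf '%s\n' "$SAMPLE_PROCS" | flag_unexpected_exe
```

On a host without net-tools, `ss -tulpn` gives the same socket list with the owning PID already attached; the path check against /proc/PID/exe is the part a renamed binary cannot fake.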