
Re: other mysterious port things



On Tue, 29 May 2001, Ken Seefried wrote:

> Tim Haynes writes:
> > 
> > <sigh> Why do people persist in using nmap at test phase? Sure, if you've
> > been cracked, scan yourself if you want, but if you're looking to see `what
> > do I have open?' then nmap is the *last* tool I'd use.  
> > 
> > Go back to 
> >         sudo netstat -plan | grep LIST
> 
> Well...that would be incorrect.  If you have been cracked, or suspect you 
> might have, then you cannot completely rely on the output of netstat, ps, 
> lsof, etc.  Many of the rootkits I've seen quite effectively hide themselves 
> behind trojan utilities and shared libs, making detection by such casual 
> methods as you indicate difficult. 

Which is why nmap would be useful if you've been cracked: because you can
scan yourself from *another* *box* (which is how you're supposed to use
nmap).

Tim is just saying that if you *haven't* been cracked, use netstat instead
of nmap.

-- 
Hubert Chan
Research Associate
Prediction in Interacting Systems (MITACS-PINTS)
University of Alberta
Office: CAB 522
Ph: 492-4394
e-mail: hubert@math.ualberta.ca
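The cross-check discussed in this thread, as an added example that is not part of the original messages: it compares the listeners that `netstat -plan` reports on the host with the ports an nmap scan from another box finds open, and goes slightly further by also listing ports that are bound locally but not reachable from outside. The function names, the sample output and the address 192.0.2.10 are constructed for illustration; the nmap input is assumed to be in grepable (`-oG`) format.

```python
import re

# Constructed sample: `sudo netstat -plan | grep LIST` run on the host itself.
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      701/exim
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      655/apache
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      480/portmap
unix  2      [ ACC ]     STREAM     LISTENING     1024   500/syslogd   /dev/log
"""

# Constructed sample: `nmap -oG -` output from a scan run on *another* box.
NMAP_SAMPLE = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 111/filtered/tcp//rpcbind///, 31337/open/tcp//unknown///
"""

LOOPBACK = {"127.0.0.1", "::1"}

def local_listeners(netstat_text):
    """Map each TCP port in LISTEN state to the set of addresses it is bound to."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            listeners.setdefault(int(port), set()).add(addr)
    return listeners

def remote_open_ports(nmap_grepable):
    """Collect TCP ports that the external scan reports as open."""
    ports = set()
    for line in nmap_grepable.splitlines():
        if "Ports:" in line:
            found = re.findall(r"(\d+)/open/tcp/", line.split("Ports:", 1)[1])
            ports.update(int(p) for p in found)
    return ports

def cross_view(netstat_text, nmap_grepable):
    """Compare the host's own view of its listeners with the outside view."""
    local = local_listeners(netstat_text)
    remote = remote_open_ports(nmap_grepable)
    exposed = {p for p, addrs in local.items() if addrs - LOOPBACK}
    return {
        # Open from outside but absent from netstat: local tools may be lying.
        "hidden_from_netstat": sorted(remote - set(local)),
        # Bound on a non-loopback address but not open remotely (e.g. filtered).
        "not_reachable": sorted(exposed - remote),
    }

if __name__ == "__main__":
    print(cross_view(NETSTAT_SAMPLE, NMAP_SAMPLE))
```

A non-empty `hidden_from_netstat` list is the case the thread is about: the remote scan sees a listener that the host's own utilities do not report.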


