
Re: other mysterious port things

Tim Haynes writes:

<sigh> Why do people persist in using nmap at test phase? Sure, if you've
been cracked, scan yourself if you want, but if you're looking to see `what
do I have open?' then nmap is the *last* tool I'd use. Go back to sudo netstat -plan | grep LIST

Well...that would be incorrect. If you have been cracked, or suspect you might have, then you cannot completely rely on the output of netstat, ps, lsof, etc. Many of the rootkits I've seen quite effectively hide themselves behind trojan utilities and shared libs, making detection by such casual methods as you indicate difficult. An accurate assessment requires more than a single tool.

Ken Seefried, CISSP
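An added example, not part of either message: a cross-view check that compares the listeners the host itself reports (parsed from text in `/proc/net/tcp` layout, read without going through the netstat binary) against the ports a scan from a separate, trusted machine found open. The sample table, the external port set and the function names are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 12346 1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1
   3: 0A00000A:0016 0500000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1
"""

def local_listeners(proc_text):
    """Return {port: {bound addresses}} for sockets in LISTEN state (st == 0A)."""
    listeners = {}
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":     # 0A = TCP_LISTEN
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a hex dump of the 32-bit value as stored on a
        # little-endian host, so 0100007F decodes to 127.0.0.1.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.setdefault(int(hex_port, 16), set()).add(ip)
    return listeners

def cross_view(proc_text, external_ports):
    """Diff the host's own view against what an outside scanner saw."""
    local = local_listeners(proc_text)
    # Loopback-only listeners cannot be reached from outside; leave them out.
    reachable = {port for port, addrs in local.items()
                 if any(not addr.startswith("127.") for addr in addrs)}
    external = set(external_ports)
    return {
        # Open from outside but missing locally: the local view is
        # incomplete or has been tampered with. Investigate first.
        "unexplained": sorted(external - reachable),
        # Listening locally but not seen outside: usually a firewall.
        "not_seen_externally": sorted(reachable - external),
    }

if __name__ == "__main__":
    # Constructed scan result from the second machine: 22 and 2222 open.
    print(cross_view(SAMPLE_PROC_NET_TCP, {22, 2222}))
```

An empty "unexplained" list does not clear the host: a kernel-level rootkit can filter `/proc` as well, and a hidden listener may only answer specific peers, which is why no single view is sufficient.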
