On Mon, Mar 31, 2003 at 10:29:48AM +1000, Paul Hampson wrote:
> > If lsof is found on the system
> > /usr/lib/tiger/systems/Linux/2/check_listeningprocs uses the
> > command:
> >
> > $LSOF -nPi | $GREP "IPv" | $GREP -v "\->" | $AWK '{printf("%s %s %s %s\n", $1, $3, $7, $8)}' | $SORT | $UNIQ |
> >
> > It seems that it should `grep LISTEN` as well.
No. See below.
> >
> > Comments?
>
> I would guess that only TCP sockets get 'LISTEN' but I don't
> know the output of lsof to confirm this.
>
Precisely. TCP sockets get 'LISTEN'; UDP sockets don't. Try starting a UDP
service (echo, chargen are fine) and check lsof's output.
Tiger's initial version did "grep LISTEN" instead of the "grep -v \"->\"" (to
remove ESTABLISHED connections), but it would not detect UDP trojans that
way.
Regards
Javi
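
The difference between the two filters discussed in this thread, as an added example that is not part of the original message or of Tiger's code. The lsof output lines are constructed sample data (documentation addresses), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `lsof -nPi` output: one TCP listener, one
# established TCP connection, and two UDP services (echo, chargen).
sample_lsof() {
cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412 root    3u  IPv4   1021      TCP *:22 (LISTEN)
sshd      980 root    4u  IPv4   2290      TCP 192.0.2.10:22->192.0.2.50:51514 (ESTABLISHED)
inetd     377 root    5u  IPv4    901      UDP *:7
inetd     377 root    6u  IPv4    902      UDP *:19
EOF
}

# Same field selection as the command quoted in the thread.
fields() {
    awk '{printf("%s %s %s %s\n", $1, $3, $7, $8)}' | sort | uniq
}

# Filter that keeps only lines carrying the LISTEN state.
# UDP sockets have no state column, so they are dropped.
filter_listen_only() {
    sample_lsof | grep "IPv" | grep "LISTEN" | fields
}

# Filter that drops connected sockets (NAME contains "->") and keeps
# everything else. -e '->' matches the same literal as "\->" in the thread.
filter_not_connected() {
    sample_lsof | grep "IPv" | grep -v -e '->' | fields
}

# Bound sockets the LISTEN-only filter would never report.
missed_by_listen_grep() {
    filter_not_connected | grep -v -F -x "$(filter_listen_only)"
}

echo "grep LISTEN:";      filter_listen_only
echo "grep -v '->':";     filter_not_connected
echo "missed by LISTEN:"; missed_by_listen_grep
```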